Rather than using the VIP as your target for RADIUS and TACACS+, just define both servers on the network device but set the group or priority or whatever so that the subscriber is the primary target. That way the network device handles the failover from primary to secondary rather than counting on the VIP to move...and the VIP doesn't care about the RADIUS or TACACS+ service status.
Original Message:
Sent: May 14, 2024 10:12 PM
From: Mithran
Subject: Replacing ClearPass Publisher
Hi Jonas,
Currently, in our setup, we've got two nodes - the Publisher and Subscriber. The virtual IP is configured, and it's pointing to the Publisher.
In our NAD devices, the Virtual IP is set up for both RADIUS and TACACS traffic, meaning all authentication requests are hitting the Publisher.
Now, following standard practices, it's not recommended for the Publisher to handle authentication exclusively. So, I'm considering redirecting the VIP to the Subscriber.
Before making this change, do you think there might be any potential impact or specific things I should check?
Original Message:
Sent: May 08, 2024 09:25 AM
From: jonas.hammarback
Subject: Replacing ClearPass Publisher
Hi
Can you elaborate what you would like to know regarding moving the VIP address?
It's done from the Virtual IP Settings dialog under Server Manager/Server Configuration.
So with your current VIP for Radius you just need to set the new server as the primary server for the VIP address.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: May 08, 2024 06:16 AM
From: Mithran
Subject: Replacing ClearPass Publisher
Hi Jonas,
We are using the VIP for RADIUS traffic. Could you please brief us on transferring the VIP to the subscriber?
Currently we have installed two CPPM (1 Pub and 1 Sub) in parallel in 6.11.7 with new IP address. During the upgrade we will plan to change the IP without much downtime.
Original Message:
Sent: May 02, 2024 06:21 AM
From: jonas.hammarback
Subject: Replacing ClearPass Publisher
Hi
This is expected behavior.
Instead of performing a restore just install the new host, either on new IP or same IP as the old publisher, and join the cluster. During the cluster join all configuration like admin and appadmin passwords will be copied to the host as part of the cluster sync process. If you plan to use the same IP as the old publisher, move the publisher role to the current subscriber, add the new server to the cluster and, if needed, move the publisher role again.
Certificate, license, domain join must be added manually.
If you have configured specific service parameters on the server you need to configure these settings again. Same for IP restrictions done in the Network tab.
Any manual routes added in the CLI must also be added on the new server.
If all network devices like switches and access points have redundant Radius configuration there shouldn't be any disturbances for the clients. Maybe a few authentications with longer response time.
If you have VIP addresses configured and are using the VIPs for the Radius traffic, you can transfer the VIP from the Publisher to the subscriber, replace the old Publisher node, and when this server is ready just transfer the VIP back to the new server, without any disturbances at all.
Original Message:
Sent: May 02, 2024 05:06 AM
From: Ahmad Enaya
Subject: Replacing ClearPass Publisher
My customer has an issue in publisher storage and wants to spin up a new virtual machine to replace the current publisher. The cluster includes a publisher and subscriber and I am looking for the smoothest way for this replacement. I am testing the process in my lab and I noticed that when restoring the publisher backup into a different machine in my lab some components are not restored, like:
- IP addresses
- Certificates
- Licenses
- AD Domain
- Passwords for admin and appadmin accounts
Is this the expected behavior? What other components are not restored and I need to migrate manually?
If I select to restore cluster setup and configured appadmin password to match the old publisher, does the subscriber join the cluster even if I restore the publisher in a different machine?
Do you have any suggested procedure to make this replacement smooth with minimum interruption?