Security

 View Only
last person joined: 2 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Upgrade/Replace Clearpass Appliances

This thread has been viewed 25 times
  • 1.  Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 10:53 AM
    Hello,

    We are getting ready to replace our long-running Clearpass "25K" appliance cluster with new (C3010 DL360) appliances. Our cluster consists of (8) 25K appliances, with (1) Publisher and (7) Subscribers. No Standby Publisher is currently configured. Running 6.9.11.

    Does anyone know if there is a specific document that covers hardware or whole-cluster replacements?  Any licensing gotchas? Other than backing up configuration data on each appliance should I back up anything else?

    My thought was to do Subscribers first, Publisher last. Does this make sense? When swapping the Publisher, I figured I would configure a Standby Publisher and point to one of the new Subscribers.

    Below is a high-level outline of how I plan to do this. Any errors? Something missing? Suggestions?

    For each 25K Subscriber:
    - Pull info from existing appliance, drop from cluster, wipe data, halt system
    - Power down appliance. Remove KVM-OOB, ethernet and power connections. Remove appliance
    - Connect KVM-OOB, ethernet and power cables to new appliance. Record Serial Number. Power On
    - Via KVM OOB connection:
       - Proceed through StartUp Wizard using the same IP, hostname and network parameters
       - Once appliance is online/reachable:
          - Upgrade version
          - Add licenses (?)
          - Add HPE Passport Credentials
          - Attach to cluster
    - Verify functionality
    - Proceed to next appliance. Rinse and Repeat

    Any insight would be most helpful!

    Thanks!
    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------


  • 2.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 03:03 PM
    Why even do subscribers at all?  Just migrate the configuration from the publisher to the new publisher and build out the subscribers from scratch.  When the subscriber is added to the cluster it will download the necessary configuration. Don't forget certificates and AD join.  You should be prepared to export the certificates and private keys from the existing deployment or just generate new certificates.  Each node will also need to be re-joined to the domain.


  • 3.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 03:21 PM
    Thanks. Makes sense, although I think we'll lose session data and Insight data by not restoring. Maybe that's ok. Good point about certs. IMO it's easier to export/import than create new. Clearpass cluster connects to an LDAP cluster (not AD yet!).

    Does it make sense to swap out the publisher first or the subscribers? Or does it really matter? No standby publisher is configured yet.

    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 4.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 03:41 PM
    But that is precisely my point.  When you join a subscriber to a publisher all of the data on the subscriber gets replaced anyways with the database info from the publisher.  You must do the publisher before the subscribers.  You cannot deploy a subscriber without a publisher.
    Is your publisher the Insight Master?  Do you really even need the historical data pre/post upgrade?  Is your data retention time longer than 7 days?
    Here is what I would do:
    • Deploy new 3010, setup iLO, deploy with a different IP than the production publisher.
    • Import backup from current publisher to C3010.
    • Shutdown and drop 1 subscriber from current production deployment.
    • Deploy a new subscriber appliance, setup iLO, configure with the same IP as the just shutdown node.
    • Add new node to ClearPass 3010 Publisher as a subscriber.
    • Repeat for each.



  • 5.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 04:09 PM
    Thanks for the reply. Understood that a new subscriber appliance needs a publisher to receive its config. I also think it's (probably) ok to lose Insight and session data from the subscribers. It's summertime at the university. So, no doing a restore on subscribers seems ok. We have two Insight Masters, both are subscribers.

    I'd prefer not to use a different IP address or hostname for the replacement publisher. There's a lot of backend stuff that would need to change. I also don't really see the need to do so. Before I power down the publisher, I thought would manually promote one of the subscribers to be publisher (or configure one as the standby publisher). As long as there is an active publisher present at all times, would it matter? And theoretically, it seems I could promote the original publisher node (a.k.a. the now-replaced appliance) back to the publisher again.

    Doing this would maintain the integrity of the aaa profiles in the Aruba controller environment. Aside from captive portal and other low-volume services, things that must live on the publisher, we don't configure 802.1x auths (EAP-TTLS) to point to the publisher so as not to overload it.


    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 6.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 04:15 PM
    Yup this would totally work too.  Just more work to keep promoting the subscribers rather than just have a new IP (or changing the IP at the end of the migration).


  • 7.  RE: Upgrade/Replace Clearpass Appliances

    Posted Jul 06, 2022 04:25 PM
    Thanks. In our case there is a need to assess "more work" on the front vs the back end!

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------