Occasional Contributor II

Enabling FIPS on ClearPass - how to save/restore configuration

We need to move our Aruba Wireless infrastructure to be FIPS compliant and it seems like FIPS needs to be enabled on ClearPass.

The warnings you see in the GUI and documentation are scary. Things like: the database will be reset, configuration backup file from the ClearPass Policy Manager in non-FIPS mode cannot be restored on ClearPass Policy Manager in FIPS mode, current configuration will be lost, this server will be dropped out of cluster (if it is part of a cluster) and a few others.

My main question is, how do we restore ClearPass configuration after enabling FIPS in ClearPass?

MVP Guru

Re: Enabling FIPS on ClearPass - how to save/restore configuration

You cannot backup/restore between FIPS and non-FIPS systems by design.

What may work is exporting your services/network devices/endpoints/other relevant configs as XML, then import it, to at least make some of the work easier.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: Enabling FIPS on ClearPass - how to save/restore configuration

Any idea what will happen to all the onboard certificates? Are we going to lose all of them? Don't see a way to export the OnBoard configurations.

MVP Expert

Re: Enabling FIPS on ClearPass - how to save/restore configuration

Yes unfortunately, even if you were able to do a backup and restore, onboard certificates are not included in the backup.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP Guru

Re: Enabling FIPS on ClearPass - how to save/restore configuration

I don't think you can save/restore them across non-FIPS/FIPS. You may try to do a custom backup which can be found in the Guest-Administration-Import Configuration (top right there is an option to do backups of some of the guest components), unsure if the CA is part of that.

This probably is by design and required to be FIPS compliant. You may try to reach out to Aruba Support to see if they know a way to get your CA exported/imported.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: Enabling FIPS on ClearPass - how to save/restore configuration

You can export the root CA and create a new intermediate in your new deployment using the same root. You can then configure Onboard to issue from this new CA. As long as you import that root CA to CPPM for EAP, existing devices will continue to authenticate.

The one caveat is you will not be able to revoke individual certificates from the old intermediate. An alternative is to keep one node from the old cluster alive just to serve as an OCSP responder and to invoke revocation. Once the last of those old certs are expired or the device has been migrated, you can kill that box.
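
The chain-of-trust point in the last reply, as an added example that is not part of the thread and is not ClearPass code: a throwaway lab PKI built with the `openssl` CLI, showing that certificates from both the old and the new intermediate validate under the shared root. The CA names, file names and the assumption that the device presents its old intermediate alongside its certificate are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab PKI: every name and file here is made up for this demo.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT            # throwaway keys, removed on exit
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_root NAME: create a self-signed root CA
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/cfg" \
    -extensions v3_ca -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
# issue NAME ISSUER SECTION: key + CSR for NAME, signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/cfg" -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 30 -extfile "$W/cfg" -extensions "$3" \
    -out "$W/$1.pem" 2>/dev/null
}
# chain_ok ROOT INTERMEDIATE LEAF: exit 0 only if LEAF chains up to ROOT
chain_ok() {
  openssl verify -CAfile "$W/$1.pem" -untrusted "$W/$2.pem" "$W/$3.pem" >/dev/null 2>&1
}

new_root root                      # the exported root CA
issue old-int root v3_ca           # intermediate on the old deployment
issue old-device old-int v3_leaf   # device cert issued before the move
issue new-int root v3_ca           # new intermediate under the same root
issue new-device new-int v3_leaf   # device cert issued after the move
new_root other-root                # what a brand-new, unrelated CA would be

chain_ok root old-int old-device && echo "old device cert: trusted via shared root"
chain_ok root new-int new-device && echo "new device cert: trusted via shared root"
chain_ok other-root old-int old-device || echo "old device cert: rejected under a different root"
```

This only checks chain validation; it does not model the revocation caveat from the same reply.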
