Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Enabling FIPS on ClearPass - how to save/restore configuration

  • 1.  Enabling FIPS on ClearPass - how to save/restore configuration

    Posted May 18, 2020 11:28 AM

    We need to move our Aruba Wireless infrastructure to be FIPS compliant and it seems like FIPS needs to be enabled on ClearPass.

    The warnings you see in the GUI and documentation are scary. Things like: the database will be reset, configuration backup file from the ClearPass Policy Manager in non-FIPS mode cannot be restored on ClearPass Policy Manager in FIPS mode, current configuration will be lost, this server will be dropped out of cluster (if it is part of a cluster) and a few others.

    My main question is, how do we restore ClearPass configuration after enabling FIPS in ClearPass?



  • 2.  RE: Enabling FIPS on ClearPass - how to save/restore configuration

    EMPLOYEE
    Posted May 19, 2020 05:01 AM

    You cannot back up/restore between FIPS and non-FIPS systems by design.

    What may work is exporting your services/network devices/endpoints/other relevant configs as XML, then importing it, to at least make some of the work easier.



  • 3.  RE: Enabling FIPS on ClearPass - how to save/restore configuration

    Posted May 20, 2020 09:28 AM

    Any idea what will happen to all the onboard certificates? Are we going to lose all of them? Don't see a way to export the OnBoard configurations.



  • 4.  RE: Enabling FIPS on ClearPass - how to save/restore configuration

    Posted May 20, 2020 09:47 AM
    Yes, unfortunately. Even if you were able to do a backup and restore, onboard certificates are not included in the backup.



  • 5.  RE: Enabling FIPS on ClearPass - how to save/restore configuration

    EMPLOYEE
    Posted May 20, 2020 09:51 AM

    I don't think you can save/restore them across non-FIPS/FIPS. You may try to do a custom backup which can be found in the Guest-Administration-Import Configuration (top right there is an option to do backups of some of the guest components), unsure if the CA is part of that.

     

    This probably is by design and required to be FIPS compliant. You may try to reach out to Aruba Support if they know a way to get your CA exported/imported.



  • 6.  RE: Enabling FIPS on ClearPass - how to save/restore configuration

    MVP EXPERT
    Posted May 20, 2020 10:48 AM

    You can export the root CA and create a new intermediate in your new deployment using the same root. You can then configure Onboard to issue from this new CA. As long as you import that root CA to CPPM for EAP, existing devices will continue to authenticate.

     

    The one caveat is you will not be able to revoke individual certificates from the old intermediate. An alternative is to keep one node from the old cluster alive just to serve as an OCSP responder and to invoke revocation. Once the last of those old certs are expired or the device has been migrated, you can kill that box.
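
The trust relationship described in post 6, reproduced with OpenSSL as an added example (not part of the thread and not ClearPass's own tooling): a device certificate issued by the old intermediate and one issued by a new intermediate under the same root both validate once the verifier trusts that root. All subjects, serials and file names are constructed lab values.

```shell
#!/bin/sh
# Constructed lab PKI: every subject and file name below is made up for this example.

# issue NAME SUBJECT EXTFILE SERIAL [ISSUER] -> NAME.key + NAME.pem (self-signed if no ISSUER)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1 || return 1
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" -set_serial "$4" \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$4" \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  fi
}

# One root, an old and a new intermediate under it, one device cert from each,
# plus an unrelated root used as the negative case.
build_lab_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  issue root       "/CN=Lab Onboard Root"       ca.ext   1 &&
  issue old_int    "/CN=Lab Old Intermediate"   ca.ext   2 root &&
  issue new_int    "/CN=Lab New Intermediate"   ca.ext   3 root &&
  issue old_dev    "/CN=device-enrolled-before" leaf.ext 10 old_int &&
  issue new_dev    "/CN=device-enrolled-after"  leaf.ext 11 new_int &&
  issue other_root "/CN=Unrelated Root"         ca.ext   1
)

# chain_ok TRUSTED_ROOT INTERMEDIATE LEAF: true only if LEAF chains to TRUSTED_ROOT.
# The intermediate is supplied as an untrusted chain element, not as a trust anchor.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

report() { if chain_ok "$1" "$2" "$3"; then echo "$4: accepted"; else echo "$4: rejected"; fi; }

lab=$(mktemp -d) && build_lab_pki "$lab" || { echo "openssl setup failed" >&2; exit 1; }
report "$lab/root.pem"       "$lab/old_int.pem" "$lab/old_dev.pem" "old-intermediate cert, shared root trusted"
report "$lab/root.pem"       "$lab/new_int.pem" "$lab/new_dev.pem" "new-intermediate cert, shared root trusted"
report "$lab/other_root.pem" "$lab/old_int.pem" "$lab/old_dev.pem" "old-intermediate cert, root not imported"
rm -rf "$lab"
```

This only exercises path validation; revocation checking for certificates from the old intermediate, the caveat raised in the same post, is not covered by it.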