Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Migrating CPPM to new hardware

  • 1.  Migrating CPPM to new hardware

    Posted Mar 31, 2020 07:43 AM

    Hi
    We are currently running a CPPM 6.7.1 cluster on the C3000 hardware platform. We are in the planning process of migrating these two servers to our Hyper-V (VMM) virtual environment. We think the hardware recommendations for the 25k virtual servers are insane, but I guess there's nothing to do about that.

    The plan is to install a brand new 6.8/6.9 cluster, with new IP addresses, and export/import the config from the existing cluster, and do some config improvement (too many policies, too many settings not in use anymore).
    From what I can see, the following settings will have to be configured all over again after the config-import:

     

    • Certificates (both radius and captive portal)
    • Active directory connections
    • IP-addresses
    • Licenses
    • Custom captive portal skin

     

    It would be a much easier task to use the same IP-addresses/cluster all over again. Then we could just add servers to the existing cluster, and turn off the hardware hosts when done. I guess most of the configuration above would still be there as well.
    The problem with that approach is that we would have to use the new cluster for all our wireless controllers, RADIUS/802.1X-enabled switches, AirWave etc. at the same time, while we want to do a "controlled migration" over a month or so.

     

    What do you experts think of this migration plan? Is this a good way to do it, or have I missed something?
    Any comments will be much appreciated!



  • 2.  RE: Migrating CPPM to new hardware

    Posted Mar 31, 2020 08:39 AM
    You should consider deploying the new ClearPass cluster running the same version as your production environment; that way you can perform the backup/restore with no issues and then upgrade to the desired version you want to run on the new cluster.

    The certificates will not be included in the backup so make sure you have the private key and private password.

    Configure a test SSID for Guest / 802.1X and validate that everything works as expected prior to the migration.




  • 3.  RE: Migrating CPPM to new hardware

    EMPLOYEE
    Posted Apr 02, 2020 05:27 PM

    Agree with Victor here. It is not recommended to restore a 6.7.1 backup on 6.8/6.9. We might run into some issues.
    Best practice would be to restore on the same code and upgrade.

     



  • 4.  RE: Migrating CPPM to new hardware

    MVP EXPERT
    Posted Apr 02, 2020 06:11 PM

    Agree with Vishnu