Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass hardware upgrade to version 6.11.1

  • 1.  Clearpass hardware upgrade to version 6.11.1

    Posted 8 days ago

    Hi!

    We have a four-node cluster. Two nodes are at site 1: a publisher and a subscriber. At site 2 we have two subscriber nodes.

    We have configured a virtual IP for authentication. Site 1 has its own virtual IP and site 2 has its own virtual IPs.

    My plan is to remove one node at both sites and remove those nodes from behind the virtual IP. In that case all authentication goes to two nodes, one node per site.

    If all works well, I drop those nodes from the cluster. Then I can install the new 6.11 version on these nodes. I then have two separate clusters. For this newly installed cluster I have to get evaluation licenses from Aruba. Then I restore backups, certificates, etc. After this I can point some authentication to the new cluster. If authentication works fine, I am planning to disable the virtual IP on the old cluster and add it to the new one. Could this be done?

    If authentication works with the new cluster, I can run the install process on the old two nodes, join them to the new cluster, and then I again have a four-node cluster.

    After this there is only the license problem. Can I replace the eval access license that I have on the new cluster with the old permanent access licenses?

    Are there going to be any problems with this plan? This system is very critical nowadays and downtime should be as short as possible.

    Maybe someone has the same kind of environment and has done this process successfully? :) I hope that I can get support for doing this from here.



  • 2.  RE: Clearpass hardware upgrade to version 6.11.1

    EMPLOYEE
    Posted 8 days ago

    Sounds like a good plan, if you can handle the full load on the 2 (or even 1) appliance. You could even rebuild one subscriber as your new publisher, so during the migration you have a publisher on the old version and new version.

    There is no need to use eval licenses, just re-enter your production licenses. During the migration you can temporarily use the same licenses on the old and new servers. But if you insist on using evals, you can replace an eval license with a production license; it's just not needed in your case.

    I'd recommend working with your Aruba partner and/or Aruba support to check your migration plan, so if something goes unexpected you have someone to work with who understands the migration steps already and can quickly jump in if needed.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass hardware upgrade to version 6.11.1

    MVP
    Posted 6 days ago

    Are you sure there is no need for eval licenses? When they set up a temporary publisher with their configuration there would need to be CPPM licenses tied to that node, since all licenses except Platform must be on the publisher. If the Publisher is later moved to a different node, the licenses would need to be moved & reactivated. I believe I saw it stated that all licenses are removed from a node when it is made a subscriber.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 5 days ago

    Yes. No need for an eval license. Just apply your existing platform license and do not activate it until you finish the migration. You have a 90-day grace period.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 5.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 5 days ago
    How about access licenses?
    Permanent licenses are in use on the old cluster, and I need access licenses for the new publisher when testing and when I finally turn authentications over to the new cluster with the same virtual IP as the old one, because it is configured in so many places and switches.


    - Petri





  • 6.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 5 days ago
    Same thing as platform licenses. You have a 90-day grace period.

    Gorazd Kikelj
    Account Support Manager

    gorazd.kikelj@selectium.com

    Hewlett Packard Enterprise
    operated by Selectium





  • 7.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 5 days ago

    So I can import them to the new cluster: the same platform key and the same access licenses that are in use on the old version. I just don't have to activate them, and authentications and all functions work without activation? And after the old publisher is shut down and under the upgrade process, I can then activate the new publisher licenses?

    Should I drop the servers from the domain when I drop a node from the cluster? And rejoin them when the upgrade is done?

    Kind regards,

    Petri Kemppainen
    ICT Planner
    Meita | Meidän IT ja Talous Oy
    p. 013 339 0045 | petri.kemppainen@meita.fi

    The force behind your workday






  • 8.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 5 days ago

    Yes, you just import licenses into new cluster and activate them when migration is completed.

    As for domain, you can/should remove old node from domain and join new node.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 9.  RE: Clearpass hardware upgrade to version 6.11.1

    EMPLOYEE
    Posted 4 days ago

    If you join a computer which has the same name (ClearPass is a computer in this context), in my experience AD will just overwrite the existing registration, so there should not be a need to leave the domain.



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 7 days ago

    I did it exactly the same way in a similar setup and it worked without problem. As Herman said you can just go with your existing prod license in the new cluster.
    If you have hardware appliances make sure to convert your PAK to 6.8 or newer format to activate the re-installed nodes.




  • 11.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 6 days ago

    Would the above also apply to my use case? 

    I'm running 6.9.13.138003 on 4 nodes.  The publisher is a physical hardware appliance.  The subscribers are all virtual.   Pub + 1 Sub at the HQ site, and 2 Subs at a remote site.  I would like to end up with the hardware appliance being the publisher in the end again.   Am I better off pulling out a couple of VM subs and building them as the new cluster, and then moving to it and doing the other 2?  Can a subscriber be "promoted" to a publisher so I could start by making #3 and #4 the active Pub and Sub while I upgrade #1 and #2?   What kind of timeframe are people having that it takes to accomplish an upgrade?

    Since I'm back on 6.9.13, will I be needing any licenses in advance, before I even start the process?  Also, will I need to make extra hops in versions to get to what would be considered current stable?

    I've never done any sort of Clearpass upgrade in the past, so I'll be reaching out to a partner for help, but I'd like to know what I'm getting into before I dig in.  Also, if this is going to involve a downtime where the process is long enough that it will have to be after hours on a weekend, I'll push it all out into October.  But if it's a quick and easy process and in theory I could push 2 units offline and rebuild them during the weekday daytime since we have 4, then I'd love to just get it done in June.




  • 12.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 6 days ago

    I think in your case it's even easier as you don't need to reinstall all of your CPPM appliances on hardware, except the publisher node. Just create new appliances based on the 6.11.1 image and upgrade them to the current patches. Restore them with your backup and reinstall all licenses + certificates. You can find a guide with more detailed steps here:
    https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-UpgradingTo_6.11.htm?tocpath=Installing%20ClearPass%206.11%7C_____0

    When you have the new Cluster running you can convert your hardware appliance with the ISO file and join it. Last step would be then to promote the hardware appliance to publisher in Server Manager > Server Configuration. 





  • 13.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 6 days ago

    That all sounds good and makes good sense, thanks for that.  I wasn't sure that you could promote a subscriber to publisher but a little digging found that it is do-able.  So if I detach 2 subs, and I fire them up on the new images, what is the best way to deal with IP addressing?  Right now all of our devices are pointing to 3 or 4 IP addresses, individual addresses of the devices.  i.e. not a single virtual IP.   Do I just let the devices like switches and AP controller find out that the old primary is unreachable and it starts to hit one of the alternates?  Or will I have to be careful of restoring an image onto the new VM?  Maybe I'm thinking about it wrong....will I actually be doing individual backups of each device, and restoring each one of them to the newly created replacement servers?  In my head I was thinking that one backup of the publisher would be all I'd be doing.   I'll have to read that link you provided and start to digest the process.  Thanks for the info!




  • 14.  RE: Clearpass hardware upgrade to version 6.11.1

    Posted 6 days ago

    Hi.

    You create a new publisher and restore old publisher backup to it. You can reuse IP addresses if you power down the old VM. And apply node specific configuration like joining to domain. 

    Other VMs you just deploy from fresh or reuse old VMs with a new image and join them into the cluster as subscribers. You don't do a subscriber restore. You need to migrate certs, extensions and other subscriber specific settings like custom skins.

    Best, Gorazd 



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 15.  RE: Clearpass hardware upgrade to version 6.11.1

    MVP
    Posted 6 days ago

    One bit of advice from personal experience, especially if you have defined custom Admin Privileges. Be sure to verify you can successfully import your configuration & form a cluster on the new code.

    18 months ago, we tried upgrading from 6.9.13 to 6.0,x and ended up reverting. We have some custom Admin Privileges and database naming changes in the backend were not included in the upgrade import. We were able to upgrade the publisher but then were unable to add any subscribers to the cluster. We reverted back to 6.9.13 and decided to build a fresh configuration for 6.11 since we have a lot of old, unused parts in our old 6.9.13 config anyway. We were one of the first ClearPass customers way back on version 5.1.1.

    We chose to build our new cluster on 6.12.2 due to the rewritten Entra ID auth source. Be careful what patch version of 6.11 you use. One version (6.11.8?) has a bug affecting RADIUS on hardware servers. I know it was fixed in 6.12.2 but am unsure what 6.11 patch has the fix.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------