Security

Hi

The plan looks good and will definetlly work. Personally I would do some minor changes. See my comments in red after each of your actions below:

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

Original Message:
Sent: 4/4/2024 2:33:00 AM
From: jonas.hammarback
Subject: RE: Need suggestion for the 6.11 Upgrade.

Hi

The plan looks good and will definetlly work. Personally I would do some minor changes. See my comments in red after each of your actions below:

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point). 
Instead of using the same IP addresses i would consider assigning new IP's to the servers, this way both the old and the new cluster can be up and running at the same time. Also give the servers new names as this will make it possible to have all the servers joined with AD at the same time.

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
Consider giving the servers new names, so you can have both the old and new ones up and running in parallell.

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.
If you stay with your initial plan to have same IP and hostname, start with the subscriber instead. You may want to be able to test the 6.11 installation for some time before you switch over, and during this time you also may need to do some updates in the 6.10 cluster, or guests need to register.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.
The VIP configuration will be transfered with the backup and restore, if you have new server names the VIP will not be active on the new servers until you manually activates it.

10. Validate the authentication request.

If you have 6.8+ formated platform and accesses licenses 6.11 will accept them. You can utilize the same licenses on both the 6.10 and 6.11 servers at the same time during the migration phase and the license will be possible to activate in 6.11 without contact with Aruba TAC.

6.11.6 contains some security related issues and 6.11.7 was released to address these. See ARUBA-PSA-2024-001 on https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

With the approach of just moving the VIP address you will not have a long downtime. Only during the move of the VIP addresses, and this can be reduced to a few seconds.

If you have had two VIP addresses and both configured as Radius servers in your switches and WLAN infrastructure you could eliminated the downtime to nothing by moving the VIP's one by one. This also let you have both servers active in processing the requests.

Keep in mind that 6.11 introduces TLS 1.3 with PSS RSA algorithm, and some older computers have a TPM chip with a bug that prevents successful authentication if the certificates are stored in the TPM. More information: https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

I missed the part where they said the CPPM server is joined with AD. That is only needed for EAP-PEA_=MSCHAPv2 which has been deprecated for years.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Apr 04, 2024 02:33 AM
From: jonas.hammarback
Subject: Need suggestion for the 6.11 Upgrade.

Hi

The plan looks good and will definetlly work. Personally I would do some minor changes. See my comments in red after each of your actions below:

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point). 
Instead of using the same IP addresses i would consider assigning new IP's to the servers, this way both the old and the new cluster can be up and running at the same time. Also give the servers new names as this will make it possible to have all the servers joined with AD at the same time.

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)
Consider giving the servers new names, so you can have both the old and new ones up and running in parallell.

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.
If you stay with your initial plan to have same IP and hostname, start with the subscriber instead. You may want to be able to test the 6.11 installation for some time before you switch over, and during this time you also may need to do some updates in the 6.10 cluster, or guests need to register.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.
The VIP configuration will be transfered with the backup and restore, if you have new server names the VIP will not be active on the new servers until you manually activates it.

10. Validate the authentication request.

If you have 6.8+ formated platform and accesses licenses 6.11 will accept them. You can utilize the same licenses on both the 6.10 and 6.11 servers at the same time during the migration phase and the license will be possible to activate in 6.11 without contact with Aruba TAC.

6.11.6 contains some security related issues and 6.11.7 was released to address these. See ARUBA-PSA-2024-001 on https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt

With the approach of just moving the VIP address you will not have a long downtime. Only during the move of the VIP addresses, and this can be reduced to a few seconds.

If you have had two VIP addresses and both configured as Radius servers in your switches and WLAN infrastructure you could eliminated the downtime to nothing by moving the VIP's one by one. This also let you have both servers active in processing the requests.

Keep in mind that 6.11 introduces TLS 1.3 with PSS RSA algorithm, and some older computers have a TPM chip with a bug that prevents successful authentication if the certificates are stored in the TPM. More information: https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

Couple of gotchas that I encountered:

Be sure to change "Enable Pulisher Failover" to False before taking the backup. Otherwise it will not allow you to add subscribers after the restore.

Also, this is likley obvious to most, disable the HTTPS ECC (assuming you are using the RSA) cert on both the publisher and subscriber. That configuration is independant per server. 

Something I ran into using the same DATA IPs, I had to disable the 6.11 VM data interface from VMWare in order to configure the same IP, otherwise it would continue to detect duplicate IP even though I had already downed the old ClearPass physical server data port. That was an odd one, cleared router cache and everything trying to get around it but it kept detecting it.

What I did to keep the old cluster available, was to use new mgmt IPs and keep the old cluster alive only on the mgmt interfaces. That way the cluster stays together, you could still point things at the old mgmt IP to test if needed and can login to verify config transfer completeness. This is assmuning you have the VIP assigned to the data ports.

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

Pay attention to how Insight is configured in your cluster and make sure to manually set that in the new cluster prior to loading new config.  I have found that Insight roles are not automatically restored, and this can cause a large error volume with rather cryptic error messages when configuration is loaded from the old cluster.

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

Thanks everyone for the suggestions.

Now we are in a plan to build a publisher with new IP address and restore the existing ClearPass configuration backup to the new one.

Test the authentication from one location  by creating new SSID in the new ClearPass. During the downtime window we will replace the IP Address .

My doubt here is if I restore the configuration whether the old IP got applied to the new clearpass ?

Any other suggestion here are welcome.

Original Message:
Sent: Apr 05, 2024 12:10 PM
From: dwaites
Subject: Need suggestion for the 6.11 Upgrade.

Pay attention to how Insight is configured in your cluster and make sure to manually set that in the new cluster prior to loading new config.  I have found that Insight roles are not automatically restored, and this can cause a large error volume with rather cryptic error messages when configuration is loaded from the old cluster.

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

The server IP Address is not saved in the backup file.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Apr 11, 2024 02:09 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

Thanks everyone for the suggestions.

Now we are in a plan to build a publisher with new IP address and restore the existing ClearPass configuration backup to the new one.

Test the authentication from one location  by creating new SSID in the new ClearPass. During the downtime window we will replace the IP Address .

My doubt here is if I restore the configuration whether the old IP got applied to the new clearpass ?

Any other suggestion here are welcome.

Original Message:
Sent: Apr 05, 2024 12:10 PM
From: dwaites
Subject: Need suggestion for the 6.11 Upgrade.

Pay attention to how Insight is configured in your cluster and make sure to manually set that in the new cluster prior to loading new config.  I have found that Insight roles are not automatically restored, and this can cause a large error volume with rather cryptic error messages when configuration is loaded from the old cluster.

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?

Transferring the current production ClearPass configuration to the newly established ClearPass in the test environment shouldn't cause any disruptions, correct?

We intend to conduct authentication testing in the test environment for a week in couple NAD device only.

Original Message:
Sent: Apr 11, 2024 07:52 AM
From: bosborne
Subject: Need suggestion for the 6.11 Upgrade.

The server IP Address is not saved in the backup file.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Apr 11, 2024 02:09 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

Thanks everyone for the suggestions.

Now we are in a plan to build a publisher with new IP address and restore the existing ClearPass configuration backup to the new one.

Test the authentication from one location  by creating new SSID in the new ClearPass. During the downtime window we will replace the IP Address .

My doubt here is if I restore the configuration whether the old IP got applied to the new clearpass ?

Any other suggestion here are welcome.

Original Message:
Sent: Apr 05, 2024 12:10 PM
From: dwaites
Subject: Need suggestion for the 6.11 Upgrade.

Pay attention to how Insight is configured in your cluster and make sure to manually set that in the new cluster prior to loading new config.  I have found that Insight roles are not automatically restored, and this can cause a large error volume with rather cryptic error messages when configuration is loaded from the old cluster.

Original Message:
Sent: Apr 04, 2024 02:08 AM
From: Mithran
Subject: Need suggestion for the 6.11 Upgrade.

We are running with clearpass version 6.10.8 with 1 Publisher(192.168.1.2) and 1 Subscriber(192.168.1.3) with VIP configured(192.168.1.1)

In NAD device VIP address is configured as Radius server.

 

Upgrade Plan

============

 

1. Take the backup of the server, certificate, and licenses.

2. Take notes of the static routes you had manually add in clearpass CLI 

3. Take the screenshots of the services and certificate trust list.

4. Create 2 VMs with ClearPass policy manager 6.11 and assign the new publisher with the existing IP address (192.168.1.2) (we have to turn off the 6.10 ClearPass publisher at this point).

5. There will be no impact on the user authentication as they are pointing to the Virtual IP Address(192.168.1.1) and  Subscriber will take control of the authentication

6. Perform the basic configuration. 

a. Activate the platform license.

b. (for the ClearPass name assign them the same name, delete cppm's computer account in AD before joining the new one)

c. Join them in the domain.

7. Upload the backup configuration to the new publisher.

8. Power of the subscriber and bring the new 6.11 subscriber online.

9. Perform the Virtual IP Address configuration.

10. Validate the authentication request.

 

 

Correct me if anything I have missed and database backup size is 90 MB.

During the first login whether it will accept the platform license key of the old server ?

I am planning to upgrade to 6.11.6 Is it ok ?

What will be downtime required for this upgrade ?