Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Replacing ClearPass Publisher

  • 1.  Replacing ClearPass Publisher

    Posted 15 days ago

    My customer has an issue with publisher storage and wants to spin up a new virtual machine to replace the current publisher. The cluster includes a publisher and a subscriber, and I am looking for the smoothest way to do this replacement. I am testing the process in my lab, and I noticed that when restoring the publisher backup onto a different machine some components are not restored, like:

    • IP addresses
    • Certificates
    • licenses
    • AD Domain
    • Passwords for admin and appadmin accounts

    Is this the expected behavior? What other components are not restored that I need to migrate manually?

    If I select restoring the cluster setup and configure the appadmin password to match the old publisher, does the subscriber join the cluster even if I restore the publisher on a different machine?

    Do you have any suggested procedure to make this replacement smooth with minimum interruption? 



  • 2.  RE: Replacing ClearPass Publisher

    Posted 15 days ago

    Hi

    This is expected behavior.

    Instead of performing a restore, just install the new host, either on a new IP or the same IP as the old publisher, and join it to the cluster. During the cluster join, all configuration, like the admin and appadmin passwords, will be copied to the host as part of the cluster sync process. If you plan to use the same IP as the old publisher, move the publisher role to the current subscriber, add the new server to the cluster and, if needed, move the publisher role again.

    Certificates, licenses and domain join must be added manually.

    If you have configured specific service parameters on the server, you need to configure these settings again. The same goes for IP restrictions done in the Network tab.

    Any manual routes added in the CLI must also be added on the new server.

    If all network devices, like switches and access points, have a redundant RADIUS configuration, there shouldn't be any disturbance for the clients. Maybe a few authentications with a longer response time.

    If you have VIP addresses configured and are using the VIPs for the RADIUS traffic, you can transfer the VIP from the publisher to the subscriber, replace the old publisher node, and when this server is ready just transfer the VIP back to the new server, without any disturbance at all.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Replacing ClearPass Publisher

    Posted 10 days ago

    I restored the previous backup, as I need to restore the extensions and extension settings. The publisher has a few extensions, and promoting another node as publisher and then joining the new publisher to the cluster doesn't retain the extensions and their parameters.




  • 4.  RE: Replacing ClearPass Publisher

    Posted 9 days ago

    Hi Jonas,

    We are using the VIP for RADIUS traffic. Could you please brief me on transferring the VIP to the subscriber?

    Currently we have installed two CPPMs (1 Pub and 1 Sub) in parallel on 6.11.7 with new IP addresses. During the upgrade we plan to change the IP without much downtime.




  • 5.  RE: Replacing ClearPass Publisher

    Posted 8 days ago

    Hi

    Can you elaborate on what you would like to know regarding moving the VIP address?

    It's done from the Virtual IP Settings dialogue under Server Manager/Server Configuration.

    So with your current VIP for RADIUS, you just need to set the new server as the primary server for the VIP address.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Replacing ClearPass Publisher

    Posted 2 days ago

    Hi Jonas,

    Currently, in our setup, we've got two nodes: the Publisher and the Subscriber. The virtual IP is configured, and it's pointing to the Publisher.

    In our NAD devices, the virtual IP is set up for both RADIUS and TACACS traffic, meaning all authentication requests are hitting the Publisher.

    Now, following standard practices, it's not recommended for the Publisher to handle authentication exclusively. So, I'm considering redirecting the VIP to the Subscriber.

    Before making this change, do you think there might be any potential impact or specific things I should check?




  • 7.  RE: Replacing ClearPass Publisher

    EMPLOYEE
    Posted 2 days ago

    Rather than using the VIP as your target for RADIUS and TACACS+, just define both servers on the network device but set the group or priority or whatever so that the subscriber is the primary target. That way the network device handles the failover from primary to secondary rather than counting on the VIP to move... and the VIP doesn't care about the RADIUS or TACACS+ service status.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
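The last two replies make the same point from different directions: a VIP follows node reachability, not whether the RADIUS service on that node is actually answering, so before re-pointing a VIP or re-ordering NAD server priority it is worth proving that each node's RADIUS daemon responds. The script below is an added example, not code from this thread or from HPE Aruba: it sends a RADIUS Status-Server request (RFC 5997) to each node with the mandatory Message-Authenticator, then validates the Response Authenticator and the Message-Authenticator on the reply with the shared secret, so a forged or wrong-secret reply is not counted as "up". The hostnames, UDP port 1812, the shared secret, and that the ClearPass node has Status-Server enabled for the probing client are all assumptions; `make_access_accept` is a constructed server-side reply used only to exercise the verifier offline.

```python
"""Probe the RADIUS service on each node with Status-Server (RFC 5997).

Added example: a VIP only tracks node reachability; this checks that the
RADIUS daemon itself answers, and that the answer is authenticated with
the shared secret. Assumes Status-Server is enabled on the target nodes.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12            # RADIUS code for Status-Server
ACCESS_ACCEPT = 2             # expected reply code to a Status-Server probe
MESSAGE_AUTHENTICATOR = 80    # attribute type, HMAC-MD5 (RFC 2869 5.14)
HDR = struct.Struct("!BBH")   # code, identifier, length (authenticator follows)


def hmac_md5(secret: bytes, packet: bytes) -> bytes:
    return hmac.new(secret, packet, hashlib.md5).digest()


def build_status_server(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Status-Server packet: 20-byte header plus a Message-Authenticator.

    The HMAC is computed over the whole packet with the attribute value
    zeroed, then the real value is written in its place."""
    header = HDR.pack(STATUS_SERVER, ident, 20 + 18) + request_auth
    attr = bytes([MESSAGE_AUTHENTICATOR, 18])
    mac = hmac_md5(secret, header + attr + bytes(16))
    return header + attr + mac


def iter_attrs(data: bytes):
    """Yield (type, offset, value) for each TLV; raise on malformed input."""
    pos = 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield t, pos, data[pos + 2:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after attributes")


def verify_response(secret: bytes, ident: int, request_auth: bytes, resp: bytes) -> bool:
    """True only for an Access-Accept whose authenticators check out."""
    if len(resp) < 20:
        return False
    code, rid, length = HDR.unpack(resp[:4])
    if code != ACCESS_ACCEPT or rid != ident or length != len(resp):
        return False
    attrs = resp[20:]
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(resp[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return False
    try:
        for t, off, val in iter_attrs(attrs):
            if t == MESSAGE_AUTHENTICATOR:
                if len(val) != 16:
                    return False
                # For replies, the HMAC is taken with the Request Authenticator in
                # the authenticator field and the Message-Authenticator zeroed.
                zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
                mac = hmac_md5(secret, resp[:4] + request_auth + zeroed)
                return hmac.compare_digest(mac, val)
    except ValueError:
        return False
    return True


def make_access_accept(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Constructed server-side reply (what a healthy node would send),
    used here only so the verifier can be exercised offline."""
    head = HDR.pack(ACCESS_ACCEPT, ident, 20 + 18)
    attr = bytes([MESSAGE_AUTHENTICATOR, 18])
    mac = hmac_md5(secret, head + request_auth + attr + bytes(16))
    attrs = attr + mac
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """Send one Status-Server to host:port and validate whatever comes back."""
    ident = os.urandom(1)[0]
    request_auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_server(secret, ident, request_auth), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, ident, request_auth, data)


if __name__ == "__main__":
    import sys
    # usage: python radius_probe.py <shared-secret> <node> [<node> ...]   (names assumed)
    shared = sys.argv[1].encode()
    for node in sys.argv[2:]:
        print(node, "RADIUS answering" if probe(node, shared) else "no valid reply")
```

Run it against both the publisher and the subscriber (with the probing host added as a network device on ClearPass so the shared secret matches) before moving the VIP or promoting the subscriber to the primary entry on the NADs; a node that is pingable but returns nothing, or returns a reply that fails the authenticator checks, is exactly the case a VIP alone would not catch.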