Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

upgrade 6.9 to 6.11

  • 1.  upgrade 6.9 to 6.11

    Posted 30 days ago

    Hello, I have this scenario in which I know how to do it if it was a C1000 to a C1000.

    But in the new 6.11 they will include more things, a lot more things, and it will require a C2000.

    They are VMs.

    This is my question:

    Can I back up my ClearPass in 6.9.13 in C1000 and upload that backup in a 6.11 which is C2000? Or is that not compatible?

    Do I need to transform the machine from a C1000 to C2000 first in 6.9.13, then proceed and create my machine in C2000 in 6.11 and upload my 6.9.13 backup?

    Please let me know.

    Thanks



  • 2.  RE: upgrade 6.9 to 6.11

    EMPLOYEE
    Posted 30 days ago

    I would:

    1. Create a backup of the publisher
    2. Add required resources to the Publisher VM
    3. morph-vm the Publisher to C2000V
    4. Create a backup of the publisher
    5. Deploy a new ClearPass VM with the C2000V resources and 6.11.1
    6. Restore backup
    7. Move forward with subscribers.


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: upgrade 6.9 to 6.11

    MVP EXPERT
    Posted 30 days ago

    Agree with Carson, some extra tips here:

    • In ClearPass 6.11.x the default HTTPS certificate is HTTPS ECC; when using an HTTPS RSA certificate you need to disable the ECC certificate.
    • Authentication Sources LDAP over TLS (aka secure LDAP) now require you to specify the Root-CA certificate that validates the server certificate the AD sends to ClearPass.


    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 4.  RE: upgrade 6.9 to 6.11

    Posted 30 days ago

    I don't think it's needed to morph the old C1000V to a C2000V. I would leave that machine untouched to have a quick fallback and save time.

    There is no difference in the configuration of any of the sizes of the ClearPass machines, and backups from one size of machine can be restored on any other size, as long as we are talking just configuration and not exceptionally large Endpoint databases. Do not try to restore large Insight or session databases from a C3010 on a C1000 server as this may cause a server crash.

    With ClearPass 6.11, TLS 1.3 is the default, and with TLS 1.3 also comes a new algorithm called PSS RSA, and some older TPM chips have a bug related to this algorithm. Please see my blog post for more information:
    https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: upgrade 6.9 to 6.11

    MVP
    Posted 30 days ago

    You said:

    • Authentication Sources LDAP over TLS (aka secure LDAP) now require you to specify the Root-CA certificate that validates the server certificate the AD sends to ClearPass.

    I have been running LDAPS on 6.11 & 6.12 without doing this. Where did you see this requirement?



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------