Clearpass - eekbot/public GitHub Wiki

Changing IP Address

Note: updating an IP address removes the static routes, so re-add them afterwards. Also, the GUI accepts only one IP change at a time; we updated the MGMT IP first, then the data IP.

configure ip mgmt 156.55.10.159 netmask 255.255.255.128 gateway 156.55.10.129
configure ip data 156.55.15.25 netmask 255.255.255.192 gateway 156.55.15.1

Add Static Route

network ip add mgmt -d <DST IP Address/Subnet Mask> -g <Gateway IP address>

View Routing Table

[appadmin@PHXMITCP02]# network ip list
=======================================================================
                        IP Rule Information
-----------------------------------------------------------------------
0:      from all lookup local
220:    from all lookup 220
10020:  from all to 156.55.10.128/25 lookup mgmt
10040:  from 156.55.10.169 lookup mgmt
32766:  from all lookup main
32767:  from all lookup default

=======================================================================
                  Route Information for Table main
-----------------------------------------------------------------------
default via 156.55.15.1 dev eth1
default via 156.55.15.1 dev eth1 proto static metric 105
127.17.0.0/16 dev docker0 proto kernel scope link src 127.17.0.1 linkdown
156.55.10.128/25 dev eth0 proto kernel scope link src 156.55.10.169 metric 104
156.55.15.0/26 dev eth1 proto kernel scope link src 156.55.15.35 metric 105

=======================================================================
                 Route Information for Table static
-----------------------------------------------------------------------

=======================================================================
                  Route Information for Table mgmt
-----------------------------------------------------------------------
default via 156.55.10.129 dev eth0
156.55.10.128/25 dev eth0 scope link src 156.55.10.169

=======================================================================
                  Route Information for Table data
-----------------------------------------------------------------------
default via 156.55.15.1 dev eth1
156.55.15.0/26 dev eth1 scope link src 156.55.15.35

=======================================================================
               Route Information for Table IPSec(220)
-----------------------------------------------------------------------

=======================================================================
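Because an IP change wipes the static routes (and the cutover below depends on the mgmt networks still routing to each other), it helps to diff the routing tables before and after rather than eyeball them. The script below is an added example written for this page, not code from the wiki author or from ClearPass: it parses the `network ip list` output above, reports which expected static routes are missing, and prints the `network ip add` commands needed to restore them. The peer subnet 156.55.20.128/25 is an assumed placeholder, and the checker assumes that a route added with `network ip add` shows up as a `<dst> via <gw> dev <if>` line in one of the tables, so it searches every table rather than guessing which one ClearPass uses.

```python
"""Parse ClearPass `network ip list` output and find missing static routes."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `network ip list` output shown on this page,
# captured after an IP change (note the empty "static" table).
SAMPLE_OUTPUT = """\
=======================================================================
                        IP Rule Information
-----------------------------------------------------------------------
0:      from all lookup local
220:    from all lookup 220
10020:  from all to 156.55.10.128/25 lookup mgmt
10040:  from 156.55.10.169 lookup mgmt
32766:  from all lookup main
32767:  from all lookup default

=======================================================================
                  Route Information for Table main
-----------------------------------------------------------------------
default via 156.55.15.1 dev eth1
default via 156.55.15.1 dev eth1 proto static metric 105
156.55.10.128/25 dev eth0 proto kernel scope link src 156.55.10.169 metric 104
156.55.15.0/26 dev eth1 proto kernel scope link src 156.55.15.35 metric 105

=======================================================================
                  Route Information for Table static
-----------------------------------------------------------------------

=======================================================================
                  Route Information for Table mgmt
-----------------------------------------------------------------------
default via 156.55.10.129 dev eth0
156.55.10.128/25 dev eth0 scope link src 156.55.10.169

=======================================================================
                  Route Information for Table data
-----------------------------------------------------------------------
default via 156.55.15.1 dev eth1
156.55.15.0/26 dev eth1 scope link src 156.55.15.35

=======================================================================
"""

# Hypothetical expectation (not from the page): the other cluster member's
# mgmt subnet must be reachable via the local mgmt gateway over interface mgmt.
Route = Tuple[str, str, str]  # (interface name for `network ip add`, dst, gw)
EXPECTED_STATIC_ROUTES: List[Route] = [("mgmt", "156.55.20.128/25", "156.55.10.129")]

HEADER_RE = re.compile(r"Route Information for Table (\S+)")
VIA_RE = re.compile(r"^(\S+) via (\S+) dev (\S+)")


def parse_route_tables(output: str) -> Dict[str, List[str]]:
    """Return {table_name: [route lines]}; the IP rule section is skipped."""
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        # Skip rule lines, blank lines and the ===/--- separators.
        if current is None or not line or set(line) <= {"=", "-"}:
            continue
        tables[current].append(line)
    return tables


def default_gateway(tables: Dict[str, List[str]], table: str) -> Optional[str]:
    """First default gateway listed in the given table, or None."""
    for line in tables.get(table, []):
        m = VIA_RE.match(line)
        if m and m.group(1) == "default":
            return m.group(2)
    return None


def missing_static_routes(tables: Dict[str, List[str]], expected: List[Route]) -> List[Route]:
    """Expected routes whose (dst, gw) pair appears in no table at all."""
    present = set()
    for lines in tables.values():
        for line in lines:
            m = VIA_RE.match(line)
            if m:
                present.add((m.group(1), m.group(2)))
    return [r for r in expected if (r[1], r[2]) not in present]


def readd_commands(missing: List[Route]) -> List[str]:
    """Render the ClearPass CLI command that restores each missing route."""
    return [f"network ip add {iface} -d {dst} -g {gw}" for iface, dst, gw in missing]


if __name__ == "__main__":
    parsed = parse_route_tables(SAMPLE_OUTPUT)
    print("mgmt default gateway:", default_gateway(parsed, "mgmt"))
    for cmd in readd_commands(missing_static_routes(parsed, EXPECTED_STATIC_ROUTES)):
        print("missing, run:", cmd)
```

Run it once against the output captured before the IP change (expect no missing routes) and once after; the commands it prints for the second run are exactly what has to be typed back in before clustering.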

Upgrading from 6.10 to 6.11

Link for reference: https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

The ClearPass code base changed drastically between 6.10 and 6.11, so we did not do a typical in-place upgrade. Instead, we built ClearPass from scratch on the new code and migrated the configuration.

Here are the key notes. For the purposes of this discussion, I will call the old boxes the prod subscriber and prod publisher, and the new boxes the eval publisher and eval subscriber. Note, however, that the eval subscriber actually stays in publisher mode all the way up until the clustering at the end. I will also keep calling the eval boxes "eval" even after they are moved into production.

Prep work:

  • We had the legacy single-line format for the prod licenses, so we opened a TAC case to have them converted to the multi-line format.
  • We created two VMs on the new code, with different IPs on the same networks as prod, and with temporary eval licenses.
  • DO NOT CLUSTER THE EVAL BOXES BEFOREHAND. Doing so caused a lot of problems that even reverting to the snapshot could not fix.
  • We backed up the config on both prod boxes, but only restored the prod publisher backup onto the eval publisher. We kept the eval subscriber as blank as possible, intending to let clustering supply its configuration later.
  • We generated and imported new HTTPS RSA certificates for each eval box using the new name and without the IP in the SAN. We also exported the prod certificate from the Trust List and imported it into the Trust List on the eval boxes.
  • Note the static routes on both boxes; they will have to be re-added after the IP change.

Cutover Window:

  • Find a device that authenticates against the prod subscriber (JAX). We chose Panorama for our test. Test a login first to make sure it works before any change.
  • Shut down the prod subscriber's vNICs first (JAX). Test a Panorama login and make sure Access Tracker shows the request going to PHX. Note: Access Tracker was broken if I included JAX CP in the search.
  • Shut down the prod publisher's vNICs (PHX). Test a Panorama login with AD credentials (expected to fail) and then with local auth (expected to succeed).
  • With the vNICs still shut down, update the IPs of the eval publisher to reuse the prod publisher's IPs. You can only change one IP at a time in the GUI, so we did the mgmt IP first, then the data IP. Changing the data IP took a few minutes to come back. Once it is up, test the Panorama login again; it should work with AD credentials.
  • Now change the IPs of the eval subscriber to reuse the prod subscriber's IPs. As with the publisher, we did the mgmt IP first, then the data IP. Note that once you take over the mgmt IP, devices that point at JAX CP will be broken until the eval subscriber is back up.
  • Once the eval subscriber comes back online after the IP changes, update the static routes on both eval boxes. We believe the static routes were removed during the IP change. We wanted both mgmt networks to route to each other over the mgmt interfaces for clustering.
  • Once the static routes are in place, turn the eval subscriber into a subscriber of the eval publisher (which has taken over the prod function).
  • When clustering completes, test Panorama again.
  • If testing looks okay, import the converted licenses onto the eval boxes.
  • Under the Software Updates section, we had to regenerate the API token used to talk to ClearPass.