A question I hear very often: how do you migrate ClearPass to a new server? The reason may be that you have reached the end of the evaluation phase and want to use the evaluation installation for production, but need to change the specs. Or you need to upgrade the specs of your appliance to meet new needs. If you are running a cluster environment, this is quite easy: simply start a new subscriber. But if you have only one ClearPass server, or you need to replace the running server, this post will guide you.
I assume you have ClearPass up and running and need to migrate it to a new server with the same IP, on a new hardware platform or in a new VM.
Migrate ClearPass: Backup the Existing Server
The first step is to back up the data on the existing server. Also make sure that you have the license key handy, or save the key from the old server as well. Start with the backup. Log in to ClearPass, go to “Administration–>Server Manager–>Server Configuration” and click the “Backup” button:
Press the “Start” button and wait until the backup process is complete. Now, download the backup file:
Save the certificates for the ClearPass server as well. Go to “Administration–>Certificates–>Server Certificate” and export both the “Radius Server Certificate” and the “HTTPS Server Certificate”:
Keep all the files safe; the certificate exports include the servers' private keys.
Migrate ClearPass: Prepare the New Server
Install the new server and follow the normal installation process. When it comes to the IP configuration, make sure the old server is down, then configure the new server with the old server's IP.
After the server configuration, use the web interface to install the license key:
Afterward, enter the “Subscription ID”. Go to “Administration–>Agents and Software Updates–>Software Updates”:
Install updates until the new server runs the same version as the old ClearPass server. This could take some time, depending on the internet connection. While the server downloads the update, you can install the licenses on your server. Go to “Administration–>Server Manager–>Licensing” and click the “Add License” button:
After the update is done and the new server has the same version as the old one, restore the backup to the new server. Go to “Administration–>Server Manager–>Server Configuration” and click the “Restore” button:
Restore the server certificates as well. Go to “Administration–>Certificates–>Server Certificate” and click “Import Server Certificate”:
The “Private Key Password” is the one you created during the initial creation of the certificate.
The last step is to join the domain, if ClearPass was joined to a domain. Go to “Administration–>Server Manager–>Server Configuration” and click on the server to open the server configuration. At the bottom of the page, there is the “Join AD” button:
Afterward, all steps are done and ClearPass runs on the new server.
If you have any questions about this topic or would like to give feedback, please use the comment function below.
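A pre-import check for the exported certificate files, as an added example that is not part of the original post: it confirms that the private key password works, that the key belongs to the certificate, that the server IP is listed in the certificate (relevant only if you use IP addresses there) and that the certificate is not about to expire. It assumes the certificate and the encrypted private key are available as PEM files; the file names, the `KEY_PASS` variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks for an exported server certificate.
# Assumptions: certificate and encrypted private key are PEM files, and the
# private key password is supplied in the KEY_PASS environment variable.

# Succeeds when $KEY_PASS decrypts KEY and KEY's public key equals CERT's.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when IP is an exact "IP Address" subjectAltName entry of CERT.
cert_has_ip() {  # usage: cert_has_ip CERT IP
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$2"
}

# Succeeds when CERT is still valid DAYS days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks; the return value is the number of failed checks.
preflight() {  # usage: preflight CERT KEY IP
    fails=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key/password mismatch"; fails=$((fails + 1)); }
    cert_has_ip "$1" "$3" || { echo "FAIL: $3 not in SAN"; fails=$((fails + 1)); }
    cert_valid_for_days "$1" 30 || { echo "FAIL: expires within 30 days"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: self-signed certificate for 192.0.2.10 (documentation range).
make_sample() {  # usage: make_sample DIR
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = cppm.example.test
[v3]
subjectAltName = DNS:cppm.example.test, IP:192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -days 90 -config "$1/req.cnf" \
        -passout env:KEY_PASS -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Passing the password through an environment variable keeps it out of the process list and shell history of the machine where the check runs.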
Can I install ClearPass with one provisional IP and do all the restores, and then change the IP?
Hi ljregib,
Sure, that’s not a problem. Just make sure that the new IP is in your certificates, if you use IP addresses in the certificate. And make sure that your devices are aware of the new IP.
BR
Florian
Can I not restore a backup from ClearPass 6.6.x to
ClearPass 6.8? It alerts:
INFO : backup is from a different version. Try with migration option enable
ERROR – Restore failed .
Can I not restore a backup from ClearPass 6.6.x > ClearPass 6.8.x? It alerts:
INFO : Backup is from a different version. Try with migration option enabled.
Error : Restore failed.
Hi kris,
I would not try to restore a backup from a different version. I would always use the same version to backup and restore. You either update the old one to the version you like and do the backup (my preferred way), or you install the older version first to restore the backup and upgrade afterward.
Restoring through minor versions should work but from 6.6.x to 6.8.x? I would not expect this to work.
BR
Florian
Nice guide.
Can you offline activate the new node whilst the current cluster is up and running? We are trying to migrate to a new VM whilst the current cluster is running. We're in the process of making a cluster in the background (offline) but we don't know if we can offline activate the nodes.
Any insight would be helpful mate, cheers.
Nice guide.
Do you know if you can activate via offline when the current cluster is running? We are in the midst of migrating our ClearPass prod environment to a new VM. We are trying to create the new cluster in the background (offline) but we are not sure if we can activate via offline mode when the current cluster is up and running.
Any insight will be more than appreciated mate, cheers.
Hi tuna,
I’m not sure if this is possible. My recommendation would be to contact your local SE from Aruba or partner and work with them. They might be able to provide an EVAL license to use during migration.
You can also contact Support, as they might be able to help with EVAL as well, or can even activate the license while the old cluster is still running.
BR
Florian
Hi, when I restore the configuration, do you know if it makes a merge or simply rewrites everything?
Hi Christian,
From my point of view, it completely restores the configuration and ignores changes you already made to the new system, except the settings you set during the initial setup of the new system.
BR
Florian
Hi, can I use this procedure to copy the configurations from one client and apply them to another environment, to save some time and not go through the configuration from scratch? They have similar configuration requirements.
I’m worried about licensing conflict and affecting the live environment. Are licences exported and imported or just the config files?
What about guest configuration?
Hi eb,
I would not recommend using the backup/restore function between clients. I haven’t seen any two clients which are equal in their configuration, and searching for the little differences and finding them all could be very time-consuming as well.
But if you really want to go down this road, make sure to replace the licenses with the ones of the customer.
Guest is a different beast. You need to go to the guest part and go to “Administration–>Import Configuration–>Import Configuration” and click the “Create a customized backup” link to create the backup. On the same screen, you can also restore it from that backup.
BR
Florian
I did exactly the steps, but when I restore the backup I get an error in migration for Policy Manager.
Hi Mohammed,
What is the error message? I would also create a ticket with Aruba TAC so they can have a look.
BR
Florian
Hi,
I’m facing an upgrade to 6.8 from 6.7. Our idea is to create a new Server with a provisional IP, install the 6.8 and restore the backup previously done in the 6.7, and finally, once it’s done, change the provisional IP to the old server’s IP (obviously shutting down the old server beforehand).
Would it be possible to do this backup from the 6.7 to the 6.8 without problems?
Thanks.
A
Hi Albert,
Officially, it is not supported to restore a backup from a different version. From my personal experience, it might work but is not guaranteed. From my point of view, I would do as below:
1. do the backup with 6.7
2. install a new server with 6.8
3. restore the backup from 1. to the new server
4. Check if everything is working
If number 4 fails, go back to 2. and install 6.7 instead and upgrade to 6.8 after you restored the backup.
Hope this helps.
BR
Florian
Hi,
I’m trying to perform an upgrade from 6.7 to 6.8 on a new server. Can I restore a backup done in 6.7 to this new server with the 6.8 version installed?
Thanks for the post,
BR.
Great article. The licensing seemed a quick wash over. Suppose you have an existing deployment on EoL hardware and you want to migrate to VM, what do you do with the licensing? If you try the existing license key that will fail.
Hi Drew,
As far as I know, you can get in touch with Aruba Support and they will convert your old licenses to the new ones.
BR
Florian
We have a ClearPass cluster set up, and now we want to migrate to a new ClearPass. Which is the best option? Can we join the new ClearPass to the current cluster as a subscriber and later remove the current publisher and promote the new one as publisher?
Hi Sri,
If you think of a new ClearPass server, I would fully agree with your idea to
1. bring up the new server
2. join the new server to the existing cluster
3. wait for the new server to sync successfully
4. promote the new server to the new publisher
BR
Florian
Hi,
Very good guide. We are going from 6.10 to 6.11, which has to be a rebuild because of the move to RHEL. We will be building a new cluster and getting EVAL licenses from our Aruba SE to complete the build and testing before we change the IPs back to those of the current cluster. This will help us to avoid changing all the infrastructure devices using the current cluster IPs.
My question is around the cluster config restore sequence:
Plan is to:
1. Start with building the Publisher, restore the config and certs, then join the domain.
2. Build the 2 subscribers and join the domain, and once we join them to the cluster the config sync from the publisher should take care of the config restore except for base IP config etc.
Is this logic correct or should we build the cluster then restore config to the Publisher?
Hi durkensa,
Thanks for the feedback. Much appreciated.
Your steps are totally fine. I would do it the same way. Just make sure to restore the certs on the subscribers as well. They will not be pushed from the publisher. I think you also have to rebuild your VRRP config, if you use that feature.
BR
Florian
Thank you for confirming and for the certs feedback. We don’t use the VRRP feature as we have the nodes in different Data Centres.
Sure, you're welcome.
BR
Florian