Migrate ClearPass to a new Server


A question I hear very often: how do you migrate ClearPass to a new server? One reason may be that you have reached the end of the evaluation phase and want to use the evaluation installation for production, but need to change the specs. Or you need to upgrade the specs of your appliance to meet new needs. If you are running a cluster environment, this is quite easy: simply start a new subscriber. But if you have only one ClearPass server, or you need to replace the running server, this post will guide you.

I assume you have ClearPass up and running and need to migrate it to a new server with the same IP, either on a new hardware platform or within a new VM.

Migrate ClearPass: Backup the Existing Server

The first step is to back up all data on the existing server. Also make sure that you have the license key handy, or save the key from the old server as well. Start with the backup. Log in to ClearPass, go to “Administration–>Server Manager–>Server Configuration” and click the “Backup” button:

Migrate ClearPass - Create Backup of old Server

Press the “Start” button and wait until the backup process is complete. Now, download the backup file:

Migrate ClearPass - Download Backup of old Server

Save the certificates of the ClearPass server as well. Go to “Administration–>Certificates–>Server Certificate” and export both the “Radius Server Certificate” and the “HTTPS Server Certificate”:

Migrate ClearPass - Export Server Certificates

Keep all the files safe.
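One way to keep the downloaded backup and the exported certificates safe between the two servers, as an added example that is not part of the original post: seal the folder right after the export and verify it right before the restore. It assumes GNU coreutils/findutils on the admin workstation and a flat directory of your choosing; the `SHA256SUMS` manifest name and both function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes GNU coreutils/findutils
# and that the backup and both certificate exports sit in one flat directory.
MANIFEST="SHA256SUMS"

# seal_artifacts DIR: make DIR owner-only and record a SHA-256 manifest.
seal_artifacts() {
    local dir="$1" sums
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    chmod 700 "$dir" || return 2
    find "$dir" -maxdepth 1 -type f -exec chmod 600 {} + || return 2
    sums=$(cd "$dir" && find . -maxdepth 1 -type f ! -name "$MANIFEST" -print0 |
           sort -z | xargs -0 -r sha256sum) || return 2
    [ -n "$sums" ] || { echo "nothing to seal in $dir" >&2; return 2; }
    ( umask 077; printf '%s\n' "$sums" > "$dir/$MANIFEST" )
}

# verify_artifacts DIR: return 0 only if permissions are still owner-only,
# no file was added or removed, and every checksum still matches.
verify_artifacts() {
    local dir="$1" loose out listed present
    [ -f "$dir/$MANIFEST" ] || { echo "missing $MANIFEST in $dir" >&2; return 2; }
    loose=$(find "$dir" -maxdepth 1 -perm /077 -print)
    if [ -n "$loose" ]; then
        printf 'readable by group/others:\n%s\n' "$loose" >&2
        return 1
    fi
    listed=$(wc -l < "$dir/$MANIFEST")
    present=$(find "$dir" -maxdepth 1 -type f ! -name "$MANIFEST" | wc -l)
    if [ "$listed" -ne "$present" ]; then
        echo "file count changed: manifest=$listed directory=$present" >&2
        return 1
    fi
    out=$(cd "$dir" && sha256sum -c "$MANIFEST" 2>&1) || {
        printf '%s\n' "$out" | grep -v ': OK$' >&2
        return 1
    }
}

# Usage: script.sh seal DIR    (right after downloading/exporting)
#        script.sh verify DIR  (right before restoring on the new server)
case "${1:-}" in
    seal)   seal_artifacts "$2" ;;
    verify) verify_artifacts "$2" ;;
esac
```
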

Migrate ClearPass: Prepare the new Server

Install the new server and follow the normal installation process. When it comes to the IP configuration, make sure the old server is down, then configure the old server’s IP on the new server.

After the server configuration, use the web interface to install the license key:

Migrate ClearPass - Install Policy Manager License

Afterward, enter the “Subscription ID”. Go to “Administration–>Agents and Software Updates–>Software Updates”:

Migrate ClearPass - Enter Subscription ID

Install all updates until the new server is at the same version as the old ClearPass server. This could take some time, depending on the internet connection. While the server downloads the update, you can install the licenses on your server. Go to “Administration–>Server Manager–>Licensing” and click the “Add License” button:

Migrate ClearPass - Add Licenses

After the update is done and the new server has the same version as the old one, restore the backup to the new server. Go to “Administration–>Server Manager–>Server Configuration” and click the “Restore” button:

Migrate ClearPass - Restore Backup

Restore the server certificates as well. Go to “Administration–>Certificates–>Server Certificate” and “Import Server Certificate”:

Migrate ClearPass - Restore Server Certificates

The “Private Key Password” is the one you created during the initial creation of the certificate.

The last step is to join the domain, if ClearPass was joined to a domain. Go to “Administration–>Server Manager–>Server Configuration” and click on the server to open the server configuration. At the bottom of the page, there is the “Join AD” button:

Migrate ClearPass - Join AD

Afterward, all steps are done and your ClearPass server runs on the new server.

If you have any questions about this topic or if you would like to give feedback, please use the comment function below.

25 thoughts on “Migrate ClearPass to a new Server”

    • Hi ljregib,
      Sure, that’s not a problem. Just make sure that the new ip is in your certificates, if you use ip addresses in the certificate. And make sure that your devices are aware of the new ip.
      BR
      Florian

      Reply
  1. Can I not Restore Backup Clearpass 6.6.X TO Clearpass 6.8? It alerts:

    INFO : backup is from a different version. Try with migration option enable
    ERROR – Restore failed .

    Reply
  2. Can I not Restore Backup Clearpass 6.6.x > Clearpass 6.8.x? It alerts:

    INFO : Backup is from a different version. Try with migration option enabled.

    Error : Restore failed.

    Reply
    • Hi kris,

      I would not try to restore a backup from a different version. I would always use the same version to backup and restore. You either update the old one to the version you like and do the backup (my preferred way), or you install the older version first to restore the backup and upgrade afterward.

      Restoring through minor versions should work but from 6.6.x to 6.8.x? I would not expect this to work.

      BR
      Florian

      Reply
  3. nice guide

    can you offline activate the new node whilst the current cluster is up and running? we are trying to migrate to a new VM whilst the current cluster is running. we're in the process of making a cluster in the background (Offline) but we don't know if we can offline activate the nodes.

    any insight would be helpful mate, cheers

    Reply
  4. nice guide

    do you know if you can activate via offline when the current cluster is running? we are in the midst of migrating our Clearpass prod environment to a new VM. We are trying to create the new cluster in the background (offline) but we are not sure if we can activate via offline mode when the current cluster is up and running.

    any insight will be more than appreciated mate, cheers

    Reply
    • Hi tuna,

      I’m not sure if this is possible. My recommendation would be to contact your local SE from Aruba or partner and work with them. They might be able to provide an EVAL license to use during migration.
      You can also contact Support, as they might be able to help with EVAL as well, or can even activate the license while the old cluster is still running.

      BR
      Florian

      Reply
    • Hi Chrisitan,

      From my point of view, it completely restores the configuration and ignores changes you already made to the new system, except the settings you set during the initial setup of the new system.

      BR
      Florian

      Reply
  5. Hi, can I use this procedure to copy the configurations from one client and apply this to another environment to save some time and not go through the configuration from scratch? They have similar configuration requirements.
    I’m worried about licensing conflict and affecting the live environment. Are licences exported and imported or just the config files?
    What about guest configuration?

    Reply
    • Hi eb,

      I would not recommend using the backup/restore function between clients. I haven’t seen any two clients which are equal in their configuration, and searching for the little differences and finding them all could be very time consuming as well.
      But if you really want to go down this road, make sure to replace the licenses with the ones of the customer.
      Guest is a different beast. You need to go to the guest part and go to “Administration–>Import Configuration–>Import Configuration” and click the “Create a customized backup” link to create the backup. On the same screen, you can also restore it from that backup.

      BR
      Florian

      Reply
    • Hi Mohammed,

      What is the error message? I would also create a ticket with Aruba TAC so they can have a look.

      BR
      Florian

      Reply
  6. Hi,

    I’m facing an upgrade to 6.8 from 6.7. Our idea is to create a new Server with a provisional IP, install the 6.8 and restore the backup previously done in the 6.7, and finally, once it’s done, change the provisional IP to the old server’s IP (obviously shutting down the old server beforehand).

    Would it be possible to do this backup from the 6.7 to the 6.8 without problems?

    Thanks.
    A

    Reply
    • Hi Albert,

      Officially, it is not supported to restore a backup from a different version. From my personal experience, it might work but is not guaranteed. From my point of view, I would do as below:
      1. do the backup with 6.7
      2. install a new server with 6.8
      3. restore the backup from 1. to the new server
      4. Check if everything is working

      If number 4 fails, go back to 2. and install 6.7 instead and upgrade to 6.8 after you restored the backup.

      hope this helps.

      BR
      Florian

      Reply
  7. Hi,

    I’m trying to perform an upgrade from 6.7 to 6.8 in a new server. Can I restore a backup done in the 6.7 to this new server with the 6.8 version installed?

    Thanks for the post,
    BR.

    Reply
  8. Great article. The licensing seemed a quick wash over. Suppose you have an existing deployment on EoL hardware and you want to migrate to VM, what do you do with the licensing? If you try the existing license key that will fail.

    Reply
    • Hi Drew,

      As far as I know, you can get in touch with Aruba Support and they will convert your old licenses to the new ones.

      BR
      Florian

      Reply
  9. We have a ClearPass cluster setup, and now we want to migrate to a new ClearPass. Which is the best option? Can we join the new ClearPass to the current cluster as subscriber and later remove the current publisher and promote the new one as publisher?

    Reply
    • hi Sri,

      If you think of a new ClearPass server, I would fully agree with your idea to
      1. bring up the new server
      2. join the new server to the existing cluster
      3. wait for the new server to sync successfully
      4. promote the new server to the new publisher

      BR
      Florian

      Reply
  10. Hi
    Very good guide, we are going from 6.10 to 6.11 which has to be a rebuild because of the move to RHEL. We will be building a new cluster and get EVAL licenses from our Aruba SE to complete the build and testing before we change the IPs back to the current cluster. This will help us to avoid changing all the infrastructure devices using the current cluster IPs.
    My question is around the cluster config restore sequence:
    Plan is to:
    1. Start with building the Publisher restore the config and certs then join the domain.
    2. Build the 2 subscribers and join the domain, and once we join them to the cluster the config sync from the publisher should take care of the config restore except for base IP config etc.

    Is this logic correct or should we build the cluster then restore config to the Publisher?

    Reply
    • Hi durkensa,

      thanks for the feedback. Much appreciated.
      Your steps are totally fine. I would do it the same way. Just make sure to restore the certs on the subscribers as well. They will not be pushed from the publisher. I think you also have to rebuild your VRRP config, if you use that feature.

      BR
      Florian

      Reply
