Security

-------------------------------------------

With the scenario to replace the current server with a new server with the same IP and name, you can take a config backup of your current server and restore on the new server. This will include "everything", except some parts and settings. Make sure to include extensions if you have any extensions installed.

The normal config backup includes all cluster wide parameters, everything under under Configuration such as services policies, profiles, Authentication sources etc. The backup does not include any service specific parameters changed under Server Manager and the specific server. Such as hardening, domain join, service parameters. This must be entered again.

Server certificate and licenses can be restored under some circumstances, but I always export the certificates to p12 files and make sure I have the licenses in the Networking Support Portal, or exported to file from the CLI with the command 'show license'

A ticket may be required to TAC to enable the licenses for activation again.

Logs, and Insight data will not be restored as part of the configuration backup. If you need this data you have to take separate backups and restore this to the server after the config restore.

To minimize disruptions I would opt to set up the new server with new name and IP. Make the new server a subscriber to the current server, this will replicate almost all data. Except the mentioned above. Certificates must be installed on the new server, and if you have any extension this must also be configured.

This way you can verify everything before the cut over.

One extra step that is needed with this is to reconfigure all network equipment to use the new server. Hopefully you have DNS record and just need to update the DNS with the new IP address.

If you opt for the replacement strategy and have never done this, I would estimate the downtime to a full day.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hi jonas 

thank you for the heads up 

we finally got some ideas now with the statement you made 

our idea now is to migrate out lab server first and move to production considering what you said 

appreciate 

-------------------------------------------

Original Message:
Sent: May 22, 2026 02:45 AM
From: jonas.hammarback
Subject: Clearpass Migration from C2000V to C3000V

With the scenario to replace the current server with a new server with the same IP and name, you can take a config backup of your current server and restore on the new server. This will include "everything", except some parts and settings. Make sure to include extensions if you have any extensions installed.

The normal config backup includes all cluster wide parameters, everything under under Configuration such as services policies, profiles, Authentication sources etc. The backup does not include any service specific parameters changed under Server Manager and the specific server. Such as hardening, domain join, service parameters. This must be entered again.

Server certificate and licenses can be restored under some circumstances, but I always export the certificates to p12 files and make sure I have the licenses in the Networking Support Portal, or exported to file from the CLI with the command 'show license'

A ticket may be required to TAC to enable the licenses for activation again.

Logs, and Insight data will not be restored as part of the configuration backup. If you need this data you have to take separate backups and restore this to the server after the config restore.

To minimize disruptions I would opt to set up the new server with new name and IP. Make the new server a subscriber to the current server, this will replicate almost all data. Except the mentioned above. Certificates must be installed on the new server, and if you have any extension this must also be configured.

This way you can verify everything before the cut over.

One extra step that is needed with this is to reconfigure all network equipment to use the new server. Hopefully you have DNS record and just need to update the DNS with the new IP address.

If you opt for the replacement strategy and have never done this, I would estimate the downtime to a full day.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------