Security

 View Only
  • 1.  Clearpass Migration from C2000V to C3000V

    Posted May 21, 2026 11:29 PM

     

    Hi All, 

    We are currently planning an upgrade from ClearPass C2000V to C3000V in our Azure environment. 

    Due to constraints, we are unable to perform an in-place upgrade/morph. Instead, our approach is to: 

    Deploy a new ClearPass instance (C3000V) in Azure 

    Validate that everything is working as expected 

    Replace the existing C2000V instance by assigning the same IP address to the new node 

    Before proceeding, we would like to ensure we have covered all necessary considerations for a smooth migration. 

    Key questions: 

    Backup Scope 
    Is taking a Full Backup via 
    Administration → Server Manager → Server Configuration 
    sufficient to capture everything, including: 

    Services 

    Role mappings 

    Enforcement policies 

    Endpoint database 

    Guest data 

    Certificates (including server/EAP certs) 

    Trust list 

    Or is it recommended to individually back up certain components (e.g., certificates, guest data, policies) separately as an extra precaution? 

    Migration Considerations 
    For those who have performed a similar migration (new VM + restore), are there any key items we should pay special attention to, such as: 

    Certificate handling 

    AD/LDAP re-joins 

    Licensing changes (C3000V) 

    Network/IP reassignment in Azure 

    Cluster reconfiguration (if applicable) 

    We want to make sure we avoid any gaps and ensure minimal disruption during the cutover. 

    Any guidance, best practices, or lessons learned would be greatly appreciated. 

    Thanks in advance! 



    -------------------------------------------


  • 2.  RE: Clearpass Migration from C2000V to C3000V

    Posted May 22, 2026 02:45 AM

    With the scenario to replace the current server with a new server with the same IP and name, you can take a config backup of your current server and restore on the new server. This will include "everything", except some parts and settings. Make sure to include extensions if you have any extensions installed.

    The normal config backup includes all cluster wide parameters, everything under under Configuration such as services policies, profiles, Authentication sources etc. The backup does not include any service specific parameters changed under Server Manager and the specific server. Such as hardening, domain join, service parameters. This must be entered again.

    Server certificate and licenses can be restored under some circumstances, but I always export the certificates to p12 files and make sure I have the licenses in the Networking Support Portal, or exported to file from the CLI with the command 'show license'

    A ticket may be required to TAC to enable the licenses for activation again.

    Logs, and Insight data will not be restored as part of the configuration backup. If you need this data you have to take separate backups and restore this to the server after the config restore.

    To minimize disruptions I would opt to set up the new server with new name and IP. Make the new server a subscriber to the current server, this will replicate almost all data. Except the mentioned above. Certificates must be installed on the new server, and if you have any extension this must also be configured.

    This way you can verify everything before the cut over.

    One extra step that is needed with this is to reconfigure all network equipment to use the new server. Hopefully you have DNS record and just need to update the DNS with the new IP address.

    If you opt for the replacement strategy and have never done this, I would estimate the downtime to a full day.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass Migration from C2000V to C3000V

    Posted May 28, 2026 05:56 PM

    Hi jonas 

    thank you for the heads up 

    we finally got some ideas now with the statement you made 

    our idea now is to migrate out lab server first and move to production considering what you said 

    appreciate 

    -------------------------------------------



  • 4.  RE: Clearpass Migration from C2000V to C3000V

    Posted 10 days ago

    Hi @JH-09f195

    Coming back again

    We do have DNS records in place, and that approach works fine for our 6200 switches. However, all of our 2930F switches are configured with the ClearPass authentication servers using IP addresses rather than hostnames.

    We would prefer not to update those IP addresses individually, as we have more than 1,000 Aruba 2930F switches and over 300 routers that would also require DHCP relay/helper address changes.

    Our proposed approach is:

    1. Build a new ClearPass C3000V cluster in Azure.
    2. Perform all testing and validation on the new environment.
    3. During the cutover window, swap the production IP addresses and hostnames from the existing ClearPass servers to the new cluster.
    4. Retain the existing production IPs used by network devices so that no switch or router configuration changes are required.

    Since these servers are hosted in Azure, we are hoping to reassign the IP addresses at the Azure networking layer during the migration.

    In your experience, is this a supported and recommended approach for a ClearPass migration?

    Thanks in advance.




  • 5.  RE: Clearpass Migration from C2000V to C3000V

    Posted 8 days ago

    I had to deploy azure VM's for clearpass recently. I will be changing the IP at somepoint as well. Clearpass will just get dhcp from the nic adapter in azure. I would have suggested some other methods if it was on-prem. 

    If your boxes are just subscribers this should be a fairly easy task to swap and replace. I am not sure if you have multiple radius IP's configured in the switches or just a single IP. I suppose this comes back to original design and intentions. If you haver multiple radius servers in a server group. There should be no issue taking that box out of service while migrating from C2000v to C3000v. 

    If you only have a single host, then yes building new and migrating everything would be the suggestion there. When everything is done and tested then swap the IP's at the end. 

    I am not sure how many subscribers you have. I am not able to provide much more until understanding more info.