Wireless Access

If I restore a backup of 6.7 onto a new CPPM device (migrating from a HW device to VM - new IP and certificate on CPPM) will i need to re-onboard devices?

As far as I know, the Onboard CAs and issued certificates are restored from a backup. In the (far) past, I remember that I had to import he Onboard CA root in the Trust List manually to get the authentication accepted, but think that is fixed in recent releases.

Also, if you configured OCSP to include the name of the ClearPass server in the client certificate, and you do OCSP checking based on the ocsp-url in the client certificate, and that name changed, you might need to re-provision all your client certificates or do an override of the OCSP url in your Authentication Method to check at localhost (recommended anyway).

With a pretty standard, straightforward implementation, you are likely okay. Good thing is that you will have both servers in parallel and can test before you swap over.

Thanks Hermann, good information there, I have checked and the certificates are in place so thats good news. Is there a way to export and import the certificates only? since we took the backup, and restored onto the new CPPMs there have been a few more provisionings so there is a small discrepancy between the old and new setup.

I just checked and could not find such a specific backup/restore of just an Onboard CA. You could contact Aruba TAC if they know a way to do that.