New Known Issues in the 6.8.0 Release

The following known issues were identified in the ClearPass 6.8.0 release. For a list of known issues identified in previous releases, see Known Issues Identified in Previous Releases.


Do not update to 6.7.10 or upgrade to 6.8.0 if you think your hardware appliance is affected by the issue described in the Aruba Support Advisory ARUBA‑SA‑20190802_PLL302, “Failure to Boot after Upgrade/Update to 6.7.10 or 6.8.0,” and in CP‑34406 and CP‑34776 below.

This section includes:

* CLI
* Cluster Upgrade and Update
* Endpoint Context Servers
* Guest
* Insight
* Onboard
* OnGuard
* Policy Manager

CLI

Table 1: CLI Known Issues in 6.8.0

Bug ID

Description

CP‑33482

Symptom: On a ClearPass hardware appliance, when the user tries logging in to initiate the bootstrapping process for a new partition, the default password is not accepted after the system install-image command is executed.

Scenario: This issue is seen after the user installs the new 6.8.0 image on a ClearPass hardware appliance, logs in to the appadmin CLI and executes the install-image command. When the system reboots after the install-image command and the user tries to log in to initiate the bootstrapping process, the default password is not accepted.

Workaround: Use the password from the previous partition when logging in to bootstrap the second partition.

Cluster Upgrade and Update

Table 2: Cluster Upgrade and Update Known Issues in 6.8.0

Bug ID

Description

CP‑42106

Symptom: On the Cluster Update page, the notification sometimes stays at the reboot and migration stage even after the publisher upgrade is successfully completed.

Scenario: This issue occurs if subscribers are selected for upgrade at the same time as the publisher upgrade.

Workaround: To avoid this issue, only the publisher should be selected for the first stage of the cluster upgrade process. After the publisher upgrade is complete, verify that it was successful (all services are up and running, all nodes are in sync, no database certificate errors, etc.). After the publisher upgrade is verified, the subscribers can be upgraded in batches.

Endpoint Context Servers

Table 3: Endpoint Context Server Known Issues in 6.8.0

Bug ID

Description

CP‑23093

Symptom: The Palo Alto Networks (PANW) firewall fails to register role information for admin users associated with more than 32 IP-Role-Mapping tags that are being sent from ClearPass. The PANW firewall allows up to 32 IP-Role-Mapping tags. If ClearPass is configured to send the Register Role action as part of Palo Alto Networks integration, you must be sure to stay within the 32‑tag limit.

Scenario: This occurs if an admin user who is a member of more than 32 admin groups is authenticated against ClearPass. If you configure a Session notification profile in ClearPass to send a Register Role action, ClearPass sends all of that user's groups as roles to the PANW firewall. The firewall might then fail to register the IP-Role mapping because the number of tags exceeds the allowable size configured in the PANW firewall.

Workaround: There is no workaround at this time.

CP‑31417

CP‑31594

Symptom: ClearPass leaves stale entries when a client roams from one ClearPass server to another.

Scenario: In a cluster environment where the user first authenticated on one ClearPass server and later authenticated on a different ClearPass server, ClearPass might leave a stale entry in a Palo Alto Networks (PANW) server.

Workaround: If you use a load balancer to load-balance ClearPass RADIUS traffic, configure a load balancing algorithm that maintains connection persistence based on a RADIUS username.

CP‑32440

Symptom/Scenario: ClearPass fails to send login updates to a Palo Alto Networks server when an IP address is changed in Acct:Interim.

Workaround: To track IP address changes with Interim Update and to send updates to the endpoint context server, enable the Log Accounting Interim-Update Packets option in the RADIUS service parameters on the Administration > Server Manager > Server Configuration > Service Parameters tab.

Guest

Table 4: Guest Known Issues in 6.8.0

Bug ID

Description

CP‑33553

Symptom: When sending a guest account receipt for a non-English language, a different receipt is sent than the one selected.

Scenario: A data migration problem might exist when sending receipts from non-English devices, resulting in a completely different receipt being sent.

Workaround: If you experience this issue with a receipt, go to Guest > Configuration > Receipts > Templates, select the receipt you want to send, and then select Edit. At the bottom of the Edit Print Template form, in the Translations field enable the Skip automatic translation handling option, and then click Save Changes. The English version of the receipt will now be sent at all times. Do this for each default receipt.

Insight

Table 5: Insight Known Issues in 6.8.0

Bug ID

Description

CP‑33079

Symptom: Some Insight servers might experience a large backlog of NetEvents files and slow performance.

Scenario: Users should be aware that the Insight Endpoint table is updated for tags, events, updates, and other events every five minutes for a MAC address that already exists in the database. This means a delay lasting a maximum of five minutes can be expected whenever the latest column value is read from the Insight Endpoint Database.

CP‑33350

Symptom: Netevents insertions to the database fail, causing a loss of Insight data, and the error message “Integrity Error: acct_id,calling_station_id violates check constraint” is displayed.

Scenario: The accounting ID and calling station ID are the primary key for a partitioned radius_acct table. This issue occurs if a calling station ID accessing from multiple network devices somehow reuses the same accounting ID that was used earlier but associated with a different session ID.

Users should be aware that, in order for the Insight database to correctly accept a Netevents insertion, the combination of the RADIUS Accounting ID and the calling_station_id must be unique.
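The uniqueness rule above can be checked before records reach Insight. The following is an added example, not ClearPass code: it walks a set of constructed accounting records and reports any record whose (acct_id, calling_station_id) key already belongs to a different session ID, which is the combination that triggers the check-constraint error. The field names on the record class are assumptions.

```python
"""Pre-check RADIUS accounting records for the Insight (acct_id, calling_station_id)
key conflict described under CP-33350. Added example, not ClearPass code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AcctRecord:
    acct_id: str             # accounting ID as ClearPass records it (assumed field name)
    calling_station_id: str  # client MAC address
    session_id: str          # session identifier (assumed field name)
    nas_ip: str              # network device the record came from


# Constructed sample records, not real ClearPass data.
SAMPLE_RECORDS: List[AcctRecord] = [
    AcctRecord("A1B2", "00-11-22-33-44-55", "sess-001", "10.0.0.1"),
    # Interim update for the same session: same key, same session, accepted as an update.
    AcctRecord("A1B2", "00-11-22-33-44-55", "sess-001", "10.0.0.1"),
    # Same client reuses the same accounting ID from a second NAD under a new session:
    # this is the combination that fails the check constraint.
    AcctRecord("A1B2", "00-11-22-33-44-55", "sess-002", "10.0.0.2"),
    # Same accounting ID but a different client: the composite key differs, so it is fine.
    AcctRecord("A1B2", "66-77-88-99-AA-BB", "sess-003", "10.0.0.2"),
]


def find_key_conflicts(records: List[AcctRecord]) -> List[Tuple[AcctRecord, str]]:
    """Return (record, first_session_id) for every record whose
    (acct_id, calling_station_id) key is already bound to a different session."""
    seen: Dict[Tuple[str, str], str] = {}
    conflicts: List[Tuple[AcctRecord, str]] = []
    for rec in records:
        key = (rec.acct_id, rec.calling_station_id)
        first = seen.get(key)
        if first is None:
            seen[key] = rec.session_id          # first time this key is seen
        elif first != rec.session_id:
            conflicts.append((rec, first))      # same key, different session: would fail insert
        # same key, same session: a benign update, nothing to report
    return conflicts


def main() -> None:
    for rec, first in find_key_conflicts(SAMPLE_RECORDS):
        print(f"conflict: acct_id={rec.acct_id} calling_station_id={rec.calling_station_id} "
              f"session {rec.session_id} from {rec.nas_ip} collides with session {first}")


if __name__ == "__main__":
    main()
```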

CP‑33487

Symptom: An error message “Proxy Error: The proxy server received an invalid response from an upstream server” is displayed when trying to access the Insight user interface.

Scenario: This is sometimes seen in a cluster setup if the wrong login credentials are entered.

Workaround: Launch the Insight application again and enter the correct credentials.

Onboard

Table 6: Onboard Known Issues in 6.8.0

Bug ID

Description

CP‑33418

Symptom: Onboarding an iOS device fails on the Firefox browser, and no error message is displayed.

Scenario: Users should be aware that only the Safari browser should be used to onboard Apple iOS devices. The Firefox browser and the Chrome browser cannot be used. An error message is displayed if the Chrome browser is used, advising the user that the browser is not supported and asking them to use Safari, but the error message is not currently displayed for Firefox.

OnGuard

Table 7: OnGuard Known Issues in 6.8.0

Bug ID

Description

CP‑32633

Symptom: OnGuard installation fails on some Linux operating systems.

Scenario: This issue occurs on the Ubuntu, CentOS, RHEL, Fedora, and OpenSUSE Linux-based operating systems.

Workaround: First install the Qt 5 library on the client, and then install the OnGuard Persistent Agent or Native Dissolvable Agent.

Users should be aware that in ClearPass 6.8, the OnGuard Agent for Linux uses the Qt 5 library instead of the Qt 4 library. Although Qt 5 is installed by default on some Linux systems, other Linux systems still have Qt 4. The Qt 5 library must be installed on the Linux client before installing OnGuard.

CP‑32813

Symptom/Scenario: Antivirus products, such as Symantec, block the winexesvc.exe process, causing Agentless OnGuard to fail.

Workaround: Whitelist the C:\Windows\winexesvc.exe executable file in the antivirus product to allow Agentless OnGuard to run.

CP‑33431

Symptom/Scenario: The Native Dissolvable Agent does not detect the correct status of the service for the Service Health Class on the Fedora or SUSE operating systems. Even if the service is running, the Native Dissolvable Agent detects the status of the service as stopped.

Workaround: There is no workaround at this time.

CP‑33442

Symptom: Agentless OnGuard does not launch on clients if the working directory name has a trailing backslash character ( \ ) — for example, C:\OnGuard\.

Workaround: Remove any trailing backslash character from the working directory name.

CP‑33450

Symptom/Scenario: Agentless OnGuard does not launch on the client if the checksum field is empty.

Workaround: Go to Configuration > Posture > Agentless OnGuard > Agentless OnGuard Settings. Edit the Agentless OnGuard settings and enter the checksum to use in the Agentless OnGuard Checksum fields for 64 bit and for 32 bit.

CP‑40437

CP‑40456

Agentless OnGuard is not supported in FIPS mode.

Policy Manager

Table 8: Policy Manager Known Issues in 6.8.0

Bug ID

Description

CP‑22337

Symptom: In a cluster where an IPsec tunnel configuration is enabled between the publisher and the subscribers, the tunnel cannot be established, the subscribers cannot connect to the publisher, and the error message “No proposal chosen” is displayed.

Scenario: If you upgrade to 6.8.0 while an IPsec connection is enabled, the subscribers can never connect back to the publisher. This is only an issue if you upgrade a cluster to 6.8.0 while an IPsec connection configuration is still enabled for the cluster. It is not an issue when updating from 6.8.0 to 6.8.x. Customers using IPsec VPNs are generally unaffected by upgrades and updates. The use of IPsec VPNs on ClearPass is supported for connectivity between cluster members and remote systems that might not otherwise support encrypted communication options (for example, LDAP over SSL or with TLS encoding). However, users should be aware that because communications are already encrypted between members of a ClearPass cluster, the use of IPsec VPNs is not a recommended deployment.

Workaround: Before you upgrade a cluster to 6.8.0, you must first disable any IPsec tunnel configurations between the publisher and subscribers. IPsec configurations should be deleted from the subscribers first, and then from the publisher. After all the appliances in the cluster are upgraded to 6.8.0, the IPsec tunnel settings can be reconfigured.

CP‑23011

Symptom: If RadSec was enabled and is later disabled, the configured RADIUS server stops working.

Scenario: This issue is observed with some older versions of Aruba controllers (for example, 6.4.x). The issue is not seen with newer 8.x controller versions.

Workaround: To successfully disable RadSec and make the RADIUS server active again, reboot the controller.

CP‑31281

Users should be aware that ClearPass Policy Manager no longer supports attached USB mass storage devices. When ClearPass boots, the ability to attach a USB mass storage device is disabled when the ClearPass appliance loads after the BIOS power-on self-test (POST). This applies to all appliance formats, both physical and virtual. Normal USB input devices such as keyboard or mouse will continue to work, but mass storage devices (CD/DVD drive, HDD, etc.) cannot be mounted or used.

CP‑32450

Symptom: After upgrading to ClearPass 6.8, all existing RadSec tunnels are torn down and attempts to establish a new tunnel connection fail.

Scenario: As part of the new Individual Certificate Trust List feature introduced in ClearPass 6.8, users will need to update the usage settings for the RadSec trusted certificate authority (CA). The default usage settings now specify only RADIUS (EAP) and Others.

Workaround: After upgrading to ClearPass 6.8, to enable a CA certificate for RadSec, go to Administration > Certificates > Trust List. In the View Certificate Details form for the CA that should be trusted by RadSec, select the RadSec option.

CP‑32454

Symptom/Scenario: The default admin password that was set during the system boot at the Network Management wizard level does not work when enabling Common Criteria (CC) mode.

Workaround: Use the admin-passwd-reset command from the appadmin CLI to reset the admin UI password to eTIPS123. Users can also enable the Policy Manager Admin Network Login Service before changing to CC mode to ensure that the ClearPass configuration password is also applicable to CC mode.

CP‑32632

Symptom: When joining a ClearPass server to a cluster using the make-subscriber operation, it sometimes takes several minutes (> 30) for the initial synchronization of data from the publisher to the subscriber to finish, and the error message “Node with <IP address> out of sync by <##> minutes” is displayed.

Scenario: This is mostly observed with new installations of ClearPass.

Workaround: ClearPass detects and fixes the problem automatically, so the error message can be ignored.

CP‑32828

Symptom: The RadSec service reloads with no warning if any of the following occurs:

* A RadSec-enabled authentication source, proxy target, or NAD is added or modified.
* The RadSec server certificate, client certificate, or trust certificate is changed.

Scenario: Users should be aware that any of the above changes will reload the RadSec service, causing all existing RadSec sessions to be re-established.

CP‑32857

CP‑33740

CP‑37178

Support for the ClearPass C2010 appliance has been added. This appliance is supported at version 6.8.0 and later. However, although the system is actually a C2010, it is incorrectly displayed as a C3010 in ClearPass 6.8.x and 6.9.x. This issue is seen in both the user interface and the CLI.

CP‑32959

Symptom/Scenario: Upgrading to ClearPass 6.8.0 from 6.7.x using the 6.8.0 upgrade patch fails in an Amazon Web Services (AWS) instance. ClearPass does not support the direct upgrade of ClearPass to a major version in AWS instances.

Workaround: To upgrade ClearPass from 6.7.x to 6.8.0 on an AWS instance, first take a complete backup of the 6.7.x version from the existing AWS instance, and then deploy a new 6.8.0 AWS instance. You can then restore the configuration backup from the existing instance to the new instance, which will restore the full configuration and data.

CP‑33015

Symptom: When the management IP address is changed, the cluster goes out of sync indefinitely.

Scenario: When the management IP address is changed on the publisher of a cluster where the management IP and data IP interfaces are both configured, it causes a replication lag that keeps increasing.

Workaround: If the management IP for the publisher is changed and the hostname is not resolvable by DNS, perform the following steps to get the cluster back into sync:

1. In the cluster, add an external certificate authority (CA) to the trust list with HTTPS and database certificates enabled.
2. Create a certificate signing request (CSR) for an HTTPS certificate by changing the Common Name to the IP address of the new IP to be added into the management port (as the hostname is not resolvable).
3. After all the services come up, create a CSR for an HTTPS certificate by changing the Common Name to the IP address for the subscriber (as the hostname is not resolvable).
4. Change the database certificate on the publisher to the new IP address.
5. Restart the system.
6. After all the services come up, you should see that both the nodes are in sync and no replication lag is seen.

Note: There is no need to change the database certificate on the subscriber.

CP‑33054

Symptom: A user role for an Aruba Downloadable Role Enforcement profile cannot be downloaded by ArubaOS-Switch 16.08.

Scenario: This occurs if the user role includes the vlan-name-tagged attribute in the command. It occurs in both the standard and advanced modes for an enforcement profile.

Workaround: Users should be aware that the ArubaOS-Switch 16.08 does not accept the vlan-name-tagged attribute, but it does accept the vlan-id-tagged attribute.

To have tagged VLAN work correctly on ArubaOS-Switch 16.08, go to the Configuration > Enforcement > Profiles > Add > Profile tab, select Aruba Downloadable Role Enforcement as the template and ArubaOS-Switch as the product, and then do one of the following:

* Select Standard as the Role Configuration Mode. On the Role Configuration tab, select VLAN ID Tagged.
* Select Advanced as the Role Configuration Mode. On the Attributes tab, choose either Aruba or Hewlett-Packard-Enterprise as the type and Aruba-CPPM-Role or HPE-CPPM-Role as the name. Use the vlan-id-tagged attribute in the command, and copy and paste the entire command in the Value field.
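For the Advanced mode, the command pasted into the Value field can be checked and converted before it is pushed. The following is an added example, not ClearPass or ArubaOS-Switch code: it takes a constructed role command block, rewrites each vlan-name-tagged line to the equivalent vlan-id-tagged line using a VLAN name to ID mapping supplied by the caller (the mapping and the surrounding role lines are assumptions), and refuses to convert a VLAN name it cannot resolve.

```python
"""Rewrite vlan-name-tagged lines in an Aruba downloadable role command to
vlan-id-tagged, as required by ArubaOS-Switch 16.08 (CP-33054).
Added example, not ClearPass or ArubaOS-Switch code."""
import re
from typing import Dict, List

# Assumed VLAN name -> VLAN ID mapping; take the real values from the switch's VLAN table.
VLAN_IDS: Dict[str, int] = {"Guest": 20, "Staff": 30}

# Constructed role command block using the attribute that 16.08 rejects.
ROLE_COMMAND = (
    "user-role guest-role\n"
    "   vlan-name-tagged Guest\n"
    "   vlan-name-tagged Staff\n"
    "   captive-portal-profile guest-cp\n"
)

_VLAN_NAME_TAGGED = re.compile(r"^(\s*)vlan-name-tagged\s+(\S+)\s*$")


def vlan_names_tagged(command: str) -> List[str]:
    """List the VLAN names referenced by vlan-name-tagged lines, in order."""
    return [m.group(2) for line in command.splitlines()
            if (m := _VLAN_NAME_TAGGED.match(line))]


def rewrite_for_16_08(command: str, vlan_ids: Dict[str, int]) -> str:
    """Return the command with every vlan-name-tagged line replaced by
    vlan-id-tagged <id>. Other lines and indentation are preserved.
    Raises ValueError if a VLAN name has no known ID, so nothing half-converted is pushed."""
    out: List[str] = []
    for line in command.splitlines():
        m = _VLAN_NAME_TAGGED.match(line)
        if not m:
            out.append(line)
            continue
        indent, name = m.groups()
        if name not in vlan_ids:
            raise ValueError(f"no VLAN ID known for VLAN name {name!r}")
        out.append(f"{indent}vlan-id-tagged {vlan_ids[name]}")
    result = "\n".join(out)
    return result + "\n" if command.endswith("\n") else result


if __name__ == "__main__":
    print("names to convert:", vlan_names_tagged(ROLE_COMMAND))
    print(rewrite_for_16_08(ROLE_COMMAND, VLAN_IDS), end="")
```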

CP‑33114

Symptom/Scenario: Before upgrading to 6.8, the ClearPass 6.8.0 Upgrade Preparation Patch for Software Updates Portal Downloads must be applied. This patch is currently required for ClearPass appliances to successfully download the ClearPass 6.8.0 upgrade image from the Software Updates portal. This patch will also clean up any failed downloads of the ClearPass 6.8.0 upgrade image. This patch is not required when performing a manual upgrade. For customers using the Cluster Upgrade page, this patch is only required to be installed on the publisher. After you install the Upgrade Preparation Patch, click Check Status Now. This patch does not require a reboot after installation.

CP‑33229

Symptom/Scenario: In Eduroam networks using RadSec proxies, RadSec tunnels may be torn down and clients connected for a long period of time are disconnected.

Workaround: Enable the Status-Server Messages option on both the proxy target (using the Configuration > Network > Proxy Targets dialog) and the authentication server (using the Configuration > Authentication > Sources dialog).

CP‑33238

Symptom/Scenario: The Auth Type field at Monitoring > Live Monitoring > Access Tracker is not populated with values for any type of record.

Workaround: Use the Source field and/or the new Auth Method field to retrieve the information instead. The Auth Type field is deprecated and will be removed in a future release.

CP‑33324

Symptom/Scenario: After upgrading to 6.8.0, the Platform Activation Key (PAK) is sometimes lost and the user is prompted to add a Platform Activation Key.

Workaround: If this occurs, please contact Aruba Support, who can resolve the issue for you.

CP‑33332

Symptom/Scenario: When an SNMP scan is done through Agentless OnGuard, if a MAC address is not available then a hyphen character ( - ) is shown for entries at Monitoring > Live Monitoring > OnGuard Activity.

CP‑33342

Symptom/Scenario: SSH lockout fails for public-key-based authentications.

CP‑33368

Symptom: After adding an Entry license and an Access Upgrade license, multiple license overrun notifications are displayed.

Scenario: If your ClearPass server has Entry licenses and you add an equal number of Access Upgrade licenses, these license pairs are each managed by ClearPass as a single Access License. However, in the event of a licensing overrun, the Monitoring > Event Viewer page may incorrectly display licensing overrun values for both individual Entry licenses and the combined Access licenses.

Workaround: If this occurs, additional licenses must be added as Access licenses directly, rather than as Entry and Access Upgrade licenses.

CP‑33458

Symptom/Scenario: Devices do not connect to the network when Multi‑Pre-Shared Key (MPSK) and Radius Security (RadSec) are enabled between ClearPass and the controller.

Workaround: There is no workaround at this time.

CP‑33479

Symptom/Scenario: The model number of some C2000 hardware appliances is displayed as C3000 in the CLI and in the ClearPass user interface.

CP‑33503

Symptom: During a cluster upgrade, the Event Viewer displays “Database Server Certificate” errors for each subscriber in a cluster.

Scenario: These error messages can be ignored, and are no longer displayed after the upgrade is completed on all appliances in the cluster.

CP‑33514

Symptom: The error message “undefined” is shown in the Activate License form when trying to activate a Platform license for a subscriber from the publisher on the Administration > Server Manager > Licensing > Servers > Activate License form.

Scenario: This is seen in a cluster setup and is not seen in a standalone setup.

Workaround: If this occurs, do not activate the subscriber from the publisher. Instead, log in to the subscriber. On the Administration > Server Manager > Licensing > Servers tab, click the Click to Activate link in the subscriber’s row, and then click the Activate Now button in the Activate License form to activate the Platform license for the subscriber.

CP‑33590

Symptom: When trying to install ClearPass on a KVM hypervisor with SCSI/VirtIO as the bus type, the system does not boot up after the installation steps.

Scenario: This is only an issue with the KVM hypervisor; it does not affect VMware or Hyper-V hypervisors. This issue affects ClearPass 6.7 and 6.8.

Workaround: The Disk bus type must be set to IDE for new ClearPass installations and upgrades on KVM hypervisors.

CP‑33609

Symptom/Scenario: After upgrading through the Cluster Upgrade page, the value of the Enable Publisher Failover parameter changes from FALSE to TRUE on the Cluster Wide Parameters > Standby Publisher tab.

Workaround: After upgrading through the Cluster Upgrade page, change the value for the Enable Publisher Failover parameter:

* If the standby publisher feature is not used, set the value for the parameter to FALSE.
* If the standby publisher feature is used, toggle the value of the parameter by first setting it to FALSE and then setting it back to TRUE. Select the Designated Standby Publisher from the drop-down list, and then click Save.

CP‑33645

Symptom: A patch rollback operation fails after the ClearPass 6.8.0 Upgrade Preparation Patch is installed.

Scenario: Patch rollback is not supported with the Upgrade Preparation Patch. Users should be aware that rollbacks would never be needed after the Upgrade Preparation Patch is applied, as there are no RPMs installed and the patch already cleans up any unnecessary files.

CP‑33653

Symptom/Scenario: If the ClearPass 6.8.0 Upgrade Preparation Patch for Software Updates Portal Downloads is installed but, before the upgrade is performed, a different patch or hotfix is applied on version 6.6.10 or on 6.7.0 through 6.7.9, the 6.8.0 upgrade image is not displayed in the Administration > Agents and Software Updates > Software Updates portal.

Workaround: If this occurs, download the ClearPass 6.8.0 upgrade image from the Aruba Support site and manually install the upgrade image.

CP‑33651

Symptom/Scenario: In a cluster, when a self-signed certificate in .p12 format is imported from another ClearPass instance and added to the certificate trust list, the error "Content-type 'application/x-pks12' is not supported" is displayed.

Workaround: To import a self-signed certificate from one ClearPass instance to another in a cluster, do the following:

1. Go to Administration > External Servers > Endpoint Context Servers, and then click Add.
2. In the Select Server Type drop-down list, select Generic HTTP.
3. Add the IP address and base URL of the ClearPass server you're adding, and in the Validate Server field mark the check box to enable the server certificate. The Certificates tab is added to the form.
4. Click Save.
5. Go to Administration > Certificates > Trust List and verify that the certificate is now included in the trust list.
6. You may now go back to Administration > External Servers > Endpoint Context Servers and delete the server configuration that was added to import the certificate.

CP‑33776

Symptom: When a ClearPass appliance is upgraded to 6.8.0 with an upgrade path of 6.5.3 > 6.7.x > 6.8.0, the upgrade fails with the error messages “Current running version is not marked as the Active boot image.... Fix this by rebooting to the Active version, or mark current version Active.... Exception performing upgrade: Pre-install task=20-remove-second-boot-entry failed.”

Scenario: This is not a valid upgrade path. Users should always review the “Upgrade Paths and Version Considerations” section of the Release Notes and verify the valid path to follow before upgrading.

Workaround: If you receive this error, please contact Aruba Customer Support for assistance.

CP‑34406

CP‑34776

Do not update to 6.7.10 or upgrade to 6.8.0 if you think the following scenario includes your hardware appliance:

Scenario: In the rare case where a CP-HW-5K or CP-HW-25K hardware appliance had originally been loaded with ClearPass Policy Manager version 5.0, 5.1, or 5.2, Policy Manager will fail to boot up after it is updated to cumulative patch 6.7.10 or upgraded to ClearPass 6.8.

There is no workaround after the update or upgrade is initiated.

NOTE: For instructions for determining whether your hardware appliance is affected, and for the appropriate actions to take if it is, please refer to the Aruba Support Advisory ARUBA‑SA‑20190802_PLL302, “Failure to Boot after Upgrade/Update to 6.7.10 or 6.8.0.”

CP‑34622

Symptom/Scenario: Publisher failover does not work for ClearPass deployed in an Amazon Web Services (AWS) environment.

CP‑37403

The Event Viewer and SNMP events do not correctly indicate the status of C2010 hard drives. When a hard drive is removed from the C2010, the associated SNMP event is not generated and the Event Viewer does not indicate this has occurred.

CP‑39375

Starting with Policy Manager 6.7.13, when trying to add a subscriber to a cluster where the publisher has application access control restrictions defined for ClearPass API access, if the subscriber's management subnet is defined as not allowed then the Make Subscriber operation fails and the error message "Connection to publisher failed" is shown.

This issue occurs on 6.7.13 and later versions. It is not an issue on earlier Policy Manager versions.

Workaround: Add the subscriber's subnet to the publisher's allowed application access control list for the ClearPass API. On the publisher, go to Administration > Server Manager > Server Configuration and click the publisher's row. In the Network tab's Application Access Control row, click Restrict Access. Select ClearPass API, set Access to Allow, and add the subscriber's subnet in the Network field.

CP‑40117

If the system install-image command is used to do a fresh installation of 6.8.0 on a 6.8.x or 6.9.x system, the user interface does not open after the installation and a 404 error is displayed.

This issue is caused by a mismatch in hardware model names.

Workaround: After the 6.8.0 image is installed, the appadmin user can use the system update command to upgrade to any version greater than 6.8.0. After that version upgrade, the user interface will open automatically.

Alternatively, you may contact Aruba Support to correct the mismatch in the hardware model names.

CP‑43728

CP‑44639

During an upgrade to ClearPass 6.8.0, any attributes in a custom change of authorization (CoA) dictionary will be removed, which can result in failure to export RADIUS services or Access Tracker events if they reference the custom dictionary.

Workaround: To retain attributes in custom CoA dictionaries after the 6.8.0 upgrade, first export the custom CoA dictionary before the upgrade and then re-import it after the upgrade.