New Known Issues in the 6.9.0 Release

The following known issues were identified in the ClearPass Policy Manager 6.9.0 release. For a list of known issues identified in previous releases, see Known Issues Identified in Previous Releases.

This section includes:

* AirGroup
* APIs
* CLI
* Cluster Upgrade and Update
* Device Insight
* Endpoint Context Servers
* Insight
* Onboard
* OnGuard
* Policy Manager
* Profiler and Network Discovery

AirGroup

Table 1: AirGroup Known Issues in 6.9.0

Bug ID

Description

CP‑28810, CP‑37128

While trying to create an AirGroup profile in the AOS Mobility Controller, an IPv6 address cannot be entered in the Controller ip field at Mobility Controller > Configuration > System > Add Profile > AirGroup Profile. Users should be aware that the AirGroup communication protocol only works on IPv4 at this time, and only IPv4 addresses are accepted by the Controller ip field. This issue occurs on AOS 8.5.0.0 and 8.7.0.0. For more information on the AOS issue, refer to AOS-198886 in the AOS Release Notes.

APIs

Table 2: API Known Issues in 6.9.0

Bug ID

Description

CP‑35907

No content is displayed on the API Explorer page when it is accessed using an IPv6 address.

Workaround: Access the API Explorer through IPv4 addresses or through IPv6 DNS names rather than literal IP addresses.

CLI

Table 3: CLI Known Issues in 6.9.0

Bug ID

Description

CP‑36833

The error message “Invalid syntax: Configure NTP server(s) or Date-Time” is displayed when executing configure date CLI commands with both the -s and -A options. The two options are not supported in the same command. Execute separate commands using the -p and -s options or the -p and -A options.

CP‑36895

In an Azure instance, the output of the CLI show ip command shows the error message “argument ‘data’ is wrong: table id value is invalid.”

This issue only occurs in Azure instances. It does not occur in other environments.

This is a cosmetic issue and can be ignored.

CP‑41482

HTTPS connection checks fail in cluster diagnostics with a custom port. The cluster diagnostics command does not currently support custom ports.

Workaround: Only the standard port 7432 should be used. To verify for HTTPS connection between cluster nodes, be sure to use the following commands:

cluster diagnostics -s <with/without port 7432>

cluster diagnostics -c <IP> <cluster password>

Cluster Upgrade and Update

Table 4: Cluster Upgrade and Update Known Issues in 6.9.0

Bug ID

Description

CP‑37399

After a cluster is upgraded to 6.9.0 through the Cluster Upgrade page from a 6.7.x version below 6.7.13 or from a 6.8.x version through 6.8.4, the value of the Enable Publisher Failover parameter changes from FALSE to TRUE on the Cluster-Wide Parameters > Standby Publisher tab.

This issue only occurs when upgrading to 6.9.0 from a version in the 6.7.0 through 6.7.12 range or from a version in the 6.8.0 through 6.8.4 range.

Workaround: After upgrading through the Cluster Upgrade page, change the value for the Enable Publisher Failover parameter:

* If the standby publisher feature is not used, set the value for the parameter to FALSE .
* If the standby publisher feature is used, toggle the value of parameter by first setting it to FALSE and then setting it back to TRUE. Select the Designated Standby Publisher from the drop-down list, and then click Save.

Device Insight

Table 5: Device Insight Known Issues in 6.9.0

Bug ID

Description

CP‑37019

Users should be aware that ClearPass Policy Manager integration with ClearPass Device Insight is currently not supported when Policy Manager is in IPv6-only mode.

CP‑42029

Enabling Device Insight integration sometimes fails and the error message "Failed to verify server certificate(s)" is displayed.

This issue occurs if the Starfield Services Root Certificate Authority is not present in the trust list. This issue is seen in ClearPass 6.8.x and 6.9.x.

Workaround: Users on ClearPass 6.8.x or 6.9.x must manually import the Starfield Services Root Certificate Authority to the trust list at Administration > Certificates > Trust List. The certificate is available at https://www.amazontrust.com/repository/SFC2CA-SFSRootCAG2.pem.

Endpoint Context Servers

Table 6: Endpoint Context Server Known Issues in 6.9.0

Bug ID

Description

CP‑37598

Setting Policy Manager to FIPS mode or Common Criteria (CC) mode causes a timeout error during SNMP polling, and a failure to send SNMP traps. This is only an issue in FIPS or CC mode. It is not an issue in standard mode.

Insight

Table 7: Insight Known Issues in 6.9.0

Bug ID

Description

CP‑36905

When reports reach the configured report retention limit, they are no longer displayed in Insight's Reports list; however, non-scheduled reports are not deleted from the database and are still reflected in the Insight > Dashboard > System Monitor > Insight Disk Usage count.

This is only an issue for non-scheduled reports. It is not an issue for scheduled reports (daily, weekly, monthly).

CP‑37940

When a system backup image is restored, the enabled or disabled status of the Insight configuration is not updated correctly. Instead of taking the value specified in the backup file, the enabled/disabled status in the Insight configuration is still as it was before the backup was applied.

Workaround: To restore the backup Insight configuration on the server, go to Administration > Server Manager > Server Configuration and select the server. On the System tab, set the value of the Insight Setting field to match what was in the backup file by either marking or unmarking the Enable Insight check box, as appropriate.

Onboard

Table 8: Onboard Known Issues in 6.9.0

Bug ID

Description

CP‑36243

Authentication fails with the error “The Security Code is incorrect ” in Onboard provisioning and Web Login pages.

This issue occurs if CAPTCHA and Multi-Factor Authentication (MFA) are both enabled. Onboard and Web Logins currently allow this configuration to be entered; however, it is not supported and will not work.

Workaround: If this occurs, correct the configuration to use only CAPTCHA or only MFA. If both CAPTCHA and MFA are desired, CAPTCHA activity should only be performed on the MFA service.

OnGuard

Table 9: OnGuard Known Issues in 6.9.0

Bug ID

Description

CP‑35241

The ClearPass OnGuard Agent does not work when ClearPass is on an Azure instance that is configured with an Azure public IP address.

Workaround: Configure the ClearPass server's public IP address instead of its private IP address in the Administration > Agents and Software Updates > OnGuard Settings > Policy Manager Zones > Override Server IPs field.

CP‑36950

The ClearPass OnGuard Agent does not work when ClearPass is in AWS Azure.

Workaround: Configure the ClearPass server's public IP address in the Override Server IPs field at Administration > Agents and Software Updates > OnGuard Settings > Policy Manager Zones.

CP‑37443

Due to changes in Apple notarization policies, users should be aware of the following:

* Upgrading macOS OnGuard Agents to 6.9.0 from a version equal to or earlier than 6.7.13 or 6.8.4 is not supported.
* Installing the OnGuard Agent Library update version 10.0.21.x on macOS clients having an OnGuard Agent Library Update version equal to or earlier than 6.7.13 or 6.8.4 is not supported.

Workaround: Customers using macOS with one of these older OnGuard versions should uninstall the older client and then do a fresh installation of the 6.9.0 client.

CP‑40437, CP‑40456

Agentless OnGuard is not supported in FIPS mode.

Policy Manager

Table 10: Policy Manager Known Issues in 6.9.0

Bug ID

Description

CP‑18876, CP‑22331, CP‑22337

In a cluster where an IPsec tunnel configuration is enabled between the publisher and the subscribers, the tunnel cannot be established, the subscribers cannot connect to the publisher, and the error message “No proposal chosen” is displayed.

If you upgrade to 6.9.0 while an IPsec connection is enabled, the subscribers can never connect back to the publisher. This is only an issue if you upgrade a cluster to 6.9.0 while an IPsec connection configuration is still enabled for the cluster. It is not an issue when updating from 6.9.0 to 6.9.x. Customers using IPsec VPNs are generally unaffected by upgrades and updates. The use of IPsec VPNs on ClearPass Policy Manager is supported for connectivity between cluster members and remote systems that might not otherwise support encrypted communication options (for example, LDAP over SSL or with TLS encoding). However, users should be aware that because communications are already encrypted between members of a Policy Manager cluster, the use of IPsec VPNs is not a recommended deployment.

Workaround: Before you upgrade a cluster to 6.9.0, you must first disable any IPsec tunnel configurations between the publisher and subscribers. IPsec configurations should be deleted from the subscribers first, and then from the publisher. After all the appliances in the cluster are upgraded to 6.9.0, the IPsec tunnel settings can be reconfigured.

CP‑22879

IPsec tunnel creation fails between ClearPass Policy Manager and an Aruba controller using the MD5 method.

Users should be aware that the HMAC MD5 hash algorithm is not supported for IPsec connections between Aruba Controllers and ClearPass Policy Manager.

CP‑32857, CP‑37178

Support for the ClearPass C2010 appliance has been added. This appliance is supported at version 6.8.0 and later. However, although the system is actually a C2010, it is incorrectly displayed as a C3010 in ClearPass 6.8.x and 6.9.x. This issue is seen in both the user interface and the CLI.

CP‑32956

Users should be aware that ClearPass Policy Manager only supports Nessus versions 6.x and earlier in the Audit Servers page. Later versions require the use of the Extension capabilities.

CP‑33563

At Configuration > Authentication > Sources > Add, if an AD or LDAP server signs the certificate with RSASSA-PSS, the error message "Failed to connect to the server. Error: simple bind failed" is displayed.

This message does not affect authentications and can be ignored.

CP‑34592

While installing ClearPass Policy Manager 6.9.0 and configuring IPv4 and IPv6 addresses on the management and data interfaces, pinging the IPv4 address through the CLI is successful but pinging the IPv6 address fails with a "command not supported" error.

Workaround: When you use the network ping6 command to ping the IPv6 loopback address ::1, be sure to enclose it within quotes — for example:

network ping6 "::1"

CP‑34897

In dual-stack configurations, RADIUS and TACACS+ requests received over IPv6 interfaces always display the IPv4 address in the Access Tracker’s Server column. The session details show the IPv6 information as well as the IPv4.

CP‑35002

Users should be aware that Aruba 7210 controllers running versions 6.5.4.6 and 8.4.0.0 do not support the TACACS+ password reset feature. When you try to change the password, the controllers close the connection instead of processing and responding to the TACACS+ response from Policy Manager.

Workaround: We recommend that users upgrade to a later AOS version.

CP‑35282

When deploying ClearPass Policy Manager in a virtualized environment running ESXi 5.5 or earlier, the installer displays the error message "This OVF package uses features that are not supported when deploying directly to an ESX host." This issue occurs because VMware has ended general support for ESXi 5.5.

Workaround: Upgrade the hypervisor to a supported version (ESXi 6.0 or later).

CP‑35484

The Insight System Monitor Dashboard might not correctly display the data for all nodes when hostnames have a dot ( . ) character in the hostname portion of their fully qualified domain name. The Graphite application will limit itself to the portion of the hostname prior to the first dot when storing and displaying data.

Examples of conditions where this will occur are:

* cppm.location1.example.com
* cppm.location2.example.com

Examples of conditions where this is not a problem are:

* cppm1.location1.example.com
* cppm2.location2.example.com

CP‑35836

In IPv6-only mode, the policy server does not recognize the RADIUS service if it includes a Connection type rule that says the NAD‑IP‑Address equals the IPv6 address.

This issue occurs in IPv6-only mode if a dual stack NAD sends an IPv4 address along with the IPv6 address.

Workaround: In this scenario, use Radius:IETF:NAS-IPv6-Address to select the service instead.

CP‑35878

The RadSec service does not run when ClearPass Policy Manager is in IPv6-only mode.

Users should be aware that RadSec is not currently supported in ClearPass Policy Manager 6.9.0.

CP‑35983

Before upgrading to 6.9 from 6.8.1, 6.8.2, 6.8.3, or 6.8.4, the ClearPass Policy Manager 6.9.0 Upgrade Preparation Patch from 6.8.1 - 6.8.4 for Software Updates Portal Downloads must be applied. This patch is currently required for ClearPass Policy Manager 6.8.1 through 6.8.4 appliances to successfully upgrade to ClearPass Policy Manager 6.9.0 through the Software Updates portal. This patch is not required when performing a manual upgrade. For customers using the Cluster Upgrade page, this patch is only required to be installed on the publisher.

CP‑36011

A change of authorization (CoA) fails in either pure IPv6 mode or dual stack with an HP switch.

If an HP switch is in either pure IPv6 mode or dual stack and has the NAS-IPv6-Address attribute instead of NAS-IP-Address, the default enforcement profiles will not work. This is because the NAS IPv6 address cannot be inserted in the NAS-IP-Address field that is included by default in the enforcement profile.

Workaround:

1. At Configuration > Enforcement > Profiles, create a copy of the enforcement profile to be used.

2. Replace the NAS-IP-Address field with NAS-IPv6-Address.

3. Replace the %{Radius:IETF NAS-IP-Address} value with %{Radius:IETF NAS-IPv6-Address} in the Value field.

4. Save this profile and use it instead.

CP‑36012

A RADIUS Dynamic Authorization request (DM or CoA) fails for Windows dual stack (IPv4/IPv6) clients. The AOS 8.5.X controller sends unsolicited Accounting Stop packets, which clears the Multi-Master Cache entry. This issue is not seen with AOS 6.5.x. For more information on the AOS issue, refer to AOS-198298 in the AOS Release Notes.

Workaround: If this occurs, go to the Administration > Server Manager > Server Configuration > Service Parameters tab for the server and select Policy server as the service. Configure the Additional time before session deletion from multi-master cache parameter by replacing the default value of 0 with some number of seconds. This will keep the session alive so a Dynamic Authorization request can be triggered.

CP‑36074

Incorrect Serial Number values are displayed on the ClearPass Policy Manager System Information window when operating on some Hyper-V instances. These values should be None or Not Specified.

CP‑36103

Users should be aware that, in Common Criteria (CC) operating mode, SAML certificates require the Basic Constraints setting to be set to True. Certificates with False will not be allowed to import to the Trust List.

CP‑36221

Virtual appliances might display different input/output per second (IOPS) values during boot time depending on the hypervisor in use. This issue may result in the displayed IOPS values having differences between boot and current times. To address this, the warnings during boot for disk performance have been suppressed.

CP‑36376

At Administration > Server Manager > Server Configuration, the Services Control tab shows the Ingress logger service as running even though ingress events processing is disabled on the System tab. The CLI, however, does correctly show the Ingress logger service as stopped.

This issue does not have any system performance impact and can be ignored.

CP‑36468

Users should be aware that, if you have upgraded to 6.9 and re-enabled Post-Authentication v1 functionality, you must convert back to Post-Authentication v2 for any IPv6 operations. Post-Authentication v1 does not support IPv6 functionality.

CP‑36629

A change of authorization (CoA) using tunnel-based EAP (TEAP) as the authentication method fails.

Workaround: To ensure that CoA works properly with TEAP when using Username from Method-1 in the Access Tracker:

1. Go to Configuration > Enforcement > Profiles > Add and create an enforcement profile called Set-TEAP-Method1-Username with the following attributes:

Type = Radius:IETF

Name = User-Name

Value = %{Authentication:TEAP-Method-1-Username}

2. Save the profile.
3. Go to Configuration > Services and select the service.
4. In the Enforcement tab, add the profile to the enforcement policy that is associated with the service.
5. Click Save.

CP‑36681

ClearPass Policy Manager may be configured with IPv6 addresses within the same prefix on the management and data interface. This is most common in SLAAC environment configurations. Recommended best practice is to always ensure that the IPv6 addresses are in different prefix spaces when used in production environments.

CP‑36760

When ClearPass Policy Manager is in FIPS mode, or in FIPS plus Common Criteria (CC) mode, policy simulations of the RADIUS authentication type fail for PEAP and EAP-based methods if the RADIUS authentication type was specified at Configuration > Policy Simulation. This is only an issue in FIPS or CC modes. It is not an issue in non-FIPS clusters, and it is not an issue with the PAP or CHAP methods.

CP‑36779

An IPv4 address cannot be removed from a dual stack standalone ClearPass Policy Manager appliance when the cluster communication mode is set to IPv4.

Workaround: On the Administration > Server Manager > Server Configuration > Cluster-Wide Parameters > Mode tab, set the Cluster Communication Mode to ipv6.

CP‑36824

When configuring an NTP server, if a single NTP server is configured to be both the primary and the secondary NTP server but different keys are assigned to each server, the key entered for the secondary server has no effect. Instead, the key configured for the primary is also applied to the secondary. This can be seen in the UI at Administration > Server Manager > Server Configuration > Set Date & Time.

CP‑36843, CP‑36876

The ClearPass Policy Manager upgrade images for 6.7.0 and 6.8.0 do not work correctly when the system install-image command is executed from the CLI. The system gets stuck while booting up the alternate partition.

CP‑36885

In a cluster, a discrepancy is sometimes seen where some data that is shown in Insight's System Monitor Dashboard on the publisher is not shown for the subscriber.

Users should be aware that, when configuring a hostname that includes a period character ( . ), the substring before the first period character must be unique for each appliance. This is because a hostname field that includes a period character is interpreted to be a Fully Qualified Domain Name (FQDN), in which case the substring before the first period character is the hostname.

Examples of valid hostname configurations:

* cppm1.arubanetworks.com
* cppm2.arubanetworks.com

Examples of invalid hostname configurations:

* cppm1.santaclara.arubanetworks.com
* cppm1.bangalore.arubanetworks.com
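CP‑35484 and CP‑36885 describe the same rule from two sides: Graphite, and any consumer that treats a dotted hostname as an FQDN, keys each appliance on the label before the first dot, so that label must be unique across the cluster. The following Python script is an added example, not part of the release notes or of ClearPass itself; it takes a list of planned hostnames and reports the ones that would collide before they are configured. Lower-casing the label is this example's own choice, on the assumption that hostnames are compared case-insensitively.

```python
"""Flag ClearPass cluster hostnames whose leading label (the part before the
first dot) is not unique, since that is the name Graphite and FQDN handling use.
Added example; not code from the ClearPass release notes or product."""
from collections import defaultdict


def short_name(hostname: str) -> str:
    """Return the label before the first dot.

    A hostname that contains a dot is interpreted as an FQDN, and Graphite
    stores and displays data under the leading label only, so this is the
    value that must differ between appliances. Lower-casing is an assumption
    of this example (hostname comparison treated as case-insensitive).
    """
    return hostname.strip().lower().split(".", 1)[0]


def find_collisions(hostnames):
    """Group hostnames by short name and return only the groups with more
    than one member, i.e. the appliances whose dashboard data would overlap."""
    groups = defaultdict(list)
    for name in hostnames:
        groups[short_name(name)].append(name)
    return {label: members for label, members in groups.items() if len(members) > 1}


# Constructed sample cluster: the first two names repeat the problematic
# pattern from the release notes, the last two the acceptable one.
SAMPLE_CLUSTER = [
    "cppm.location1.example.com",
    "cppm.location2.example.com",
    "cppm1.location1.example.com",
    "cppm2.location2.example.com",
]

if __name__ == "__main__":
    collisions = find_collisions(SAMPLE_CLUSTER)
    if not collisions:
        print("all short names are unique")
    for label, members in collisions.items():
        print(f"short name '{label}' is shared by: {', '.join(members)}")
```

Run it against the hostnames you intend to assign before joining appliances to the cluster; an empty result means the System Monitor Dashboard will keep each node's data separate.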

CP‑36953

Post Authentication session notifications do not work if custom ports are used with IPv6 literal addresses.

CP‑36973

On an Azure instance, some ClearPass applications can still be accessed from restricted IPs even though access to them had been restricted in the Administration > Server Manager > Server Configuration > Network tab's Application Access Control > Restrict Access options.

Workaround: On the Restrict Access form, make sure that the IP address or network entered in the Network field is the IP address from which the Azure instance receives the connection, and not the IP address of the final device.

CP‑36984

IPv6 subnet addresses (subnet definitions) are not currently supported when adding or editing a device in the IP or Subnet Address field of Configuration > Network > Devices.

CP‑36988

If an enforcement profile is added to a copy of a policy and the policy is then renamed, after upgrading to 6.9.0 the profile does not appear in the copied (renamed) policy anymore, and null is displayed in its place. The profile appears in the default policy instead. Because default names are usually enclosed in square brackets, do not use square brackets to enclose the name of a user-provided enforcement profile if the default name might later be used in the policy.

Workaround: If an enforcement profile is added to a non-default policy, and then that policy's name is changed and this issue occurs, the enforcement policy must be edited to use the appropriate default enforcement profile again.

CP‑36990

When configuring an external Network Time Protocol (NTP) server, if the NTP server is configured incorrectly and time synchronization fails, the error message "Date & Time change failed" is displayed, but the NTP server configuration persists in the Policy Manager database.

CP‑36992

On KVM instances running on Ubuntu 18.04 LTS, during deployment of the Policy Manager virtual appliance, the total memory shown does not match the allocated memory specifications. This issue can safely be ignored, as the total memory is shown correctly when Policy Manager comes up after installation.

CP‑37122, CP‑37263

Ingress Events fail for syslog messages that include a source port field if the IP address is in IPv6 format and has a port associated with it.

CP‑37171

Memory usage by the RADIUS server might gradually but steadily increase when TEAP is used as the RADIUS authentication method.

Workaround: If the memory usage exceeds acceptable limits, restart the RADIUS server.

CP‑37183

When ClearPass Policy Manager is in IPv6-only mode, session restriction based on the Active Session count does not work.

CP‑37243

After all identity provider (IdP) fields are correctly configured on the Configuration > Identity > Single Sign-On page, if the Certificate/Two-Factor Authentication for ClearPass Application Login service template is used to create the service, the IdP configuration is reset and the Single Sign-On page displays the error message "Identity Provider (IdP) Signing Certificate is mandatory."

CP‑37264

The Configuration > Enforcement > Profiles form for an AOS‑CX Aruba Downloadable User Role Enforcement profile allows both the IP Precedence and DSCP options to be specified in the policy and class configurations. However, the AOS‑CX enforcements fail when the switch commands are executed.

Workaround: When you configure an AOS‑CX based enforcement profile, do not use IP Precedence and DSCP in the same class or policy.

CP‑37268

In the Configuration > Enforcement > Profiles form for an Aruba Downloadable User Role Enforcement profile, the Captive Portal Configuration form in standard mode displays the URL hash key fields as available for the AOS‑CX product. However, URL hash keys are not allowed in Aruba Downloadable User Roles (DUR) for the AOS-CX switch. If they are configured for the switch, it causes command executions to fail.

Workaround: To successfully enforce the captive portal configurations, leave the URL Hash‑Key (PlainText) and URL Hash‑Key (CipherText) fields empty when you configure the AOS-CX captive portal.

CP‑37270

When configuring a class definition for an AOS-CX enforcement profile on the Configuration > Enforcement > Profiles > Class Configuration form, the Rule Configuration tab displays the fields for source ports and destination ports as available for every protocol. However, these fields should only be used for the TCP and UDP protocols. Configuring them for any other protocol causes command executions to fail.

Workaround: Only enter values for the Source Port, Source Port Value, Destination Port, or Destination Port Value fields if you are configuring the TCP or UDP protocols in an AOS-CX enforcement profile. If you are configuring any other protocol type, leave these four fields empty.

CP‑37326


If the RADIUS Accounting field group is selected for session logs export filters in syslog, the value for the RADIUS Framed IP Address is not shown in the Access Tracker > Request Details > Accounting tab or the logs, although the Framed IPv6 Address is.

Workaround: If you need to capture the framed IPv6 address, use the Insight syslog export filter with the RADIUS Accounting predefined field group instead.

CP‑37327

At Administration > Certificates > Trust List, when trying to configure additional values in the Usage field for an existing CA certificate, the error message "Cannot modify Usage as it is root / intermediate CA certificate for <Subject DNs>" is displayed.

Workaround: In the Usage field for the CA certificate, first include the EAP type for the certificate. You can then enter the additional usage types that are required.

CP‑37336

On the Summary tab of the Monitoring > Live Monitoring > Access Tracker > Request Details form for a RADIUS request, IPv6 addresses are displayed incorrectly in the Access Device IP/Port field. The IPv4 format is currently used in this field, where a colon character ( : ) separates the IP address and port value. However, since IPv6 addresses already include a colon, when the port value is added with another colon it can look like a different IPv6 address.

Users should be aware that the last number in the string is the port. The IPv6 address is displayed correctly on the Input tab. This is not an issue for IPv4 addresses.
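Because the Access Device IP/Port field joins the address and the port with a bare colon, a value such as 2001:db8::1:1812 is itself a syntactically valid IPv6 address, which is exactly the ambiguity CP‑37336 describes. The following Python helper is an added example, not code from the release notes or from ClearPass; it applies the rule stated above (the last number is the port) by splitting on the last colon, validates the remaining address with the standard library, and separately reports whether a field could be misread as a whole IPv6 address.

```python
"""Split an Access Tracker 'Access Device IP/Port' value into (address, port).
Added example; not code from the ClearPass release notes or product."""
import ipaddress


def split_access_device(field: str):
    """Return (ip_address, port) for a '<ip>:<port>' display string.

    The port is always the last colon-separated number, so the split must be
    on the LAST colon; splitting on the first colon would break every IPv6
    address. Bracketed IPv6 ('[addr]:port') is also accepted, as a convenience
    of this example. The address part is validated so a malformed value raises
    instead of being silently misread.
    """
    if ":" not in field:
        raise ValueError(f"no port separator in {field!r}")
    host, _, port_text = field.rpartition(":")
    host = host.strip("[]")
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ipaddress.ip_address(host), port


def is_ambiguous(field: str) -> bool:
    """True when the whole display string also parses as a single IP address,
    i.e. a reader could mistake 'address:port' for a different IPv6 address."""
    try:
        ipaddress.ip_address(field)
    except ValueError:
        return False
    return True


# Constructed sample values as they would appear in the Summary tab.
SAMPLE_FIELDS = [
    "10.1.1.1:1812",          # IPv4: unambiguous
    "2001:db8::1:1812",       # IPv6 + port: also a valid IPv6 address on its own
    "[2001:db8::1]:1813",     # bracketed form, accepted for convenience
]

if __name__ == "__main__":
    for value in SAMPLE_FIELDS:
        addr, port = split_access_device(value)
        flag = " (could be misread as one IPv6 address)" if is_ambiguous(value) else ""
        print(f"{value!r}: address={addr} port={port}{flag}")
```

The Input tab shows the address unambiguously, so use it as the reference when the Summary tab value is flagged as ambiguous.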

CP‑37390

When the system morph-vm CLI command is used to morph a virtual appliance (VA) to a larger size, all the licenses are deleted. This issue does not affect configuration data. This issue is observed on 6.7.x, 6.8.x, and 6.9.

Workaround: After the upgrade, contact Aruba's Technical Assistance Center (TAC) to have the licenses activated again.

CP‑37403

The Event Viewer and SNMP events do not correctly indicate the status of C2010 hard drives. When a hard drive is removed from the C2010, the associated SNMP event is not generated and the Event Viewer does not indicate this has occurred.

CP‑37464

If the value for the Administration > Server Manager > Server Configuration > Cluster-Wide Parameters > Allow Concurrent Admin Login field is set to False , then when a session expires due to inactivity based on the Admin Session Idle Timeout value, the admin user will not be able to log in to the user interface and the error message "Error 404: Page not found" is displayed.

Workaround: If this error occurs, open the CLI and restart the cpass-admin-server service to recover UI access.

To prevent it from happening, do one of the following:

* Set the Allow Concurrent Admin Login value to True.
* Set the Admin Session Idle Timeout value to 1440 minutes.

CP‑37483

Autobackups for Policy Manager or for Insight reports do not work over SFTP if sent to a Windows operating system running an SFTP server. This is only an issue on Windows; it is not an issue on Linux.

Workaround: SFTP the reports to Linux-based SSH servers, or use the SCP method with Windows servers.

CP‑37484

When changes are saved for a server that has a SLAAC IPv6 address in the data port, the Administration > Server Manager > Server Configuration > Save Server Details window shows the error message "Error: Invalid IPv6 Gateway address."

This message can be ignored. This issue does not affect functionality, and the server configuration changes are successfully updated in the database.

CP‑37534

In a dual-stack domain controller environment, if the Join AD Domain option is entered in the UI or the ad netjoin command is executed in the CLI, the output shows the domain join as successful; however, the server is not actually joined to the Active Directory and the error message “WARNING - Failed to fetch trusted domain list information” is displayed.

This issue may occur in either of the following scenarios:

* If there is a SLAAC IPv6 address on the interface in a dual stack environment and the router that advertises the SLAAC subnet is not correctly configured to reach the domain controller.
* If the IPv6 address is statically configured but the specified gateway is not correctly configured to reach the domain controller.

Workaround: If this error is seen while attempting a domain join, first make sure the Policy Manager server can reach both the IPv4 and the IPv6 address of the domain controller, and then use the ad netleave CLI command to leave the Active Directory and then perform the domain join again.

CP‑37536

When Policy Manager is in FIPS mode or Common Criteria (CC) mode, the nmsagent and nmstrapagent services fail. This causes a timeout error in SNMP polling (walk, get), and SNMP traps might not be received.

This is only an issue in FIPS or CC mode. It is not an issue in standard mode.

CP‑37640

ClearPass Policy Manager 6.9 implements the Advanced Intrusion Detection (AIDE) package to perform filesystem integrity checks on a regular basis. Customers might receive intermittent warning messages (level = WARN, Action = Failure) in Monitoring > Event Viewer or Syslog audit. These messages may safely be ignored at this time.

CP‑37669

TACACS+ authentication fails and the error message "Error reading TACACS PAP authentication packet header" is displayed in logs.

This issue only occurs with TACACS+ authentications if the NAD is defined using an IPv4 subnet. Individual IP addresses or IPv4 address ranges are not impacted. RADIUS authentications are not impacted.

Workaround: After upgrading to ClearPass Policy Manager 6.9.0, users should apply the ClearPass 6.9.0 Hotfix for TACACS+ using subnet defined NADs.

CP‑37688

If the 6.9.0 upgrade image file is downloaded from the Support site and then manually uploaded to the Administration > Agents and Software Updates > Software Updates page, the More Information window that opens when the file is clicked shows the version number twice.

This is a cosmetic issue and can be ignored.

CP‑37698

Customers operating ClearPass Policy Manager on the following hardware appliances will not be able to upgrade to the 6.9 version. These appliance models will be limited to the 6.8 major software version and its updates:

* CP‑HW‑5K operating as C2000 in version 6.7, C2000 (R210) in version 6.8, or C2000 (R220) in version 6.8
* CP‑HW‑25K operating as C3000 in version 6.7 or C3000 (R610) in version 6.8

CP‑37811

On versions 6.8.1 through 6.8.4, if the 6.9.0 Upgrade Preparation Patch is installed but then a different patch or hotfix is applied before the upgrade is performed, upgrading through the Cluster Upgrade page does not work. The subscribers hang and are not upgraded and the Cluster Upgrade page on the publisher is blank after the upgrade.

This is only an issue when upgrading from 6.8.1 through 6.8.4. It is not an issue when upgrading from other versions.

Workaround: In this scenario, do not use the Cluster Upgrade page. If you have applied other patches or hotfixes after installing the 6.9.0 Upgrade Preparation Patch, the upgrades must be done individually on each appliance. Contact Aruba's Technical Assistance Center (TAC) to help you with the upgrade.

CP‑37998

In an Azure instance, the Data/External Port is always shown as the localhost IP address on the Administration > Server Manager > Server Configuration > System tab.

CP‑38402

During Device Insight Integration configuration, if the Comodo RSA Certification Authority root certificate authority (CA) is not included in the trust list, the integration cannot be enabled and the error message "Failed to verify server certificate(s)" is displayed.

This issue is only seen if a user tries to enable Device Insight integration at Administration > Server Manager > Device Insight, and only if the certificate is not already present and enabled.

Workaround: Manually import the COMODO certificate to the trust list and enable it at Administration > Certificates > Trust List.

CP‑38573

CP‑43000

Manually loaded patches do not appear after uploading to Policy Manager. This issue is only observed with patches that are not available on the download server, and only if the HPE Passport credentials are defined on the Software Updates page.

Workaround: Remove the HPE Passport credentials from the Software Updates page and click Save, and then manually load the patch. The patch will then be visible to install. After the patch is installed, you can re-enter the HPE Passport credentials to resume normal operation.

CP‑39496

CP‑36896

CP‑37701

On an Azure instance, the Virtual IP tab and its Failover Wait Time field are available at Administration > Server Manager > Server Configuration > Cluster-Wide Parameters, even though the virtual IP feature is not supported by Policy Manager running on Azure. Although the fields are available and a configuration can be entered, the configuration will not take effect.

CP‑39499

CP‑36828

HTTP proxy settings are currently unavailable in service parameters for Azure deployments.

CP‑39502

CP‑36952

After FIPS mode is enabled in an Azure deployment, the system does not reflect the FIPS status in the administration footer even though the functionality is actually enabled.

CP‑39574

CP‑39843

After a service is imported that includes an Agent Enforcement profile, attribute names are displayed as Agent Script instead of the default names on the Configuration > Enforcement > Profiles > Edit Enforcement Profile tab.

This issue is only seen when importing existing profiles; it is not seen when a new profile is added.

CP‑43283

After upgrading from ClearPass 6.7.14 to 6.9.0, or after using the ClearPass Policy Manager upgrade image for 6.9.7.131609 to upgrade directly to 6.9.7 from 6.7.14 or 6.8.9, RadSec does not work and the error message “ERROR RadSec - Error in block client 0.0.0.0/0, defaulting validation to None” is seen in the Debug logs.

Users should be aware that if a ClearPass 6.7.x system uses RadSec, then during upgrade to 6.9.0 or direct upgrade to 6.9.7 all RadSec functionality is lost. This issue occurs because the source override IP address feature that was introduced after 6.7.x must be configured, and because the Trust List usage for RadSec needs to be updated.

Workaround:

* On the Configuration > Network > Devices > Device tab, open the Edit Device Details form for the RadSec-enabled device. In the Source Override IP Address field on the RadSec Settings tab, enter the same IP address as the network access device (NAD) IP for RadSec. This will need to be done for all NAD definitions on upgraded appliances; however, it will not need to be done thereafter for new NAD definitions.
* At Administration > Certificates > Trust List, for each Certificate Authority (CA) root certificate that will be used for RadSec, open the View Certificate Details form and add RadSec in the Usage list.

Note: After a ClearPass server that uses RadSec is upgraded to 6.9.0 or directly upgraded to 6.9.7, port 2083 is only allowed for the devices that are added through the Source Override IP Address field at Configuration > Network > Devices. In ClearPass 6.7.x, port 2083 is allowed for any device.

CP‑43728

CP‑44639

During an upgrade to ClearPass 6.9.0, any attributes in a custom change of authorization (CoA) dictionary will be removed, which can result in failure to export RADIUS services or Access Tracker events if they reference the custom dictionary.

Workaround: To retain attributes in custom CoA dictionaries after the 6.9.0 upgrade, first export the custom CoA dictionary before the upgrade and then re-import it after the upgrade.

CP‑44053

After upgrading or updating to 6.9.7, trying to update the ClearPass license fails.

Users should be aware that, starting with the ClearPass 6.9.7 release, tighter checks on license formats were implemented. Before a system is upgraded or updated to 6.9.7, Aruba Support should be contacted to replace the legacy Platform license with an updated license format.

Profiler and Network Discovery

Table 11: Profiler and Network Discovery Known Issues in 6.9.0

Bug ID

Description

CP‑37118

Profiling is not currently supported on IPv6 networks. On dual-stack networks, profiling is supported using the IPv4 addresses exclusively.