Behavior Changes in the 6.11.0 Release

Users should be aware of the following important changes in ClearPass Policy Manager behaviors, resources, or support that might require changes in existing system configurations after upgrading to 6.11.0. For more information, refer to the ticket descriptions in these Release Notes, and to the Policy Manager User Guide and Guest User Guide.

* To install ClearPass 6.11, use the 6.11.1 Installation ISO image that is available in the HPE Networking Support Portal. The 6.11.0 image was removed. This was done because the original ClearPass 6.11.0 image required customers to have a valid/active license support end date for RHEL licenses in order to continue with a system update or upgrade. This would usually be verified by connecting to the clearpass.arubanetworks.com web server. ClearPass systems that are online with access to the Clearpass web server can fetch this information, and system updates and upgrades are allowed on these systems based on the validity of RHEL support license. However, for ClearPass systems that are offline, there is no way to contact the Clearpass web server to validate their RHEL support license. This means that customers with offline systems would not be able to update or upgrade their ClearPass system even if they have a valid support license with RHEL. This issue has been addressed in the 6.11.1 image that is available in the HPE Networking Support Portal. (CP‑49415)
* ClearPass 6.11 includes significant underlying changes that continue to strengthen security throughout. Due to these changes, you will experience substantial differences in installation, upgrade, and licensing behaviors. Existing ClearPass systems cannot be upgraded to 6.11; a fresh installation must performed instead. You will need to first take a backup image of your existing 6.9.x or 6.10.x system configuration, make a copy of the license keys, and export the CA-signed server certificates. You will then perform a fresh installation from an ISO file for if it's a hardware appliance, or deploy a new virtual appliance. After the new system is installed, you will add your existing license keys, restore the configuration backup, and import the CA-signed server certificates on the new system. For details, please see the Installation and Licensing Changes for 6.11 section of these Release Notes and the ClearPass 6.11 Installation Guide. (CP‑47582)
* Starting with the ClearPass 6.11.0 release, ClearPass on Hyper‑V will be deployed as a Generation 2 virtual appliance. As part of this change, users should be aware that Generation 2 only supports UEFI boot instead of BIOS, so UEFI boot must be enabled for a ClearPass VA deployed on a Hyper‑V server. In addition, the boot behavior of some Linux virtual appliances running Windows Server 2012 R2 might require configuration changes. (CP‑46509)
* Users should be aware that the aggressive cleanup behavior is now changed as part of the partition schema changes in ClearPass 6.11. Cleanup tasks and alerts are now triggered separately for the "/", "/var", and "/var/log" partitions. This differs from previous ClearPass releases, where all of the system logs, application logs, backed up configurations, stored reports, and past authentication records where cleared as part of the "/" partition. (CP‑47074, CP‑47476)
* The ClearPass 6.11.0 release includes enhanced accuracy of license accounting and reporting. In order to upgrade a ClearPass cluster to a higher version (> 6.11), you must have a current, valid Support Agreement Entitlement ID (SAID) tied to the Platform license key on every server in the cluster. If any server in a cluster does not have a valid PAK and license, a  warning message is displayed when the upgrade is attempted and the upgrade or update cannot proceed. For more information, see CP-42582.
* Users should be aware of the following configuration requirements starting with the ClearPass 6.11.0 release: (CP‑46268)
- When you create any new, non-default configuration that uses the insightdb or tipsLogDb database as an authentication source, it must be configured to use port number 5433.
- After you restore a configuration backup on 6.11.0 that was taken from an older version (6.9.X. or 6.10.X), any custom (not default) configuration that uses the insightdb or tipsLogDb database as an authentication source must be updated to use port number 5433 instead of 5432.
* New Support Model: Starting with the 6.11.0 release, ClearPass will follow the Long Support Release and Short Support Release models, as follows:
- ClearPass 6.11.0 is a Long Support Release (LSR), and will include certifications and active support for two or more years. In a Long Support Release, HPE Aruba Networking introduces new features and new hardware, and "parks" hardware (last major release supported) as needed. LSR releases are supported from release until the time that the next LSR is available. For more information, see the HPE Aruba Networking End of Life Policy page.
- In a Short Support Release, HPE Aruba Networking introduces new features and new hardware, but does NOT "park" any hardware. SSR releases are supported from release until the date of the next SSR or LSR release.
- A maximum of two releases are supported at any point in time (one LSR and one SSR).
* ClearPass now supports IPv6 for RadSec. Administrators can configure RadSec to use IPv6, allowing access to RadSec sources and to services for RadSec clients. (CP‑38724, CP‑42592, CP‑43321)
* Two changes were made in the Processes health class of the Universal System Health Validator for both macOS and Windows: The SHA256 Sum option is added and is available in both FIPS and non-FIPS modes. When ClearPass is in FIPS mode, the MD5 Sum option for Process to be absent is now hidden. Users should be aware that if the MD5 Sum option was previously configured for Process to be absent in FIPS mode in ClearPass 6.10.x or earlier, then after upgrading to 6.11.0 or later versions the MD5 option will not be displayed. Users must configure such policies with SHA256 Sum after the upgrade. (CP‑8483)
* In the ClearPass Universal System Health Validator for both Windows and macOS, the File Check health class now supports checking for the presence or absence of files based on the SHA256 checksum. Users should be aware that the MD5 Checksum is no longer available in FIPS mode. (CP‑42585)
* The ClearPass OnGuard Agent is no longer supported on Ubuntu 16.04 64-bit or 32-bit systems. (CP‑44843, CP‑47896, CP‑47897)
* Users should be aware that Windows 2008 Active Directory is not supported in FIPS or CC mode. (CP‑45041)
* Starting with ClearPass 6.11, the OpenSSL cryptography library in ClearPass does not support TLS 1.0 or TLS 1.1 when FIPS mode is enabled. As part of this change, the Disable TLSv1.0 support and Disable TLSv1.1 support options are hidden in Cluster-Wide Parameters when FIPS mode is enabled. (CP‑45130, CP‑45324)
* Starting with ClearPass 6.11, when in FIPS and CC mode, cipher suites that use RSA, DSA, or DH keys shorter than 2048 bits or ECC keys shorter than 224 bits are not supported. (CP‑45377)
* Users should be aware that starting in ClearPass 6.11, only SHA1 is supported as an NTP authentication algorithm type. While restoring backups on 6.11.0 installations, if there are any NTP servers configured with the SHA algorithm, the algorithm corresponding to those servers will be automatically changed to SHA1 as part of the upgrade procedure. (CP‑44382)
* Configuring trust settings is now mandatory for Android, ensuring compliance with WPA3 specifications for server certificate validation. The trusted servers configuration in Onboard must be manually configured and the FQDN of the ClearPass server entered. For details, see known issue CP‑40843, and the "Configuring Certificate Trust Settings" topic in the ClearPass Guest User Guide. (CP‑40843)
* For a cluster with self-signed certificates, now after the user changes the management IP address they do not need to regenerate the database certificate. The steps to generate the database certificate and restart the backend service are now handled automatically. Users may expect a delay of up to 10 minutes while all backend services are restarted and the configuration updates and replication setup are re-established. With this change, in a cluster with self-signed certificates, users no longer need to manually regenerate the database certificate or reboot the server after changing the management IP. This change only applies to clusters with self-signed certificates. It does not apply to clusters with CA-signed certificates. (CP‑45345)
* Now when a management IP address is changed on a ClearPass server, if it uses self-signed certificates then the database certificate regeneration and backend service restart are handled automatically, and the user does not have to manually regenerate the certificate or reboot to reflect the information. This is only true for self-signed certificates. If CA-signed certificates are used instead, the database server certificate might need to be updated after re-login. As part of this change, the warning message on the Server Configuration > Save Server Details window is updated to the CA-certificate scenario. (CP‑47195)
* Beginning in ClearPass 6.11 the use of M4 Amazon Web Services is no longer supported. Amazon indicates that all customers must move to M5 instances to be able to support operating ClearPass. (CP‑47664)
* The VMware ESXI 6.5 hypervisor is no longer supported in ClearPass. Starting with the ClearPass 6.11.0 release, ESXi 6.7 or later is required. (CP‑46388, CP‑46204)
* At Guest > Configuration > SMS Services > Gateways, the gateway ClearPass Guest SMS Service is now deprecated. ClearPass 6.11 is the final release where the ClearPass Guest SMS Service gateway will be available. The service will be removed entirely in a future release of ClearPass. The service itself is no longer available. (CP‑48060)
* In ClearPass 6.11.0, endpoint attributes records are limited to 4096 bytes. Customers who have more than 4096 bytes of attributes associated with their endpoints, or who are unsure of the size, are recommended to not upgrade to ClearPass 6.11 until this issue is resolved. (CP‑50009)
* Starting with the 6.11.0 release, after the system morph-vm command is run during a ClearPass upgrade and the new disk is added, the existing hard disk cannot be removed. This is because the existing disk is used to extend the disk space for the server, and is included in the calculations to determine the required capacity of the additional hard disk. (CP‑52950)
* In ClearPass 6.11.0 and later versions, the maximum single cluster size is limited to 32 servers. This includes the publisher, standby publisher, subscribers, dedicated Insight server, and standby Insight servers. (CP‑53551)