Aruba Instant 8.9.0.0 Release Notes
Copyright Information

© Copyright 2021 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

    Hewlett Packard Enterprise Company
    6280 America Center Drive
    San Jose, CA 95002
    USA

Contents

    Revision History
    Release Overview
        Related Documents
        Supported Browsers
        Terminology Change
        Contacting Support
    New Features and Enhancements
        ARM
        Authentication
        Central
        CLI
        Datapath / Firewall
        DHCP
        DNS
        IoT
        Platform
        VPN
    Supported Hardware Platforms
    Regulatory Updates
    Resolved Issues
    Known Issues and Limitations
        Limitations
        Known Issues
    Upgrading an Instant AP
        Upgrading an Instant AP and Image Server
        Upgrading an Instant AP Using the Automatic Image Check
        Upgrading to a New Version Manually Using the WebUI
        Upgrading an Instant AP Image Using CLI
        Upgrade from Instant 6.4.x.x-4.2.x.x to Instant 8.9.0.x

Revision History

The following table provides the revision history of this document.

Table 1: Revision History

| Revision    | Change Description |
|-------------|--------------------|
| Revision 01 | Initial release.   |

Chapter 1: Release Overview

These Aruba Instant release notes include the following topics:

- New Features and Enhancements
- Supported Hardware Platforms
- Regulatory Updates
- Resolved Issues
- Known Issues and Limitations
- Upgrading an Instant AP

For the list of terms, refer to the Glossary.

Related Documents

The following guides are part of the complete documentation for the Aruba user-centric network:

- Aruba AP Software Quick Start Guide
- Aruba Instant User Guide
- Aruba Instant CLI Reference Guide
- Aruba Instant REST API Guide
- Aruba Instant Syslog Messages Reference Guide
- Aruba Instant AP Troubleshooting Guide

Supported Browsers

The following browsers are officially supported for use with the Instant WebUI:

- Microsoft Internet Explorer 11 on Windows 7 and Windows 8
- Microsoft Edge (Microsoft Edge 38.14393.0.0 and Microsoft EdgeHTML 14.14393) on Windows 10
- Mozilla Firefox 48 or later on Windows 7, Windows 8, Windows 10, and macOS
- Apple Safari 8.0 or later on macOS
- Google Chrome 67 or later on Windows 7, Windows 8, Windows 10, and macOS

Terminology Change

As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people.
Such content is not representative of our HPE culture and, moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

| Usage                              | Old Language         | New Language        |
|------------------------------------|----------------------|---------------------|
| Campus Access Points + Controllers | Master-Slave         | Conductor-Member    |
| Instant Access Points              | Master-Slave         | Conductor-Member    |
| Switch Stack                       | Master-Slave         | Conductor-Member    |
| Wireless LAN Controller            | Mobility Master      | Mobility Conductor  |
| Firewall Configuration             | Blacklist, Whitelist | Denylist, Allowlist |
| Types of Hackers                   | Black Hat, White Hat | Unethical, Ethical  |

Contacting Support

Table 2: Contact Information

| Contact                                   | Details                                                                              |
|-------------------------------------------|--------------------------------------------------------------------------------------|
| Main Site                                 | arubanetworks.com                                                                    |
| Support Site                              | https://asp.arubanetworks.com/                                                       |
| Airheads Social Forums and Knowledge Base | community.arubanetworks.com                                                          |
| North American Telephone                  | 1-800-943-4526 (Toll Free), 1-408-754-1200                                           |
| International Telephone                   | arubanetworks.com/support-services/contact-support/                                  |
| Software Licensing Site                   | lms.arubanetworks.com                                                                |
| End-of-life Information                   | arubanetworks.com/support-services/end-of-life/                                      |
| Security Incident Response Team           | Site: arubanetworks.com/support-services/security-bulletins/ Email: [email protected] |

Chapter 2: New Features and Enhancements

This chapter describes the features and enhancements introduced in this release.

ARM

Configure Beacon Rates in WLAN SSID Settings

Two new parameters, a-beacon-rate and g-beacon-rate, are introduced in the WLAN SSID profile configuration to allow control of the beacon rates independently of the basic rates configured on the profile.

Authentication

Fall Back to Internal Authentication Only During Authentication Server Timeout

A new option is introduced that configures the Instant AP to fall back to internal authentication only when the response from the authentication server times out. When enabled, the Instant AP uses the internal authentication server to authenticate management users only when the response from the authentication server times out.
This can be configured through the CLI; the command to enable it is mgmt-auth-server-timeout-local-backup.

Managing Authentication Certificates

Before downgrading an Instant AP to an earlier version, clear the certificate assignment for all applications in the Instant AP. If Central or AirWave is used for managing certificates on an Instant AP, clear the certificates using the Central UI, AirWave UI, or the Instant AP CLI.

Support for Using EST Certificate with AP1X Authentication

A new parameter, ap1x tls est, is introduced to allow EST certificates to be used for AP1X authentication.

Support for Using EST Certificate with RADSEC

A new CLI command, radsec-use-est-certificate, is introduced to allow RADSEC to use EST certificates instead of custom or default certificates.

Central

Provisioning AP1X Certificates through Aruba Central or AirWave

Aruba Instant supports provisioning of AP1X certificates through AirWave or Central. A common AP1X certificate can now be applied to all Instant APs in the cluster by executing the following CLI commands:

    (Instant AP)(config) # wlan cert-assignment-profile
    (Instant AP) (cert assignment) # pki-cert-assign application ap1x cert-type TrustedCA certname <cert_name>

If an AP1X common cert already exists in the Instant AP and needs to be replaced with a per-device AP1X certificate, you must first remove the common cert uploaded through Central or AirWave and then re-upload the per-device cert. This is because the common certificate has a higher priority than the per-device certificate, so the per-device cert will not be used unless the common cert is removed.
The following CLI commands are used to remove the common AP1X CA certificate installed through AirWave or Central:

    (Instant AP)# clear-cert ap1x-common-cert
    (Instant AP)# clear-cert ap1x-common-ca

Report Configuration Sync Error on Member AP to Central

When a configuration sync error is observed on a member AP in an Instant cluster, or a new member AP joins the cluster, a checksum error is generated. This checksum error is now reported to Central, in order to determine whether to collect the configuration audit from the member AP.

Support for Alternate Image Server When Provisioning an Instant AP

AP provisioning is done either through a mandatory upgrade or through image sync with Aruba Activate. Typically, Aruba Activate returns the default image URL as an HTTPS body payload, and the AP uses this URL to download and upgrade the image. However, in some scenarios the default URL returned by Aruba Activate can be unreachable, because users configure a firewall that only allows specific URLs or static IP addresses, while the default URL is served with a dynamic IP address. Starting from Aruba Instant 8.9.0.0, Instant introduces an alternative image URL service function which supplies a reachable image URL from the cache list when the conductor or member APs report a mismatch. The AP will then use the reachable image URL to download the image and provision the AP.

CLI

Report Crash Information for Conductor and Member APs

A new entry called Crash Info is added to the output of the show aps command, to indicate if a crash has occurred on a conductor or a member AP.

Change in the Denotation of Radio Bands in Show Commands

The denotation of radio bands in the output of the following commands was changed from 802.11a and 802.11b/g to 5 GHz and 2.4 GHz respectively:

- show ap monitor
- show ap debug received-reg-table
- show ap bss-table
- show ap allowed-channels

Change in Default SSL Protocol Used for Web Server Connections

The default SSL protocol used for web server connections has been changed to TLS v1.2. This change in default SSL protocol is only applicable to factory default APs running Aruba Instant 8.9.0.0 and later versions. APs that are upgraded to Aruba Instant 8.9.0.0 or later versions from earlier versions will continue to use the pre-existing SSL protocol configuration for web server connections.

Datapath / Firewall

Enhancement to Ethernet and Wi-Fi Uplink Preemption

Instant now supports configuring two layer-3 wired uplinks. However, only one uplink can remain active at a time, while the other uplink serves as a backup in case a failover is initiated.

DHCP

DHCP Information Reporting

Instant APs can now forward DHCP information of clients to a server in Local, Local L3, Centralized L3, Distributed L3, and Virtual Controller assigned networks.
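
Added example (not part of the release notes and not Aruba tooling), relating to the change in default SSL protocol for web server connections described above: because upgraded APs keep their earlier SSL protocol setting, this Python check probes which TLS versions an AP's web server still negotiates. The function names and the default port 443 are assumptions; use the port your WebUI actually listens on.

```python
import socket
import ssl

# Protocol versions probed, oldest first (TLS 1.2 is the new factory default).
VERSIONS = [("TLSv1.0", ssl.TLSVersion.TLSv1),
            ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]
LEGACY = {"TLSv1.0", "TLSv1.1"}


def accepts(host, port, version, timeout=3.0):
    """True/False if a handshake pinned to `version` succeeds/fails;
    None if the host is unreachable or this client cannot offer `version`."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with raw:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            # Only protocol negotiation is inspected, and the WebUI certificate
            # may be self-signed, so certificate validation is disabled here.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            return None  # local TLS library cannot offer this version
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, OSError):
            return False


def audit(host, port=443, probe=accepts):
    """Map protocol name -> probe outcome for one AP web server."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS}


def legacy_accepted(result):
    """Legacy protocols the server still negotiated (empty list = none)."""
    return sorted(name for name in LEGACY if result.get(name) is True)
```

A None outcome means the probe could not decide (host unreachable, or the local OpenSSL build cannot offer that version), so treat it as untested rather than as compliant.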