Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Table 1: Enhancements (columns: Version, Software, Description, Category)

Version 16.10.0025 | Software: KB | Category: Central Integration

Support for https-based firmware downloads from Aruba Central has been added.

The firmware now embeds a trust anchor for verifying the firmware repository server's certificate. The update also verifies the Subject Alternative Name (SAN) in the server certificate and restricts the newly added trust anchor to https-based firmware downloads only.

Version 16.10.0024 | Software: KB | Category: NA

No enhancements were included in version 16.10.0024.

Version 16.10.0023 | Software: KB | Category: NA

No enhancements were included in version 16.10.0023.

Version 16.10.0022 | Software: KB | Category: Security

The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST.

NOTE: When an unauthorized client connects via the OOBM port, the existing behaviour remains unchanged.

Version 16.10.0021 | Software: KB | Category: NA

No enhancements were included in version 16.10.0021.

Version 16.10.0020 | Software: KB | Category: OSPF/OSPFv3

The OSPF Route Filtering feature provides an option to prevent intra-area routes from being installed in the local FIB table.

Using it, an operator can create a distribute-list with one or more network addresses that are used to filter intra-area routes in OSPFv2/OSPFv3.

Syntax:

OSPFv2: distribute-list <IP-ADDR>/<Prefix-Len>

OSPFv3: distribute-list <IPV6-ADDR>/<Prefix-Len>

Refer to the Aruba 3810/5400R Multicasting and Routing Guide for AOS-S Switch 16.11 and the Aruba 3810/5400R IPv6 Configuration Guide for AOS-S Switch 16.11 for more information.

Version 16.10.0020 | Software: KB | Category: Device Finger Printing

Added support in the Device Fingerprinting (DFP) module to send protocol data to Aruba Central for telemetry.

Added an options-list parameter to the device-fingerprinting CLI. The switch software is enhanced to collect the DHCP options list and up to three instances of the HTTP User-Agent header.

Syntax: device-fingerprinting [policy] <PROFILE_NAME> dhcp [option-num <NUM> | options-list]

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.11 for more information.

Version 16.10.0019 | Software: KB | Category: NA

No enhancements were included in version 16.10.0019.

Version 16.10.0018 | Software: KB | Category: EST

The Enrollment over Secure Transport (EST) client feature is updated to download and renew CA certificates from an EST server independently of application certificate enrollment. A new command, est-server <profile-name> cacerts-download, enables independent CA certificate download from the EST server. This enhancement initiates automatic CA certificate download and renewal when the existing TA profile is about to expire. The switch uses the existing est-server <profile-name> re-enrollment-prior-expiry command to determine how many days in advance the renewal is done. A MIB has also been added to enable automatic download and renewal of CA certificates from the EST server.

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.10 and the Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Version 16.10.0017 | Software: KB | Category: Security

TCP timestamps are an extension to the original TCP stack, introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or other tool, an attacker can observe the TCP timestamp and determine the system uptime, gaining information about the operational state of the system.

To avoid such risks, a new command, ip tcp randomize-timestamp, has been introduced to randomize the TCP timestamp offset per connection. Once the command is issued, all newly established TCP sessions use a random offset along with the timestamp.

A MIB has also been added to enable or disable the randomization of TCP timestamp offsets.

Refer to the Aruba 3810/5400R Management and Configuration Guide for AOS-S Switch 16.10 and the Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Version 16.10.0017 | Software: KB | Category: Support for Silent Device

This is an enhancement to the existing User-Based Tunneling vlan-extend-enable (VLAN-aware) mode. Silent devices such as Programmable Logic Controllers (PLCs) do not initiate any traffic until they receive a message from the uplink server. Such devices therefore cannot use the benefits of colorless ports, which include being authenticated through a RADIUS server and being dynamically placed in a VLAN or tunneled to a controller.

To support such silent devices, a new command, tunneled-node-server ubt-wol-enable vlan <VLAN-ID-LIST>, has been introduced. This command configures the silent client so that the controller allows the first packet from the uplink server to reach the silent client without a user tunnel; that packet then initiates user authentication and tunnel formation.

A MIB has also been added to enable User-Based Tunneling Wake-on-LAN (WoL) on the specified VLANs.

Refer to the Aruba 3810/5400R Management and Configuration Guide for AOS-S Switch 16.10 and the Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Version 16.10.0016 | Software: KB | Category: SSH

Added support for the new SSH data integrity algorithm hmac-sha2-256, which is defined in RFC 6668.

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.10 and the Aruba 3810/5400R IPv6 Configuration Guide for AOS-S Switch 16.10 for more information.

Version 16.10.0016 | Software: KB | Category: EAP-TLS Fragmentation

Added support to configure the size of the EAP-TLS fragments sent from the switch to the RADIUS server. Configuring the EAP-TLS fragment size according to the network MTU avoids IP fragmentation in the network, so that fragmented packets are not dropped by firewalls or gateways.

Added a MIB to indicate the maximum size of the EAP-TLS fragment sent to the RADIUS server.

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.10 and the Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Version 16.10.0015 | Software: KB | Category: NA

No enhancements were included in version 16.10.0015.

Version 16.10.0014 | Software: KB | Category: NA

No enhancements were included in version 16.10.0014.

Version 16.10.0013 | Software: KB | Category: Enhancement in traffic tunneling and critical-role authentication

Added support in user roles to establish user-based tunneling that tunnels voice and data traffic selectively, and to authenticate critical-role users when the RADIUS server is unavailable.

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.10 and the Aruba 3810/5400R Management and Configuration Guide for AOS-S Switch 16.10 for more information.

Version 16.10.0013 | Software: KB | Category: Back Plane Stacking (BPS) and Virtual Switch Framework (VSF)

Added MIBs to display the count of total and operational members in a VSF and BPS stack. Refer to the Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Version 16.10.0012 | Software: KB | Category: Enhancement for show config and show running-config commands

Added a concise parameter that displays port-access and spanning-tree attributes in a consolidated format when executing the show config and show running-config commands.

Version 16.10.0012 | Software: KB | Category: Customization for SNMP Traps

Added support to enable SNMP traps for a specified event. This helps to filter out particular traps from all SNMP trap messages.

Syntax: snmp-server enable traps event-list <EVENT-LIST-STR>

Version 16.10.0012 | Software: KB | Category: Configuration for loop-protect receiver-action

Added the recv-disable parameter to the loop-protect receiver-action, which configures whether loop-protect blocks the receiving port when a loop is detected.

Syntax: no loop-protect <PORT-LIST> receiver-action [recv-disable]

Version 16.10.0012 | Software: KB | Category: Enhancement for tunneled-node-server command

Added support to maintain the current role of the User-Based Tunneling client on the switch instead of de-authenticating the client during controller maintenance. The client traffic flow resumes at the switch ingress port when the controller is reachable again.

NOTE: The client is de-authenticated if the controller is still not available after the configured maintenance period.

Version 16.10.0011 | Software: KB | Category: Performance improvements for show config command

Improved performance when executing the show config command.

Version 16.10.0011 | Software: KB | Category: Port Access Enhancement

Added support to format the MAC address in upper case for the Called and Calling Station IDs.

Refer to the Access Security Guide for more information.

Version 16.10.0011 | Software: KB | Category: Port Access Enhancement

Added support to include the Port VLAN information in the RADIUS Access-Request for all authentication types.

Refer to the Access Security Guide for more information.

Version 16.10.0011 | Software: KB | Category: AES 256-bit encryption for SNMP

Added support to enable AES 256-bit encryption for SNMP. Refer to the Management and Configuration Guide for more information.

Version 16.10.0011 | Software: KB | Category: Syslog Enhancement

Added support to configure a prefix string that is sent along with the switch IP address or hostname in the logs sent to Syslog servers. This helps to classify and group log entries based on the string value.

Syntax: logging prefix <ASCII-STR>

Refer to the Management and Configuration Guide for more information.

Version 16.10.0011 | Software: KB | Category: Stacking Enhancement

Added support to schedule a stack or chassis reboot.

Syntax: reload <after|at> [system]

Refer to the Management and Configuration Guide for more information.

Version 16.10.0010 | Software: KB | Category: Source interface option for Central connectivity

Added the option to specify the source interface or VLAN for Central connectivity. The existing ip source-interface command is enhanced to override the current configuration check for provisioning through Aruba Activate.

Refer to the Management and Configuration Guide for more information.

Version 16.10.0010 | Software: KB | Category: Device Profile Enhancement

Added support to allow more PoE devices to be connected to the switch by using poe-alloc-by-usage when using Device Profiles. Allocation can be based on either Usage or Class; the default allocation is based on Class.

Refer to the Management and Configuration Guide for more information.

Version 16.10.0010 | Software: KB | Category: TACACS Option

Added support for an FQDN (IPv4 only) when configuring a TACACS server, in addition to the existing support for an IP address.

Refer to the Access Security Guide for more information.

Version 16.10.0010 | Software: KB | Category: Support for OpenSSH 8.2

Added support to work with the default settings of OpenSSH 8.2 by choosing an inherently more secure algorithm as the switch default for SSH communication. Refer to the Access Security Guide for more information.

The list of new Host-Key algorithms is as follows:

  • rsa-sha2-512

  • rsa-sha2-256

The list of new SSH KEX algorithms is as follows:

  • ecdh-sha2-nistp521

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp256

  • diffie-hellman-group-exchange-sha256

Version 16.10.0010 | Software: KB | Category: Performance improvements for show running-config command

Improved performance when displaying large configurations.

Version 16.10.0010 | Software: KB | Category: RMON logging

Added RMON logging for failure events in SSH, Web UI, Syslog over TLS sessions, and X.509 certificate processing. Refer to the Event Log Message Reference Guide for more information.

Version 16.10.0009 | Software: KB | Category: Manager Password Enforcement

Added support for manager password enforcement, which ensures that the switch prompts the user to configure the manager password before any other feature is configured. If the manager password is not configured, the user has read-only access to the switch. This applies only to switches with the factory default configuration.

Refer to the Access Security Guide for more information.

Version 16.10.0009 | Software: KB | Category: REST API Payload Enhancement

Added support for a larger payload size on the REST API interfaces. The increased payload size for the 3810M and 54xxR platforms is 1024K.

Refer to the REST API Guide for more information.

Version 16.10.0009 | Software: KB | Category: Server Name Indication for TLS

Added support for Server Name Indication (SNI), a TLS extension defined in RFC 6066. This feature is enabled by default, so all TLS client applications on the switch include the SNI extension in the Client Hello they send.

Refer to the Access Security Guide for more information.

Version 16.10.0008 | Software: KB | Category: NA

Version 16.10.0008 was never released.

Version 16.10.0007 | Software: KB | Category: CLI

  • Added additional support for the pipe "|" option to grep for pattern matching in the output of CLI commands, such as:

    • A case-insensitive option to allow a case-insensitive pattern match

    • Up to four consecutive pattern matches in one CLI command

  • Added support for a per-session command, session wrap-text, to wrap column display in the CLI output when the length exceeds the column width. Refer to the Management and Configuration Guide for more information.

Version 16.10.0007 | Software: KB | Category: REST

Added the following REST enhancements:

  • Support for ARP table data.

  • Support for downloadable user-roles configuration.

  • Support for primary VLAN.

  • Support for reserved-vlan and clearpass options to configure dynamic segmentation.

  • REST API schema moved under device-rest-api/services/server.html. Refer to the REST API Guide for more information.

Version 16.10.0007 | Software: KB | Category: Transceivers

Added support for the following 1G and 10G TAA transceivers:

  • JL745A - Aruba 1G SFP LC SX 500m MMF TAA XCVR

  • JL746A - Aruba 1G SFP LC LX 10km SMF TAA XCVR

  • JL747A - Aruba 1G SFP RJ45 T 100m Cat5e TAA XCVR

  • JL748A - Aruba 10G SFP+ LC SR 300m MMF TAA XCVR

  • JL749A - Aruba 10G SFP+ LC LR 10km SMF TAA XCVR

Version 16.10.0007 | Software: KB | Category: Zero Touch Provisioning

Added support for the new Activate endpoint devices-v2.arubanetworks.com, which has the following two major differences compared to the old endpoint device.arubanetworks.com:

  • It uses the standard TLS handshake mechanism with mutual authentication.

  • It uses certificates issued by the HP CA for establishing TLS connections.

Zero Touch Provisioning (ZTP) improvements were made to handle situations such as unresponsive DNS servers.

Refer to the Management and Configuration Guide for more information.

Version 16.10.0006 | Software: KB | Category: NA

Version 16.10.0006 was never released.

Version 16.10.0005 | Software: KB | Category: NA

No enhancements were included in version 16.10.0005.

Version 16.10.0004 | Software: KB | Category: NA

Version 16.10.0004 was never released.

Version 16.10.0003 | Software: KB | Category: AAA

A new command, aaa accounting session-id include-switch-identity, was added. When this command is invoked, the accounting session ID for the network accounting type is generated from the Switch Base MAC, Client MAC, and Timestamp. The other accounting types (exec, system, commands) do not include a Client MAC, so their session ID is generated from the Switch Base MAC, Track ID, and Timestamp.

If the same client accesses the network from multiple switches, the accounting session ID can be duplicated. This caused issues in ClearPass, where client insertion into the database failed with an error similar to "Integrity Error: acct_id, calling_station_id violates check constraint". This new command alleviates that problem.

Version 16.10.0003 | Software: KB | Category: Device profile

Extended the device identification capability from matching only on the MAC OUI attribute to also matching on the System Name and System Description attributes.

Version 16.10.0003 | Software: KB | Category: RADIUS

This enhancement takes effect only if the CoA/Disconnect request carries a Message-Authenticator attribute. The Message-Authenticator attribute is used to verify the integrity (HMAC-MD5) of the RADIUS packet. It is an optional attribute in Access/CoA/Disconnect packets. If the received RADIUS packet carries this attribute, the receiver validates the integrity value and discards the packet if the value is incorrect.
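The following is an added example, not Aruba's code, showing what "validate the integrity value and discard the packet if it is incorrect" means for a CoA/Disconnect-Request: the receiver recomputes HMAC-MD5, keyed with the RADIUS shared secret, over the packet with the Message-Authenticator value zeroed (RFC 2869 / RFC 3579) and compares it in constant time. The packet builder, shared secret and attribute values are constructed for the demonstration; the choice to zero the Authenticator field when computing the HMAC for request packets other than Access-Request follows the FreeRADIUS implementation of RFC 5176 and is an assumption of this example. The Request Authenticator (MD5 over the packet plus secret, RFC 5176 section 2.3) is checked as well.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 5176) and attribute types (RFC 2865 / RFC 2869).
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80

SECRET = b"constructed-shared-secret"  # constructed for this example, not a real secret


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS Type/Length/Value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attributes(data):
    """Decode the attribute section, rejecting truncated or zero-length TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code, identifier, attrs, secret, message_authenticator=None):
    """Build a CoA/Disconnect-Request carrying a Message-Authenticator.

    With message_authenticator=None the correct HMAC is computed; passing a
    16-byte value plants that value instead (used below to show a failing check).
    """
    body = encode_attributes(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    if message_authenticator is None:
        # HMAC-MD5 keyed with the shared secret over Code, ID, Length, a zeroed
        # Authenticator field and the attributes with the Message-Authenticator
        # value zeroed (assumption: request packets other than Access-Request use
        # a zeroed Authenticator here, as FreeRADIUS implements RFC 5176).
        message_authenticator = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = encode_attributes(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, message_authenticator)])
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    request_authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_authenticator + body


def verify_request(packet, secret):
    """Return (accepted, reason); a wrong Message-Authenticator means discard."""
    if len(packet) < 20:
        return False, "packet shorter than the RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet) or length > 4096:
        return False, "Length field does not match the packet"
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, "not a CoA/Disconnect-Request"
    header, request_authenticator, body = packet[:4], packet[4:20], packet[20:]
    try:
        attrs = parse_attributes(body)
    except ValueError as exc:
        return False, str(exc)
    expected_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_ra, request_authenticator):
        return False, "Request Authenticator mismatch"
    ma_values = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not ma_values:
        return True, "accepted; no Message-Authenticator present, so no HMAC check applied"
    if len(ma_values) != 1 or len(ma_values[0]) != 16:
        return False, "malformed Message-Authenticator"
    # Recompute the HMAC over the packet with the Message-Authenticator value zeroed.
    zeroed = encode_attributes(
        [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    )
    expected_ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, ma_values[0]):
        return False, "Message-Authenticator mismatch; packet discarded"
    return True, "accepted; Message-Authenticator verified"


def demo():
    """Run the verifier on a valid request, a planted bad HMAC, a tampered packet and a wrong secret."""
    attrs = [
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),  # constructed client MAC
        (ATTR_ACCT_SESSION_ID, b"constructed-session-1"),
    ]
    good = build_request(DISCONNECT_REQUEST, 9, attrs, SECRET)
    bad_ma = build_request(DISCONNECT_REQUEST, 9, attrs, SECRET, message_authenticator=b"A" * 16)
    tampered = bytearray(good)
    tampered[22] ^= 0x01  # flip one bit inside the Calling-Station-Id value
    return {
        "good": verify_request(good, SECRET),
        "bad_ma": verify_request(bad_ma, SECRET),
        "tampered": verify_request(bytes(tampered), SECRET),
        "wrong_secret": verify_request(good, b"other-secret"),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:13s} accepted={accepted} ({reason})")
```

The planted-HMAC case is the one the enhancement describes: the Request Authenticator is valid, the attribute is present, and only the Message-Authenticator value is wrong, so the packet is discarded rather than acted on. hmac.compare_digest is used for both comparisons so that the verifier does not leak timing information about how many bytes matched.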

Version 16.10.0002 | Software: KB | Category: NA

No enhancements were included in version 16.10.0002.

Version 16.10.0001 | Software: KB | Category: NA

No enhancements were included in version 16.10.0001.