Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Table 1: Enhancements

Version

Software

Description

Category

16.10.0024

WB

No enhancements were included in version 16.10.0024.

NA

16.10.0023

WB

No enhancements were included in version 16.10.0023.

NA

16.10.0022

WB

Added support to configure the size of the EAP-TLS fragments sent from the switch to the RADIUS server. Setting the EAP-TLS fragment size according to the MTU of the network avoids IP fragmentation, so firewalls or gateways that drop fragmented packets do not discard the traffic.

Added a MIB to indicate the maximum size of the EAP-TLS fragment sent to the RADIUS server.

Refer to the Aruba 2920 Access Security Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

EAP-TLS Fragmentation

16.10.0022

WB

The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST.

NOTE:

When an unauthorized client connects via the OOBM port, the existing behaviour remains unchanged.

Security

16.10.0021

WB

No enhancements were included in version 16.10.0021.

NA

16.10.0020

WB

No enhancements were included in version 16.10.0020.

NA

16.10.0019

WB

No enhancements were included in version 16.10.0019.

NA

16.10.0018

WB

No enhancements were included in version 16.10.0018.

NA

16.10.0017

WB

TCP timestamps are an extension to the original TCP stack that was introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or other tool, an attacker can observe the TCP timestamp and determine the system uptime to gain information about the operational state of the system.

To avoid such risks, a new command ip tcp randomize-timestamp has been introduced to randomize the TCP timestamp offsets per connection. Once the command is issued, all newly established TCP sessions will use a random offset along with the timestamp.

A MIB has also been added to enable or disable the randomization of TCP timestamp offsets.

Refer to the Aruba 2920 Management and Configuration Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Security

16.10.0016

WB

No enhancements were included in version 16.10.0016.

NA

16.10.0015

WB

No enhancements were included in version 16.10.0015.

NA

16.10.0014

WB

No enhancements were included in version 16.10.0014.

NA

16.10.0013

WB

No enhancements were included in version 16.10.0013.

NA

16.10.0012

WB

No enhancements were included in version 16.10.0012.

NA

16.10.0011

WB

No enhancements were included in version 16.10.0011.

NA

16.10.0010

WB

No enhancements were included in version 16.10.0010.

NA

16.10.0009

WB

Added support to configure probe delay for the IP Client Tracker:

ip client-tracker probe-delay <INTERVAL>

Refer to the Access Security Guide for more information.

Probe Delay for Client Tracker

16.10.0009

WB

Added support for the following RADIUS enhancements:

  • Support to configure RadSec server as FQDN.

  • Support to configure per-port RADIUS server group for MAC authentication.

  • Support for automatic download of the certificate required to establish a secure connection (HTTPS) with the ClearPass Policy Manager server.

Refer to the Access Security Guide for more information.

RADIUS Enhancement

16.10.0008

WB

Version 16.10.0008 was never released.

NA

16.10.0007

WB

  • Added additional support for the pipe "|" option to grep for pattern matches in the output of CLI commands, such as:

    • Case-insensitive option to allow a case-insensitive pattern match

    • Up to four consecutive pattern matches in one CLI command

  • Added support for a per-session command, using the session wrap-text option, to wrap the column display in the CLI output when its length exceeds the column width.

Refer to the Management and Configuration Guide for more information.

CLI

16.10.0007

WB

Added the following REST enhancements:

  • Support for ARP table data.

  • Support for primary VLAN.

  • Support for reserved-vlan and clearpass options to configure dynamic segmentation.

  • REST API schema moved under device-rest-api/services/server.html.

Refer to the REST API Guide for more information.

REST

16.10.0007

WB

Added support for the new activate endpoint devices-v2.arubanetworks.com which has the following two major differences compared to the old endpoint device.arubanetworks.com:

  • It works on the standard TLS handshake mechanism and uses mutual authentication.

  • It uses certificates issued by HP CA for establishing TLS connections.

Zero Touch Provisioning (ZTP) improvements were made to deal with situations such as unresponsive DNS servers. Refer to the Management and Configuration Guide for more information.

Zero Touch Provisioning

16.10.0006

WB

Version 16.10.0006 was never released.

NA

16.10.0005

WB

No enhancements were included in version 16.10.0005.

NA

16.10.0004

WB

Version 16.10.0004 was never released.

NA

16.10.0003

WB

No enhancements were included in version 16.10.0003.

NA

16.10.0002

WB

No enhancements were included in version 16.10.0002.

NA

16.10.0001

WB

No enhancements were included in version 16.10.0001.

NA
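
Added example (not part of the release notes or of any Aruba tooling): a check for the TCP timestamp randomization described under version 16.10.0017, deciding whether TSval values taken from separate new connections still share one clock origin (uptime is recoverable) or carry per-connection offsets. The tick rate hz, the tolerance and all sample values are assumptions constructed for illustration.

```python
# Added example: do TSval samples from separate connections share one clock origin?
TS_MOD = 2 ** 32  # TSval is a 32-bit counter (RFC 7323)


def offsets_randomized(samples, hz, tolerance_s=2.0):
    """samples: one (observation_time_s, tsval) pair per newly opened connection.

    Returns True when the clock origins implied by the samples disagree by
    more than tolerance_s, i.e. TSval no longer tracks a shared uptime counter.
    hz is the assumed timestamp tick rate of the device under test.
    """
    if len(samples) < 3:
        raise ValueError("need at least three connections to judge")
    period = TS_MOD / hz  # seconds until the 32-bit counter wraps
    # Time at which each connection's timestamp clock would have read zero.
    origins = [t - (v % TS_MOD) / hz for t, v in samples]
    # Compare origins modulo the wrap period, so a counter that wrapped
    # between two samples is not mistaken for a random offset.
    ref = origins[0]
    diffs = [((o - ref + period / 2) % period) - period / 2 for o in origins]
    return (max(diffs) - min(diffs)) > tolerance_s


HZ = 1000          # assumed tick rate, not taken from the release notes
BOOT = 1_000_000.0  # constructed boot time (seconds)

# Constructed: randomization off, every connection exposes the same counter.
FIXED_SAMPLES = [
    (BOOT + 3600.0, 3_600_000),
    (BOOT + 3605.5, 3_605_500),
    (BOOT + 3611.0, 3_611_000),
]

# Constructed: same moments, but each connection adds its own offset.
RANDOMIZED_SAMPLES = [
    (BOOT + 3600.0, (3_600_000 + 0x3A5F91C2) % TS_MOD),
    (BOOT + 3605.5, (3_605_500 + 0xB7E01144) % TS_MOD),
    (BOOT + 3611.0, (3_611_000 + 0x12C4D9F0) % TS_MOD),
]

# Constructed: randomization off, counter wraps between first and second sample.
WRAP_SAMPLES = [
    (4_294_960.0, 4_294_960_000),
    (4_294_970.0, 4_294_970_000 % TS_MOD),
    (4_294_975.0, 4_294_975_000 % TS_MOD),
]

if __name__ == "__main__":
    for name, s in [("fixed", FIXED_SAMPLES), ("randomized", RANDOMIZED_SAMPLES),
                    ("wrapped", WRAP_SAMPLES)]:
        print(name, "-> offsets randomized:", offsets_randomized(s, HZ))
```

Samples must come from distinct new TCP sessions, because the release note states that only newly established sessions pick up the random offset.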