Enhancements
This section lists enhancements added to this branch of the software.
Software enhancements are listed in reverse-chronological order, with the newest at the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.
Version | Software | Description | Category |
---|---|---|---|
16.10.0025 | YA/YB | Support for https-based firmware downloads from Aruba Central has been added. A trust anchor for verifying the firmware repository server certificate has been embedded in the firmware. Updates were made to verify the Subject Alternative Name (SAN) from the server certificate and to limit the newly added trust anchor to https-based firmware downloads only. | Central Integration |
16.10.0024 | YA/YB | No enhancements were included in version 16.10.0024. | NA |
16.10.0023 | YA/YB | No enhancements were included in version 16.10.0023. | NA |
16.10.0022 | YA/YB | The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST. When an unauthorized client connects via the OOBM port, the existing behaviour remains unchanged. | Security |
16.10.0021 | YA/YB | No enhancements were included in version 16.10.0021. | NA |
16.10.0020 | YA/YB | No enhancements were included in version 16.10.0020. | NA |
16.10.0019 | YA/YB | No enhancements were included in version 16.10.0019. | NA |
16.10.0018 | YA/YB | No enhancements were included in version 16.10.0018. | NA |
16.10.0017 | YA/YB | TCP timestamps are an extension to the original TCP stack that was introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or other tool, an attacker can observe the TCP timestamp and determine the system uptime to gain information about the operational state of the system. To avoid such risks, a new command A MIB has also been added to enable or disable the randomization of TCP timestamp offsets. Refer to the Aruba 2530 Management and Configuration Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information. | Security |
16.10.0016 | YA/YB | Added support for the new SSH data integrity algorithm hmac-sha2-256, which is defined in RFC 6668. Refer to the Aruba 2530 Access Security Guide for AOS-S Switch 16.10 and Aruba 2530 IPv6 Configuration Guide for AOS-S Switch 16.10 for more information. | SSH |
16.10.0016 | YA/YB | Added support to configure the size of the EAP-TLS fragments sent from the switch to the RADIUS server. Configuring the EAP-TLS fragment size based on the MTU of the network avoids IP fragmentation in the network, so fragmented packets are not dropped by the firewall or gateways. Added a MIB to indicate the maximum size of the EAP-TLS fragment sent to the RADIUS server. Refer to the Aruba 2530 Access Security Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information. | EAP-TLS Fragmentation |
16.10.0015 | YA/YB | This release brings the ability for REST clients to use RADIUS/TACACS+ for authorization instead of using per-switch passwords. This ability has the following limitation: when RADIUS is used for REST authorization, the VSAs HP-URI-String, HP-URI-Access, HP-URI-Exception, and HP-URI-Json-String should be configured in the correct order for each URI to be authorized. The RADIUS server should also send the VSAs in RADIUS ACCESS ACCEPT in the same order as they are configured. If the RADIUS server does not maintain the order of the VSAs when sending RADIUS ACCESS ACCEPT, the switch cannot use the authorization data. As a result, the authentication/authorization of the REST user fails. Refer to the Aruba REST API for AOS-S Switch 16.10 for more information. | AAA for REST Interface |
16.10.0014 | YA/YB | No enhancements were included in version 16.10.0014. | NA |
16.10.0013 | YA/YB | No enhancements were included in version 16.10.0013. | NA |
16.10.0012 | YA/YB | Added | Enhancement for |
16.10.0012 | YA/YB | Added support to enable SNMP traps for a specified event. This helps to filter out particular traps from all SNMP trap messages. Syntax: | Customization for SNMP Traps |
16.10.0012 | YA/YB | Added Syntax: | Configuration for loop-protect receiver-action |
16.10.0011 | YA/YB | Added support to format MAC address in upper case for the Called and Calling Station IDs. Refer to the Access Security Guide for more information. | Port Access Enhancement |
16.10.0011 | YA/YB | Added support to include the Port VLAN information in RADIUS access request for all authentication types. Refer to the Access Security Guide for more information. | Port Access Enhancement |
16.10.0011 | YA/YB | Added support to enable AES 256-bit encryption for SNMP. Refer to the Management and Configuration Guide for more information. | AES 256-bit encryption for SNMP |
16.10.0011 | YA/YB | Added support to configure a prefix string along with the switch IP address or hostname in the logs sent to the Syslog servers. This helps to classify and group log entries based on the string value. Syntax: Refer to the Management and Configuration Guide for more information. | Syslog Enhancement |
16.10.0010 | YA/YB | Added support to provide the option to specify the source interface or VLAN for Central connectivity. The existing IP source-interface command is enhanced to override current configuration check for provisioning using Aruba Activate. Refer to the Management and Configuration Guide for more information. | Source interface option for Central connectivity |
16.10.0010 | YA/YB | Added support to allow more PoE devices to be connected to the switch by using Refer to the Management and Configuration Guide for more information. | Device Profile Enhancement |
16.10.0010 | YA/YB | Added support to work with the default setting in OpenSSH 8.2 by choosing an inherently more secure algorithm as the default on the switch for SSH communication. Refer to the Access Security Guide for more information. The list of new Host-Key algorithms are as follows: The list of new SSH KEX algorithms are as follows: | Support for OpenSSH 8.2 |
16.10.0009 | YA/YB | Added support for the manager password enforcement to ensure that the switch prompts the user to configure the manager password on the switch before configuring any other features. If the manager password is not configured, then the user will have read-only access to the switch. This is applicable only to switches with factory default configuration. Refer to the Access Security Guide for more information. | Manager Password Enforcement |
16.10.0009 | YA/YB | Added support to enhance the payload size for the REST API interfaces. The increased payload size for 2530 YA/YB platforms is 64K. Refer to the REST API Guide for more information. | REST API Payload Enhancement |
16.10.0009 | YA/YB | Added support for Server Name Indication (SNI), which is a TLS extension defined in RFC 6066. This feature is enabled by default to include the SNI extension in the Client Hello sent from the switch to all the TLS client applications. Refer to the Access Security Guide for more information. | Server Name Indication for TLS |
16.10.0008 | YA/YB | Version 16.10.0008 was never released. | NA |
16.10.0007 | YA/YB | Refer to the Management and Configuration Guide for more information. | CLI |
16.10.0007 | YA/YB | Added support for monitoring authenticated devices with static IP address using the following CLI command: Refer to the Access Security Guide for more information. | Client Visibility |
16.10.007 | YA/YB | Added the following REST enhancements: Refer to the REST API Guide for more information. | REST |
16.10.0007 | YA/YB | Added support for the new activate endpoint Zero Touch Provisioning (ZTP) improvements were made to deal with situations such as unresponsive DNS servers. Refer to the Management and Configuration Guide for more information. | Zero Touch Provisioning |
16.10.0006 | YA/YB | Version 16.10.0006 was never released. | NA |
16.10.0005 | YA/YB | Version 16.10.0005 was never released. | NA |
16.10.0004 | YA/YB | Version 16.10.0004 was never released. | NA |
16.10.0003 | YA/YB | New command If the same client is accessing the network from multiple switches, then the accounting session ID can be duplicated. This caused issues in ClearPass Policy Manager where client insertion in the database failed with an error similar to Integrity Error: | AAA |
16.10.0003 | YA/YB | This enhancement will only be in effect if the CoA/Disconnect request has a message authenticator attribute in the request packet. The message authenticator attribute is used to verify the integrity (HMAC-MD5) of the RADIUS packet. This is an optional attribute in the Access/CoA/Disconnect packet. If the received RADIUS packet has this attribute, the receiver will validate the integrity value and discard the packet if the value is incorrect. | RADIUS |
16.10.0002 | YA/YB | No enhancements were included in version 16.10.0002. | NA |
16.10.0001 | YA/YB | No enhancements were included in version 16.10.0001. | NA |
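
The Message-Authenticator check described in the 16.10.0003 RADIUS entry, shown as an added example that is not the switch's own code: per RFC 5176, the HMAC-MD5 of a CoA-Request or Disconnect-Request is computed with both the Request Authenticator field and the Message-Authenticator value treated as 16 zero octets. The function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40  # RADIUS codes (RFC 5176)
MESSAGE_AUTHENTICATOR = 80                # attribute type; value is 16 octets


def find_message_authenticator(packet: bytes, length: int):
    """Walk the attribute TLVs; return the offset of the 16-octet value or None."""
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets long")
            return pos + 2
        pos += attr_len
    return None


def check_request(packet: bytes, secret: bytes) -> str:
    """Return 'accept', 'discard', or 'no-attribute' for a CoA/Disconnect request."""
    if len(packet) < 20 or packet[0] not in (COA_REQUEST, DISCONNECT_REQUEST):
        raise ValueError("not a CoA-Request or Disconnect-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    off = find_message_authenticator(packet, length)
    if off is None:
        return "no-attribute"  # the attribute is optional; nothing to validate
    zeroed = bytearray(packet[:length])
    zeroed[4:20] = bytes(16)          # Request Authenticator counted as zeros
    zeroed[off:off + 16] = bytes(16)  # Message-Authenticator counted as zeros
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "accept" if hmac.compare_digest(packet[off:off + 16], expected) else "discard"


def build_sample(code: int, secret: bytes) -> bytes:
    """Constructed sample: User-Name 'alice' followed by Message-Authenticator."""
    attrs = bytes([1, 7]) + b"alice" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Request Authenticator, set last
    return bytes(pkt)
```

A request whose User-Name byte is altered in transit, or one signed with a different shared secret, comes back as `discard`; a request without the attribute comes back as `no-attribute`, matching the entry's statement that the check applies only when the attribute is present.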