Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest at the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Table 1: Enhancements

Columns: Version | Software | Description | Category

16.10.0025

YC

Support for https-based firmware downloads from Aruba Central has been added.

A trust anchor for verifying the firmware repository server certificate has been embedded in the firmware. The switch now verifies the Subject Alternative Name (SAN) in the server certificate, and the newly added trust anchor is restricted to https-based firmware downloads only.

Central Integration

16.10.0024

YC

No enhancements were included in version 16.10.0024.

NA

16.10.0023

YC

No enhancements were included in version 16.10.0023.

NA

16.10.0022

YC

The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST.

NOTE:

When an unauthorized client connects via the OOBM port, the existing behaviour remains unchanged.

Security

16.10.0021

YC

No enhancements were included in version 16.10.0021.

NA

16.10.0020

YC

No enhancements were included in version 16.10.0020.

NA

16.10.0019

YC

No enhancements were included in version 16.10.0019.

NA

16.10.0018

YC

No enhancements were included in version 16.10.0018.

NA

16.10.0017

YC

TCP timestamps are an extension to the original TCP stack that was introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or similar tool, an attacker can observe the TCP timestamp values and infer the system uptime, which reveals information about the operational state of the system.

To avoid this risk, a new command, ip tcp randomize-timestamp, has been introduced to randomize the TCP timestamp offset per connection. Once the command is issued, all newly established TCP sessions use a random offset along with the timestamp.

A MIB has also been added to enable or disable the randomization of TCP timestamp offsets.

Refer to the Aruba 2540 Management and Configuration Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

Security

16.10.0016

YC

Added support for the new SSH data integrity algorithm hmac-sha2-256, which is defined in RFC 6668.

Refer to the Aruba 2540 Access Security Guide for AOS-S Switch 16.10 and Aruba 2540 IPv6 Configuration Guide for AOS-S Switch 16.10 for more information.

SSH

16.10.0016

YC

Added support to configure the size of the EAP-TLS fragments sent from the switch to the RADIUS server. Configuring the EAP-TLS fragment size based on the network MTU avoids IP fragmentation, so the fragments are not dropped by firewalls or gateways.

Added a MIB to indicate the maximum size of the EAP-TLS fragment sent to the RADIUS server.

Refer to the Aruba 2540 Access Security Guide for AOS-S Switch 16.10 and Aruba MIB and Trap Support Matrix for AOS-S Switch 16.10 for more information.

EAP-TLS Fragmentation

16.10.0015

YC

No enhancements were included in version 16.10.0015.

NA

16.10.0014

YC

No enhancements were included in version 16.10.0014.

NA

16.10.0013

YC

No enhancements were included in version 16.10.0013.

NA

16.10.0012

YC

Added a concise parameter to display port-access and spanning-tree attributes in a consolidated format when executing the show config and show running-config commands.

Enhancement for show config and show running-config commands

16.10.0012

YC

Added support to enable SNMP traps for a specified event. This helps to filter out particular traps from all SNMP trap messages.

Syntax: snmp-server enable traps event-list <EVENT-LIST-STR>

Customization for SNMP Traps

16.10.0012

YC

Added the recv-disable parameter to control whether loop-protect blocks the receiving port when a loop is detected.

Syntax: no loop-protect <PORT-LIST> receiver-action [recv-disable]

Configuration for loop-protect receiver-action

16.10.0011

YC

Added support to format MAC address in upper case for the Called and Calling Station IDs.

Refer to the Access Security Guide for more information.

Port Access Enhancement

16.10.0011

YC

Added support to include the Port VLAN information in RADIUS access request for all authentication types.

Refer to the Access Security Guide for more information.

Port Access Enhancement

16.10.0011

YC

Added support to enable AES 256-bit encryption for SNMP.

Refer to the Management and Configuration Guide for more information.

AES 256-bit encryption for SNMP

16.10.0011

YC

Added support to configure a prefix string along with the switch IP address or hostname in the logs sent to the Syslog servers. This helps to classify and group log entries based on the string value.

Syntax: logging prefix <ASCII-STR>

Refer to the Management and Configuration Guide for more information.

Syslog Enhancement

16.10.0010

YC

Added an option to specify the source interface or VLAN for Central connectivity. The existing IP source-interface command is enhanced to override the current configuration check for provisioning using Aruba Activate.

Refer to the Management and Configuration Guide for more information.

Source interface option for Central connectivity

16.10.0010

YC

Added support to allow more PoE devices to be connected to the switch by using poe-alloc-by-usage with Device Profiles. Allocation can be based on either Usage or Class; the default allocation is based on Class.

Refer to the Management and Configuration Guide for more information.

Device Profile Enhancement

16.10.0010

YC

Added support for interoperating with the default settings of OpenSSH 8.2 by choosing an inherently more secure algorithm as the switch default for SSH communication. Refer to the Access Security Guide for more information.

The new host-key algorithms are as follows:

  • rsa-sha2-512
  • rsa-sha2-256

The new SSH KEX algorithms are as follows:

  • ecdh-sha2-nistp521
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp256
  • diffie-hellman-group-exchange-sha256

Support for OpenSSH 8.2

16.10.0009

YC

Added support for the manager password enforcement to ensure that the switch prompts the user to configure the manager password on the switch before configuring any other features. If the manager password is not configured, then the user will have read-only access to the switch. This is applicable only to switches with factory default configuration.

Refer to the Access Security Guide for more information.

Manager Password Enforcement

16.10.0009

YC

Added support to enable MAC pinning. This feature allows administrators to let clients stay authenticated to the switch by disabling the log-off period associated with the client.

Refer to the Access Security Guide for more information.

MAC Pinning

16.10.0009

YC

Added support to enhance the payload size for the REST API interfaces. The increased payload size for 3810M and 54xxR platforms is 1024K.

Refer to the REST API Guide for more information.

REST API Payload Enhancement

16.10.0009

YC

Added support for Server Name Indication (SNI), a TLS extension defined in RFC 6066. This feature is enabled by default and includes the SNI extension in the Client Hello sent by all TLS client applications on the switch. Refer to the Access Security Guide for more information.

Server Name Indication for TLS

16.10.0008

YC

Version 16.10.0008 was never released.

NA

16.10.0007

YC

  • Added support for the pipe "|" option to filter CLI command output by pattern match (grep), including:
    • A case-insensitive option to allow a case-insensitive pattern match
    • Up to four consecutive pattern matches in one CLI command
  • Added a per-session command, session wrap-text, to wrap the column display in CLI output when its length exceeds the column width.

Refer to the Management and Configuration Guide for more information.

CLI

16.10.0007

YC

Added the following REST enhancements:

  • Support for ARP table data.
  • Support for primary VLAN.
  • Support for reserved-vlan and clearpass options to configure dynamic segmentation.
  • REST API schema moved under device-rest-api/services/server.html.

Refer to the REST API Guide for more information.

REST

16.10.0007

YC

Added support for the new Activate endpoint devices-v2.arubanetworks.com, which differs from the old endpoint device.arubanetworks.com in two major ways:

  • It uses the standard TLS handshake mechanism with mutual authentication.
  • It uses certificates issued by the HP CA for establishing TLS connections.

Zero Touch Provisioning (ZTP) improvements were made to deal with situations such as unresponsive DNS servers. Refer to the Management and Configuration Guide for more information.

Zero Touch Provisioning

16.10.0006

YC

Version 16.10.0006 was never released.

NA

16.10.0005

YC

Version 16.10.0005 was never released.

NA

16.10.0004

YC

Version 16.10.0004 was never released.

NA

16.10.0003

YC

The new command aaa accounting session-id include-switch-identity was added. When this command is invoked, the accounting session ID for the network accounting type is generated from the switch base MAC, client MAC, and timestamp. The other accounting types (exec, system, commands) do not include a client MAC, so their session ID is generated from the switch base MAC, track ID, and timestamp.

If the same client accesses the network from multiple switches, the accounting session ID can be duplicated. This caused issues in ClearPass Policy Manager, where client insertion in the database failed with an error similar to "Integrity Error: acct_id, calling_station_id violates check constraint". This new command alleviates that problem.

AAA

16.10.0003

YC

This enhancement takes effect only if the CoA/Disconnect request contains a Message-Authenticator attribute. The Message-Authenticator attribute is an HMAC-MD5 over the RADIUS packet and is used to verify the packet's integrity. It is an optional attribute in Access/CoA/Disconnect packets. If the received packet includes this attribute, the receiver validates the integrity value and discards the packet if the value is incorrect.

RADIUS
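The Message-Authenticator check described above, as an added Python example that is not part of these release notes or of the switch firmware: it builds a constructed CoA-Request with a placeholder shared secret, validates it the way a receiver would, and shows that a packet altered in transit fails the check. The signing order (Message-Authenticator computed with the Authenticator field zeroed, as FreeRADIUS does) is an assumption, since the page does not specify it.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                  # RFC 5176 packet code (Disconnect-Request is 40)
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: 16-octet HMAC-MD5 over the packet

def attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type(1), Length(1, header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Sign a CoA-Request. Assumed order (FreeRADIUS convention; not stated on the
    page): Message-Authenticator = HMAC-MD5 over the packet with the Authenticator
    field and MA value zeroed; then Request Authenticator = MD5(packet + secret)."""
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    zero_hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body)) + b"\x00" * 16
    ma = hmac.new(secret, zero_hdr + body, hashlib.md5).digest()
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    return zero_hdr[:4] + hashlib.md5(zero_hdr + body + secret).digest() + body

def parse_attrs(packet: bytes):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Receiver-side check: if Message-Authenticator is present, recompute it with
    the Authenticator field and MA value zeroed and compare in constant time."""
    for off, atype, value in parse_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = (packet[:4] + b"\x00" * 16 + packet[20:off + 2]
                      + b"\x00" * 16 + packet[off + 18:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)   # False -> discard packet
    return True   # attribute absent: it is optional, so the check does not apply
# Constructed sample: a signed CoA-Request and a copy whose User-Name was altered
# in transit (same length, so only the keyed integrity value disagrees)
SECRET = b"example-shared-secret"   # placeholder, not a deployment value
COA = build_coa_request(SECRET, 7, attr(ATTR_USER_NAME, b"user1")
                        + attr(ATTR_ACCT_SESSION_ID, b"0001"))
TAMPERED = COA[:22] + b"user2" + COA[27:]   # User-Name value starts at offset 22
```

Without the shared secret, an attacker who changes any attribute cannot produce a matching Message-Authenticator, which is why the receiver discards such packets instead of acting on them.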

16.10.0002

YC

An event is added to the log when the switch experiences an over temperature condition.

Event Log

16.10.0001

YC

No enhancements were included in version 16.10.0001.

NA