What's New in AOS 10.4
New Features
The following sections provide an overview of the new features added in the ArubaOS 10.4 release.
Microbranch or Campus AP
6 GHz Configuring Support
The following 6 GHz related support is introduced in Aruba Central:
- Aruba Central supports configuring the 6 GHz band wireless SSIDs, radio profiles, and device parameters for the access points running ArubaOS 10.4.0.0.
For more information, see the following topics:
- Aruba Central allows you to set the , , and for the 6 GHz radio profiles on Radios > RF Coverage page for access points running ArubaOS 10.4.0.0.
For more information, see Configuring Radio Parameters.
The 6 GHz band is only supported for devices with 6 GHz capability.
AirGroup Custom Services
AirGroup allows administrators to define and add custom services in addition to the seven predefined services. This feature is available only for advanced subscriptions.
For more information, see AirGroup.
AirGroup Support for Wired Devices
AirGroup supports wired devices in underlay deployments.
For more information, see AirGroup.
AirMatch Channel Quality Metric
The AirMatch channel quality metric enhances the channel computation during high retry-rate conditions, non-WiFi interference, MAC error, or PHY error conditions. Based on the channel quality metric, AirMatch avoids the impacted channels for a predefined period of time.
For more information, see Enabling Channel Quality Metric.
AirMatch Threshold per Band
AirMatch supports per band thresholds at the global configuration level. The AirMatch thresholds can be defined separately for 2.4 GHz, 5 GHz, and 6 GHz radios.
For more information, see Configuring per Band AirMatch Threshold.
AirMatch 160 MHz Support
AirMatch supports 160 MHz bandwidth on the 5 GHz and 6 GHz radios of access points.
For more information, see AirMatch.
AP1X Certificate Support
Aruba Central now supports AP1X CA and AP1X Client Cert certificate types on access points running ArubaOS 10.4.0.0.
For more information, see Mapping Access Point Certificates.
BLE Beacons Configuration and Monitoring Support
Aruba Central supports the configuration and monitoring of Access Points' BLE beacons. This is applicable to access points running AOS 10.4.0.0.
BLE Beacon Service Profiles (configuration) can be configured through the Devices > Access Points > Config > IoT page.
Monitoring of the AP BLE Beacons can be done through the Devices > Access Points > List view page.
For more information, see BLE Beacons Table.
Channel Quality Threshold Support
Aruba Central allows you to set the range between 0 to 100% on Radios > RF Coverage page for access points running ArubaOS 10.4.0.0.
For more information, see Configuring Radio Parameters.
Device Provisioning Protocol (DPP) Support
Aruba Central supports enabling the Device Provisioning Protocol (DPP) on Wireless > Radios > RF Coverage page.
For more information, see Configuring Radio Parameters.
Live Packet Capture Supported for Wireless Clients
Aruba Central now supports live packet capture for wireless clients connected to APs running ArubaOS 10.4.0.0.
For more information, see Packet Capture.
Manually set Data Center Preferences
You can configure a primary hub for a Microbranch group.
For more information, see Configuring Manual Data Center Preferences.
Microbranch Alert
A Route-Table-Limit alert is generated when the route entries in the routing table on Microbranch exceed 80% of the capacity. For more information, see Access Points > Overview > Routing.
Microbranch Deployment in SD-Branch Overlay Network
The Overlay Tunnel Orchestrator and Overlay Route Orchestrator pages now also display Microbranch deployments on SD-Branch Overlay network in the WebUI.
Under Manage, click Network Services > SD-WAN Overlay to view the Overlay Tunnel Orchestrator and Overlay Route Orchestrator topology pages consisting of Microbranch deployments. The VPNC groups and Branch groups tabs are now replaced with Hubs and Spokes in the WebUI.
For more information, see the following topics:
- Overlay Tunnel Orchestrator in Map View
- Overlay Tunnel Orchestrator in Grid View
- Overlay Route Orchestrator in Map View
- Overlay Route Orchestrator in Grid View
Pointer Records in DDNS Updates
Aruba Central supports updating of Pointer Records (PTR) by Dynamic DNS (DDNS) clients, along with the A (host) records in AP and DL3 DHCP profile. A DDNS PTR resolves an IP address to a fully-qualified domain name (FQDN) and ensures that the IP address of the AP officially connects to the host. Under Manage, click Devices > Access Points and navigate to the Services or LAN sections in the WebUI to configure the DDNS PTR feature.
For more information, see Configuring Dynamic DNS for Microbranch.
Resource Management Information Element (RRM IE) Profiles support
Aruba Central supports the Radio Resource Management Information Element (RRM IE) profiles advertised by the AP. You can configure the RRM IE profiles on the > WebUI page.
For more information, see Configuring RRM IE Profile.
You can assign the RRM IE profiles to the radio profiles on the Wireless > Radios > WebUI page.
For more information, see Configuring Radio Parameters.
Support for SHA2-256 Hash of IPSec keys for Microbranch/WLAN Overlay
All Microbranch/WLAN overlay tunnels between devices that support SHA2-256 automatically switch to using the SHA2-256 authentication algorithm, provided that both the tunnel endpoints (APs or Gateways) are running AOS 10.4 or above.
For more information, see Tunnels.
Campus AP or SD Branch
AAA Password Policy for New Management User
Your company might want to enforce a best practices password policy for management users with root access to network equipment. For more information about the AAA password policy for new management users, see Implementing Specific AAA Password Policy.
Aruba USB-LTE Modem Support
Support for Aruba USB-LTE modem is added for the following APs:
- AP-303H, AP-303HR, AP-304, AP-305, AP-314, AP-315, AP-324, AP-325, AP-334, AP-335
- AP-504, AP-505, AP-505H, AP-505HR, AP-514, AP-515, AP-534, AP-535, AP-555, AP-635, AP-655
The following enhancements are made on Microbranch:
- LTE Uplink Configuration - A new set of configuration parameters is added to configure an LTE uplink for Aruba and third-party modem models. For more information, see Configuring the WAN Uplink and Configuring Uplinks.
- Support for monitoring 4G/LTE Modem type and Status - Information regarding 4G/LTE Modem Type and 4G/LTE Modem Status is displayed in the Network section of the AP dashboard. For more information, see Network.
Support for Aruba USB-LTE modem is added for the following Gateways:
- 7000 Series
- 9004
- 9012
Bypassing IDPS Inspection for Large Dataflows
The Bypass Inspection for Large Dataflows toggle switch is added to the > tab. For more information, see Managing Rules in Aruba IDPS Policies.
Firmware Upgrade Recommendations for Access Points Using AIOps
Aruba Central now uses an AIOps-based firmware recommendation for access points. The AIOps recommender engine provides a firmware version that is valid, safe, and optimal for the networking needs of the user. It learns and determines patterns from the last six months of data to recommend the optimal firmware version for the varying networking needs of a user.
For more information, see:
Introduction of Remark-Only ACLs
When configuring session ACLs, network administrators can now select a new type of action: Remark-Only. With this action, traffic inspection continues after the QoS remarking, so the traffic can be allowed or denied by subsequent ACE entries belonging to the same policy or to another policy that is part of the same user role.
In the Basic mode, Aruba Central supports bundling all the remark-only ACLs into a single QoS policy. When you configure a QoS policy for a user role with remark-only ACLs, all the remark-only ACLs will be bundled into a single QoS policy.
For more information, see Configuring a QoS Policy.
Aruba recommends leaving all QoS remarking policies in the highest positions in any given role or firewall policies. This gives network administrators looking at the policies a clear view of which policies are dedicated to QoS and which are dedicated to security enforcement.
For more information, see Creating a Firewall Policy for Network Services.
Enhancements
The following sections provide an overview of the enhancements introduced in the AOS 10.4 release.
Microbranch or Campus AP
Filtering Capability on Access Points List
Aruba Central allows you to filter the , , WLANs, and Radio Profile in the access points table on Access Points > List page.
For more information, see Monitoring APs in List View.
PPPoE support for Microbranch
Point-to-Point Protocol over Ethernet (PPPoE) is now supported for Microbranch. For more information, see Configuring PPPoE.
TACACS/RADIUS Based Authentication Support
The Authentication Server with fallback to Internal when timeout authentication option is supported on System > Administrator WebUI page of Microbranch in Aruba Central.
For more information, see Configuring User Accounts in Microbranch and Configuring Users Accounts for the AP Management Interface.
USB-based IoT Device Support
Aruba Central now supports USB-based IoT devices on APs running AOS 10.4.0.0. USB devices plugged into the AP are enabled and managed via an app installed within IoT Operations. For more information, see IoT Operations.
Apps for USB-based IoT devices available with 10.4/2.5.6 include: EnOcean, Hanshow, Solu-M, Amberbox, and Piera.
UTB Filter Block
On the System > Properties WebUI page in Aruba Central, UTB Filter Block is now supported, which allows you to control the band on which the UTB limitation is applied in the regulatory-domain-profile.
For more information, see Configuring Properties for Microbranch.
Campus AP or SD Branch
Audit Trail Tab Includes Cloud Connect Logs
The Audit Trail tab now includes the Cloud Connect configuration and device logs for SD-Branch integration through Aruba Cloud Connect.
For more information, see Integrating Cloud Security through Cloud Connect Service.
Branch Gateway Cluster Deployment
Aruba Central now mitigates underlay/overlay client traffic issues and reduces the delay in publishing bucket map, VDG, and DDG in Branch Gateway cluster deployments. The bucket map, VDG, and DDG are published based on the client load on each node (leader and member) in a cluster.
For more information, see Gateway Cluster Deployment.
Configuring Multicast on a Gateway
In Central, you can configure Multicast networks on your Gateway device using Protocol Independent Multicast (PIM) protocol, in the Dense mode.
For more information, see Configuring Multicast.
Configuring Packet Capture
Gateway support for protocol based packet capture is added.
For more information, see Configuring Packet Capture.
Configuring Ruleset
AOS 10.x now supports IDPS engine version 6.x on the device with 5.x ruleset configuration.
An information () icon with Ruleset Generated On and Ruleset Activated On timestamps is added on the General tab when you select a version from the Update To drop-down list under Gateway IDS/IPS > Config. The Ruleset Type parameter is added to the show idps summary CLI output.
For more information, see Updating Ruleset for Aruba IDPS.
EST Profile Support
Aruba Central allows you to configure the EST profile on the Security > Certificate Usage > EST Profile page for access points running ArubaOS 10.4.0.0.
For more information, see Configuring an EST Profile.
EST Status for Manually Deployed Virtual Gateways
You can now view the Enrollment Over Secure Transport (EST) status for manually deployed Virtual Gateways.
For more information, see Verifying the Deployment Status.
Gateway Move Enhancements
Aruba Central has been providing validation to ensure gateway moves can be performed safely. When a gateway is moved from one group to another, Aruba Central validates that the new group configuration is compatible with the device that is being moved into it. The device is then moved into the new group along with its overrides.
As part of AOS 10.4, and working in conjunction with the latest Aruba Central enhancements, Gateways now have additional mechanisms to ensure risk-free group moves. With AOS 10.4 and higher versions, Gateways take a snapshot of their last working configuration before a move. Gateways then perform a full configuration sync (receiving the configuration corresponding to the new group) and reboot. If the Gateway is unable to talk to Central after reboot, it goes back to the snapshot taken immediately before the move.
For more information, see Moving Devices between Groups.
Monitoring Gateways in List View
The Gateways list table under Devices > Gateways displays additional information , Ruleset, , , and , if IDPS is enabled.
For more information, see Monitoring Gateways in List View.
Prevent ARP-Cache Poisoning For Critical Network Resources (Not In User Table)
You can now add an allowed list of IP or MAC addresses in Deny all IP/ARP spoofing to prevent ARP poisoning. For more information, see Configuring Global Firewall Parameters.
SD-Branch Integration with Third-Party Cloud Security Providers Through Cloud Security Service
Aruba Central now allows you to integrate SD-Branch Gateways with Netskope, iboss, and McAfee using Cloud Security service.
For more information on how to configure the third-party Cloud Security providers, see the following:
Source Protocol Selection for Aggregate Routes
You can select either BGP or Overlay source protocols for aggregate routes. For more information, see Advertising Networks to BGP.
Support for AES256 Encryption with SHA2-256 for Intra-cluster Communication
With this enhancement, all Gateway cluster tunnels between devices supporting SHA2-256 automatically switch to using the SHA2-256 authentication algorithm, provided that both the tunnel endpoints (Gateways) are running AOS 10.4 or above.
For more information, see Tunnels.
Support for AWS EC2 C5 Instance
Aruba Central now supports the AWS C5 instance.
While C5 instances are preferred in Aruba Central, depending on the region in which the Virtual Gateway is being deployed, only C4 instances are supported.
In addition, AWS EC2 Instance size has been introduced in place of instance type. The dropdown has different size options such as xlarge, 2xlarge, and 4xlarge. For more information, see Deploying Aruba Virtual Gateways in AWS.
Support for SD-Branch Overlay Tunnels Over L2 Networks
SD-Branch Gateways can now build SD-WAN overlays over L2 circuits when the uplink type is set to MPLS.
For more information, see Configuring Uplinks.
Supported Hubs in Data Center Table
You can now add a maximum of sixteen hubs in the Data Center table.
For more information, see Configuring Data Center VPNCs with Microbranch.
Threats List
The following enhancements are made to the Threats List table:
- The Geo Location column is added with Source and Destination details to the Threats List table.
- The Ruleset Type column is added to the Threats List table.
- The Alert, Description, and Impact information is added to the Additional Details of a threat in the Threat details page under View Packet Info.
- Four new threat types (RFB, MQTT, RDP, and HTTPZ) are added to the table.
For more information, see Threats List.
Traffic Inspection
IDPS engine version 6.x inspects encrypted traffic using JA3 and JA3S.
For more information, see Enabling Traffic Inspection on Aruba Gateways.
VIA Configuration Simplified
Two new tabs, VIA connection and VIA policies, are introduced for the VIA configuration. For more information, see Configuring VIA Connections.
Warning for Missing Site ID
A warning message is displayed with the list of gateways that are missing the site ID configuration when you try to configure an automatic gateway cluster. For more information, see Configuring Automatic Gateway Cluster.
ZTP and OTP Support for the 9004-LTE Configuration
When onboarding a gateway, you can now configure LTE parameters with Zero Touch Provisioning (ZTP) and One Touch Provisioning (OTP) methods for the external USB dongle and internal modem. This allows the gateway to establish an uplink, get the DHCP IP, and communicate with Aruba Central for a cellular connection.
For more information, see ZTP and OTP Support for the LTE Configuration.
Behavioral Changes
Listed below are the ArubaOS 10.4 features that have behavioral changes:
Content Filtering Support
The Content Filtering option on the Interfaces > + Add Port Profile page for wired access points running ArubaOS 10.4.0.0 has been removed.
OpenDNS Support
Aruba Central no longer supports OpenDNS. For ArubaOS 10.4.0.0, Aruba recommends that you use WebCC instead of OpenDNS.
For more information on WebCC, see Configuring AppRF and Deep Packet Inspection and AppRF and Deep Packet Inspection.
Newly Supported Devices on AOS 10.x
The following are the newly supported APs and gateways in this release:
- AP-584
- AP-585
- AP-585EX
- AP-587
- AP-587EX
- AP-635
- AP-655
- 9240 gateway
For more information about the supported APs and gateways in Aruba Central, see Supported Devices.