HP ProCurve MSM7xx controllers / MSC-5xxx controllers Release Notes

Transcription

1 HP ProCurve MSM7xx controllers / MSC-5xxx controllers Release Notes Introduction These Release Notes apply to the HP ProCurve MSM Controllers as follows: MSM710 / MSC-5100, MSM730 / MSC-5200, MSM750 / MSC HP ProCurve Product Naming Release Release Release Release Release Release Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 2 HP ProCurve Product Naming As of October 1st, 2008, Colubris Networks has been acquired by HP ProCurve. HP ProCurve has integrated the Colubris product line into its ProCurve Networking product portfolio ( Colubris product names have been changed to their equivalent HP ProCurve product names. In this release, the management tool user interface and online help use the new HP ProCurve product names. Some of the documentation continues to use the Colubris product names. Note: SOAP and SNMP MIBs retain the Colubris naming so you do not need to change your existing SOAP and MIB usage. The Colubris Networks product names and their corresponding new HP ProCurve product names are as follows: Colubris name MSC-5100 MultiService Controller MSC-5200 MultiService Controller MSC-5500 MultiService Controller MSC-3200 MultiService Controller MSC-3200R MultiService Controller MSC-3300 MultiService Controller MSC-3300R MultiService Controller MAP-320 MultiService Access Point MAP-320R MultiService Access Point MAP-330 MultiService Access Point MAP-330R MultiService Access Point MAP-330 AP+Sensor MultiService Access Point MAP-625 MultiService Access Point MAP-630 AP+Sensor MultiService Access Point WCB-200 Wireless Client Bridge Visitor Management Tool RF Manager 1500 Enterprise RF Manager 1300 Basic RF Planner HP ProCurve name MSM710 Controller MSM730 Controller MSM750 Controller MSM313 Access Point MSM313-R Access Point MSM323 Access Point MSM323-R Access Point MSM310 Access Point MSM310-R Access Point MSM320 Access Point MSM320-R Access Point MSM325 Access Point MSM422 Access Point MSM335 Access Point M111 Client Bridge Guest Management Software RF Manager 100 S/IPS system RF Manager 50 S/IPS system RF Planner

3 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 3 Release Contents General information Fixes Known issues General information Terminology The following terminology is used in these Release Notes and other 5.2.x documentation as follows: Term AP Service controller The term access point is generally abbreviated as AP. Refers to the HP ProCurve MSM7xx controllers / MSC-5xxx controllers. Updating to software Update the service controller to version as described in the Firmware updates section of the MSC-5000 Series Admin Guide. Once the service controller is updated, it automatically updates all of its controlled APs to Note: All pre devices updated to or higher will use the new HP ProCurve product names in the management tool as identified in HP ProCurve Product Naming on page 2. Note: An HP ProCurve MSM7xx / MSC-5xxx controller must be upgraded to at least version before it can recognize and configure the new HP ProCurve MSM410 access point. Sensors and RF Manager MSM325 / MAP-330 sensors and MSM335 / MAP-630 sensors at version are ONLY compatible with RF Manager version If you choose not to upgrade to RF Manager , DO NOT upgrade a service controller that is controlling a sensor, that will be used with RF Manager, to version See also, the RF Manager 5.5 Release Notes. Documentation You can download documentation from the HP ProCurve Networking manuals Web page at:

4 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 4 Regulatory update REGULATORY NOTICE for European Union HP ProCurve MSM Controllers and MSM Access Points purchased after April 1, 2009 are subject to new ETSI radar interference requirements that limit the available channels in the 5 GHz band. The software version that is loaded on your device is compliant with these new requirements. The 5 GHz channels 120, 124, and 128 are excluded to prevent illegal operation in the 5600 to 5650 MHz band. When using this device with an HP ProCurve MSM Controller that was purchased prior to April 1, 2009, and the software version on your controller is or earlier, you should perform one of the following two tasks before placing your MSM access point into service. This step is necessary to maintain compliance with the R&TTE Directive. OR Upgrade the controller software to the latest version by using the Software Upgrade Managers (SUM) utility. Customers with support contracts can obtain the latest software via the Software Upgrade Manager (SUM). For more information on this process, visit the HP Software Releases & Media website at: Customers without support contracts who wish to obtain the latest software release can purchase a software Care Pack service by contacting their local HP sales representative or authorized HP reseller. Manually add 5 GHz channels 120, 124, and 128 to the Channel Exclusions list to prevent illegal operation in the 5600 to 5650 MHz band. If the software on your controller is version or higher, no action is required. Other regulatory information In the USA and Canada, no DFS channels are available on radio 1 of the MSM422 / MAP-625 even when operating in legacy modes. As of 5.2.6, the a Turbo mode (local mesh) is certified for use in the following countries (For the MSM422 / MAP-625, this only applies to Radio 2): Argentina Australia Azerbaijan Belgium Belize Bolivia Brazil Brunei Canada China Colombia Costa Rica Cyprus Czech Republic Denmark Dominican Republic Egypt Estonia Finland France Georgia Germany Greece Guatemala Hong Kong Hungary Iceland India Iran Ireland Italy Liechtenstein Lithuania Luxembourg Macau Malaysia Mexico Monaco Netherlands New Zealand Norway Panama Philippines Poland Portugal Puerto Rico Singapore Slovakia Slovenia Sweden Switzerland Taiwan Turkey United Kingdom United States Venezuela Local mesh in controlled mode Ignore any statements in the documentation indicating that only autonomous APs can be used for local mesh. Both autonomous and controlled APs support local mesh.

5 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 5 Fixes The following issues have been fixed since the previous release: (Applies only to the MSM410 and the MSM422 / MAP-625 in these countries: Austria, Bulgaria, El Salvador, Indonesia, Jordan, Latvia, South Africa, Trinidad and Tobago, and South Korea.) It is not possible to configure n channels in the 5GHz range in countries that do not support 40MHz channels. Known issues The following known issues are present in this release: 3944 The RIP2 MIB does not work in this release If accounting support is enabled on the Public Access > Access Control page after the service controller has authenticated itself to the RADIUS server, accounting is not started. To enable accounting, restart the service controller x user cannot re-authenticate in the event the RADIUS accounting STOP message is not acknowledged by the RADIUS server On the Public Access > Access Control page, the Allow any IP address option is not supported when NAT is disabled on the Internet port Source NAT (Allow any IP address and to use Dynamic IP) does not work with the option to support clients using an HTTP proxy An 802.1x user logging out via the session page may not get redirected to the Goodbye page Client stations that use static IP addresses with access control are not compatible with the Layer 3 mobility feature If the management IP address is defined to be on the same subnet as the LAN port, changing the LAN port addressing method may cause the management IP address to be lost. The management IP address is defined on the Network > Ports > LAN port page (Only applies to the MSM320, MSM325 / MAP-330 and MSM335 / MAP-630.) Do not attempt to change the radio 1 channel and the radio 2 channel at the same time (error message "The same frequency exists on other radios" will appear). Instead, change the radio 2 channel first and Save. Then change the radio 1 channel and Save If you add or delete a static route or if you change the IP address of the LAN port, the RIP protocol will not announce the new routes until after the next restart The CLI command Show radius users shows only non-access Controlled users Traffic on the management LAN is blocked. After a reboot, the management LAN is reachable.

6 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers When MAC address filters are set to Allow for an access-controlled VSC, the clients that match a MAC address in the list are not able to associate with the SS and login to access the network An undesired Suspicious state is occurring for controlled APs that are moving between service controllers or are powered off for several days Static NAT mappings do not apply to VPN connections or VLANs on the Internet port The default-user-one-to-one-nat site attribute is never applied to users. As a workaround, create a user account profile (Service Controller >> Users > Account profiles) and enable VPN one-to-one-nat in the profile (Applies only when VLANs are configured.) The Network topology diagram (Service Controller >> Status > Network Topology) may display APs on the LAN port instead of the Internet port For n APs (MSM410, MSM422 / MAP-625), setting the radio power to 0dBm actually causes the power to be set to 100% power. Instead, set the power to 1% or 1db For n APs (MSM410, MSM422 / MAP-625)) operating in controlled mode, the auto channel feature is not working for the 2.4GHz n mode on channels 12 and (Only applicable to provisioning local mesh on an MSM410 in controlled mode.) MSM410 devices cannot be provisioned for local mesh as a group. They must be provisioned individually. To do this, select an individual MSM410 from Controlled APs in the Network Tree. Then choose Provisioning > Connectivity, clear Inherited, and provision your local mesh radio settings.

7 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 7 Release Fixes The following issues have been fixed since the previous release: Trace is not available for download or viewing when tracing controlled APs that have letters in their MAC address On page Service Controller >> Users > Account profiles, the Session time attributes > Terminate action=reauthenticate option does not work. It just terminates the client session The SOAP Function: "GetLocalConfigDefaultUserOneToOneNAT()" is not working (Only applies to the default Windows wireless supplicant.) For domain-based computers with "Authenticate as computer" (computer authentication) enabled on the wireless interface, and authentication done via Active Directory, a user can successfully log in if they provide valid credentials to the Active Directory server, even if the user is NOT a member of a group defined on the service controller Password fields in the management tool are not protected against the auto-complete feature in web browsers, causing existing passwords to be overwritten with incorrect values The 802.1x supplicant time-out value fails to be applied to EAP Request Identity packets When using HTML authentication with Active Directory, authenticating a user from an Active Directory child sub-domain does not work On APs operating in b/g mode, if the Allowed Wireless Rates options are modified for a VSC, all supported wireless rates will be advertised as BSS Basic, which can cause problems for b-only clients attempting to connect Setting up a firewall with an Accept rule followed by a Drop All rule drops all traffic, instead of preserving the data matched by the Accept rule The CLI command access control which disables access control on a VSC, does not work On the Controlled APs >> Configuration > LEDs page, controlled AP status lights can be turned off completely, or set to only show a blinking power light, or the lights can be set to function as normal, showing full status information The CLI command to turn off the wireless security filters option for a VSC is missing on the service controller.

8 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 8 Release Fixes The following issues have been fixed since the previous release: RADIUS VLAN assignment and the optional L3 mobility feature cause a traffic loop to occur When using EAP-TTLS, the service controller reports username as >anonymous< rather than the actual username The accountsd process reports a query execution failure when a user session expires based on subscription plan settings The SOAP process crashes when calling GetSatelliteListStatus When using PPPoE and adding TCP NAT mappings on the service controller to reach a TCP server on the LAN side of the controller, the connection to the TCP server does not work due to large packets being dropped It is not possible to manage an AP on the management subnet through NAT mapping When enabled, One-to-One NAT blocks VPN connections Cannot join an Active Directory domain with a username/password that contains special characters such as: & $ ( ) ; < > \ When the service controller of an AP becomes temporarily unavailable, and another service controller is available on the network, the controlled AP reboots (Applies only to the MSM750 / MSC-5500.) When a large number of access-controlled users log in during a short time period, the MSM750 / MSC-5500 may reboot due to a memory-management issue The service controller is unable to join an Active Directory domain when the DNS server returns very large packets (Applies only to VPNs configured with PPTP client.) The auto-route discovery option (Service Controller >> VPN > PPTP client) is not working in this release The User Tracking feature does not output any logging packets Error messages related to running out of memory are appearing due to inadequate resource release The MSM750 / MSC-5500 cannot support more than 100 APs when the optional L3 mobility feature is used Service controllers still communicate with each other after disabling mobility controller discovery.

9 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers The Microsoft Zero Configuration wireless client authentication does not work with Active Directory When NAT is enabled on the Internet port (Network > Ports > Internet port) it is also possible to enable Allow any IP address > to use Dynamic IP on page Public access > Access control. The two options should be mutually exclusive When an implicit license is in use and connection with the service controller is lost, wireless services are stopped It is not possible to configure Redirect-URL with local attributes because the choice is missing Authentication using Active Directory does not work for child domains VPN connections fail when one-to-one NAT is enabled and no alternative IP address is defined The MSM422 / MAP-625 reverts to legacy data rates when VSC bindings are changed A memory leak in the openvpn process causes the process to terminate. As a consequence, communication to all APs is lost momentarily while tunnels are being setup The MTU configuration of the Internet port is not properly adjusted when the path is lower than HTML authentication using Active Directory does not work for child domains (Applies only to n on the MSM422 / MAP-625.) A Linksys WPC600N client device sometimes loses IP connectivity The Location-aware placeholder %G does not get assigned the Groupname value for wired users Occasionally, a controlled AP may become de-synchronized and it then re- discovers its service controller. This occurs quickly and is effectively transparent In the management tool, some address lists (NOC and others) are not wide enough to display the full IP address and Mask (Applies only to the optional L3 mobility feature.) Some client devices roaming between subnets handled by the same service controller are not seen in the Visitors and Travelers tables When using NOC authentication, if the certificate used to identify the device contains an IP address instead of a hostname, HTTP Proxy users are unable to login (Applies only to the MSM710 / MSC-5100.) The Service Controller >> Network > Ports page now provides an option to swap the LAN and Internet ports. This makes it possible to use PoE on the Internet port Wireless neighborhood information (Service Controller > Controlled APs > Overview > Neighborhood) for APs in controlled mode is missing from the service controller GUI.

10 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers Users cannot establish a PPTP connection through the service controller using a VPN client The built-in RADIUS server crashed due to lack of memory under certain circumstances The following invalid error message is seen in the log when a DNS packet that is larger than 512 bytes is received by the service controller: assert: masquerade.c HandleMasqueradeTimeoutEvent 384 (MAX_DNS_PACKET_SIZE >= (masqueradeentry->mpacketlength + sizeof(struct CompressedResourceRecord)+ sizeof(in_addr))) Authentication via an Active Directory server does not work with Windows Server 2008-based domain controllers (Active Directory servers) The MSM7xx / MSC-5000 series controllers were limited to five simultaneous HTML logins. The limits are now as follows: MSM710 / MSC-5100=25, MSM730 / MSC-5200=50, MSM750 / MSC-5500=100.

11 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 11 Release Fixes The following issues have been fixed since the previous release: If administrator authentication for the management tool is set to use a RADIUS server, the failover to a secondary RADIUS server does not occur when the primary server does not respond The following default public access attributes are now configurable via the management tool: default-user-max-output-rate, default-user-max-input-rate, default-bandwidth-level, default-use-access-list, default-welcome-url, default-goodbye-url DFS on Local Mesh is supported on a/b/g radios (no DFS support is provided on n radios). Previous workarounds are no longer required If a user authenticates with 802.1x/RADIUS (e.g., WPA Enterprise) and the RADIUS server is down or sends no response, and then the client disassociates, the AP continuously retries the RADIUS request at the configured interval In a controlled mode local mesh network, if there was a large amount of data going through the mesh, the service controller would not always be able to retrieve the state of APs, or push configuration changes The Fast Reconnect option of 802.1X supplicants was not honored when WPA2 Opportunistic Key caching was enabled Users authenticated through Active Directory were wrongly shown to be authenticated through RADIUS If you change a VSC from Access Controlled to Non-Access Controlled and you do not re-synchronize the AP, unexpected behavior may occur (Applies only to the MAP-630.) The MAP-630 includes internal antennas in its flaps and it supports the connection of external antennas. However, only the internal antennas can be selected when provisioning an AP to operate over local mesh. Affects page Controlled APs >> Provisioning > Connectivity on the service controller and page Provisioning > Connectivity on the MAP (Applies only to a MAP-630 in controlled mode.) Editing the Radio page of a controlled MAP-630 will not place the MAP-630 into an unsynchronized state (as it should). After making your changes, Synchronize the MAP-630 to make the changes take affect The system name is now displayed in the management tool top banner. It is configured by the System name item on the Management > SNMP page. It defaults to the device serial number.

12 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers When performing a configuration backup, the default file name is now named config_(system name).txt, where (system name) is configured by the System name item on the Management > SNMP page. It defaults to the device serial number The X.509 certificate for controlled mode authentication between the AP and the service controller was too short with a lifetime of three days. It now has a lifetime of 60 days when first created, and seven days thereafter Shared secret configuration changes only apply after a restart (Applies only to the WPA2 Opportunistic Key Caching option.) WPA2 Opportunistic Key Caching (previously called L2 Fast Authentication) can only be enabled when the Mode is set to WPA2 or (WPA or WPA2) and the key source is set to RADIUS. Previous releases allowed this feature to be configured without validation of the key source. When upgrading from a previous release (such as 5.1.3) to 5.2.1, certain configurations can cause MAPs to fail to establish a management tunnel after the upgrade Active Directory authentication did not work if the service controller was unable to create its binding at boot time If the shared secret for the service controller's RADIUS server was considered to be a weak secret, no error would appear but APs would no longer be able to synchronize with the controller It is not possible to start a packet trace from the SNMP TOOLS MIB The service controller attempts to configure unsupported Colubris APs (controlled mode) instead of reporting them as being unsupported After a date change on the service controller, some APs could not recover from a secure management connection failure. The only workaround was to power-cycle the AP On the local mesh configuration page, the preshared key for TKIP and AES is no longer displayed in clear text A radio could not be switched to sensor mode if its mode was set to a Turbo When doing html RADIUS authentication and site authentication is disabled, the "nasid" placeholder is empty on the redirect URL With APs in controlled mode, communicating with the service controller through a VLAN, the CDP information sent by the AP did not contain the correct IP address of the AP For Access controllers, when using the DNAT-SERVER action in an access- list attribute, the domain name can now be a wildcard, for example: *.colubris.com (Applies only to the MAP-630.) In some cases, when connected to a gigabit switch, the Ethernet receiver can get stuck at boot up, causing communication to fail In controlled mode, the secure control tunnel between an AP and the service controller depends on the path MTU discovery (PMTU) to set the tunnel MTU. In some networks, the PMTU did not work due to other network elements. This caused large frames inside the control tunnel to be lost and eventually led to the AP losing its connectivity with the service controller.

13 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers The Source IP of RIP packets sent over the LAN port could be incorrect if the Management subnet, DHCP Server, or DHCP Relay per VSC were enabled Non-access-controlled VSCs generate false errors related to the egress VLAN Malicious network traffic can cause the service controller to reboot The public access portal stops due to a memory limit being reached and is unable to restart due to a socket being still in use If the SOAP management interface is disabled and then re-enabled, it will no longer start automatically on power up Using a wildcard in an access-control list may not work on first try, but it does work on subsequent tries When changing local mesh encryption of a local-mesh-provisioned MAP, a reboot of the slave is required to recover (Applies to the SNMP Maintenance MIB.) Object certificateexpirydate returns the wrong date.

14 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 14 Release Fixes The following issues have been fixed since the previous release: (Applies only to the L3 Mobility option.) DHCP renew requests coming from a traveler were not always forwarded to the home network, causing the client to fall back to a DHCP discover. The user would then get an IP address on the foreign network and current connections would be lost Signal and Noise information is now displayed in controlled mode, for local mesh nodes and wireless clients When a VSC uses the Rate Limit feature and a user leaves the network before terminating their authentication, some rules are left in the access controller blocking the user from logging in again When WPA2 Opportunistic Key Caching (previously called L2 Fast Authentication) is enabled in a VSC and the service controller is used for RADIUS local authentication, APs will consistently fail to synchronize. As soon as WPA2 Opportunistic Key Caching is disabled or the service controller is not used for local authentication, the APs can again be synchronized. You can use WPA2 Opportunistic Key Caching with a remote RADIUS server When DHCP is turned off on the service controller, the service controller is unable to route DHCP traffic, even if access lists are configured to permit this Traffic coming in on either an IPSec tunnel, or directly on the Internet port if NAT is turned off, is not allowed to reach the management subnet on the LAN port Initiating a TCP/UDP connection from the Internet port toward a station on the LAN side would fail (Applies only to controlled mode, when a MAP-330 is in the same group as a threeradio product such as the MAP-630.) When a third radio is configured (for the MAP- 630), the MAP-330 can appear to be in license violation if a license has been installed locally on the MAP-330. As a work around, create separate MAP-330 and MAP-630 groups and ensure that sensors are configured only at the group level The System log showed many recurring errors such as: ConnectToPGSQLDatabase: Connection to database failed: could not connect to server: No such file or directory. This affected the access control service and RADIUS server, effectively disabling them The DNAT polling URL only supports port 80 and the polling does not work or go through the DNAT server polling when set to a different port.

15 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers An XML deserialization problem causes an interoperability problem with Microsoft.NET 2.0, and possibly all other versions of.net DNS responses larger than 512 bytes were being dropped. One visible consequence was that the query for getting the LDAP information for Active Directory could fail in large AD domains The codevicewirelessassociationnotification trap of COLUBRIS-DEVICE- WIRELESS-MIB.my is not generated Interim updates are not sent for access-list entries with accounting support The service controller attempts to configure unsupported Colubris APs (controlled mode) instead of reporting them as being unsupported (Applies only to the MSC-5200.) The MSC-5200 may restart if it receives an Ethernet frame larger than 1518 bytes Changing allowed wireless rates causes AP errors when syncing, causing the AP to restart and mapconf errors to appear in the system log Using the web-management tool, it is not possible to replace the X.509 certificate with another certificate that has the same certificate subject or name (DN) IPSec interfaces were not available in the Network Trace tool The MAP-320R and MAP-330R were not displayed in the Autonomous AP list of the Network Tree A local mesh slave node may stop trying to connect to a master node if it had been previously refused The SNMP trap State change is not always issued by the service controller when an AP goes down (Applies only to the MSC-5500 and MSC-5200.) When an SNMP Heartbeat trap is sent, the IP address is presented in reverse order Many consecutive 802.1X RADIUS requests from one user can cause RADIUS requests from other users to be ignored When removing RADIUS Accounting from a non-access-controlled VSC, an entry similar to this may appear in the log: log: Dec 26 19:55:04 crit iprulesmgr assert: radiususer.c SendAccountingRequest 2653 (UpTime()!= user->maccountingeventuptime) The RADIUS proxy can stop accepting RADIUS Authentication or Accounting requests after a large number of such requests go unanswered by the RADIUS server (Applies only to non-access-controlled clients being authenticated through the service controller (external RADIUS server).) In some cases, 802.1x authentications will never time out if the client sends retries The Active Directory domain name maximum length was 24 characters. It has been increased to 240 characters.

16 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers L2 and L3 Mobility fails when more than 32 APs using the same VSC are active on a service controller (Applies only to MSC-5500.) With a very large number of synchronized APs, a configuration change on the service controller can cause all APs to be temporarily lost, requiring a new discovery/configuration cycle. (When testing, this was seen with greater than 188 synchronized APs.) L3 Mobility on the service controller can fail after an AP reboot In access lists, a wildcard character can be used in front of a domain name, for example, * When this syntax is used, the access list will match the resolved IP address dynamically, instead of refreshing it upon every site authentication cycle If the default certificate was replaced by one signed by an intermediate certificate authority (CA), some browsers would complain that the site was not trusted when opening the login page In some rare cases, after login, a user could see a web page indicating "Attribute not found." The group name in the %G placeholder was truncated to 16 characters. The group name can now contain up to 64 characters The HTML NOC Logout function sometimes fails with error: err webauth Cannot get peer certificate- denying access The default NTP time servers have been changed to 0.colubris.pool.ntp.org and 1.colubris.pool.ntp.org Getting sysinfo from the service controller for an AP in controlled mode sometimes fails The service controller could become unstable after a number of AP authentications if Controlled AP authentication was enabled and the Use file authentication list method was selected.

17 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 17 Release Contents New features and enhancements Fixes New features and enhancements Software version contains new features and enhancements as described here. For information on major new features and enhancements, see the New in this release section of the MSC-5000 Series Admin Guide. Here is a brief sampling: Embedded RADIUS server Local termination of 802.1X users Local termination of MAC users Active Directory integration Enhanced local-user accounts Subscription plans Local mesh in controlled mode Enhanced autonomous AP support These other new features and enhancements also apply to this release: Access lists processing has been enhanced allowing for more rules to exist without compromising performance A controlled AP can now be provisioned locally using its management tool The DHCP server is now configurable on a per-vsc basis, making it possible to serve different DHCP ranges or subnets for each VSC The ability to discover controlled APs on the LAN port is now configurable by selecting Service controller >> Management > Device discovery. Previously discovery was always enabled on the LAN port It is now possible to configure a different RADIUS server for authentication and for accounting, when using 802.1X or MAC based authentication ACCEPT rules have been added to the firewall. When a packet is accepted by the firewall, it must go through the access controller rules, if applicable A new option enables automatic logout of users upon receiving a DHCP Discover request. This is applicable only to HTML-based authentication. One possible use for this feature is to automatically logout a remote terminal or thin client user when the terminal session is closed. By default, this parameter is disabled. To enable it, select Network > Address allocation > DHCP server > Settings The public access interface Login page can now optionally be presented via HTTP instead of HTTPS, avoiding the client browser warning when using the default product certificate. For security purposes, HTTPS remains the default setting. To configure this option, select Public access > Access control > Service controller.

18 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers The NOC authentication mechanism has been enhanced to allow simultaneous use of HTML authentication and NOC authentication, provided that the [USER-SPACE].HMTL.noc-client-validation configuration setting is set to DISABLED Two new options have been added to the Network > DNS page: Logout host name and Logout IP address. These two options enable easy logout from the public access network. Users can logout by pointing their browsers to a host name or IP address. If a user that is logged in via HTML sends an HTTP request to the specified host name or IP address, the service controller will log the user out The access list DNAT feature has been enhanced to optionally allow all traffic to bypass the DNAT rule if the DNAT server is down, or to switch to an optional secondary DNAT server if the case the primary is down. This allows for building redundancy in the DNAT (proxy) service, with a failover mechanism or a bypass in case of a problem with the DNAT server(s) Additional authentication types have been added to the SOAP/XML interface. In addition to HTTPS X.509 certificate authentication, it is now possible to use HTTP authentication, with or without SSL The NOC HTTP API is now available under SOAP/XML as well The SMTP proxy has been enhanced to proceed without authentication with the SMTP server if it doesn't answer as expected to the initial EHLO request In an access controlled VSC, it is now possible to configure an egress VLAN on the LAN port. Such an egress used to be limited to the Internet port only Added a User Tracking feature, which allows for logging user activity, such as user name, real and public (NAT) IP addresses, MAC address, protocol. This information is sent in real time to an outside syslog server. Fixes The following issues have been fixed since the previous release: 6212 With IPSec security, the Phase 1 IKE SA is deleted too quickly when the peer initiates a negotiation for a new IKE SA, confusing certain IPSec gateways, which then keep more than one tunnel (SAs) active between the peers When DHCP relay is configured on a VSC, wired users who are not assigned to a VLAN use the global DHCP relay setting and not the VSC settings. However, these users are assigned the circuit, remote, and subnet options configured in the VSC On the page Service Controller > VSCs >> Overview > User sessions, the number of users in the list and the stated number of users did not match Switching between html and 802.1x failed with some third-party APs.

19 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers The RADIUS called-station-id attribute was still set to the LAN port MAC address, even if the configuration file token [ACCESS-CONTROLLER]/radius-called- station-id-port was set to Internet An error message may be displayed when using drag and drop to move an AP between two groups in the Network tree while the menu is being refreshed. If this occurs, try again The AP is unable to correctly report a priority conflict between two or more service controllers Customer Data Rate (receive) is not enforced when all authentication methods (including HTML) are is turned off in a VSC When the new Auto-Refresh feature is enabled, administrators are no longer automatically logged out when their session is idle for more than 10 minutes. They remain connected indefinitely Firmware distribution feature waited indefinitely for the license agreement to be accepted on the APs. Now, firmware distribution can be used without having to accept the license agreement on the APs When an AP operating in controlled mode is connected to a service controller using L3 connectivity or has the centralized access control option activated (Service Controller > Controlled APs >> Configuration > Access Control page), then access to the service controller s management tool (or via CLI or SOAP) from client stations connected to the AP is not possible (Applies only to L3 Mobility in controlled mode.) If a subnet was reachable both locally (through locally controlled APs) and through another service controller, there was a race condition where the VLAN associated with the subnet was being cleared. As a result, the service controller did not perform a VLAN check as part of the shortest path capability check, and the shortest path roaming case was being executed even though the service controller did not have VLAN connectivity to the home subnet In a VSC definition if you disable the Wireless MAC filter feature, remove all MAC addresses from the list, and then click Save, the AP will have to reassociate with the service controller and do a full configuration update when it is synchronized. To avoid this delay, do the change in two steps: 1. Disable the MAC filter feature, click Save and then synchronize the AP. 2. Delete all MAC filter addresses, click Save and then synchronize the AP. This same issue also affects the Wireless IP filters feature Moving an AP into a new group always produces an error. This is seen when moving an AP from one group to another, and when the country is changed on the service controller Removing an IP filter can sometimes result in an error message (in log: "Could not retrieve VSC index for < >") and AP reboot The date returned by Time Protocol-based time servers was not rejected if suspicious (year earlier than 2007). As a result, AP configuration synchronization and certificate problems could occur.

20 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers When the DNS relay feature is enabled, client stations that are running Windows Vista may cause the service controller to become inoperative Values for Signal, Noise, and SNR are not shown in the tables on the Overview > Neighborhood pages When using a service controller to provision the discovery settings on an AP operating in controlled mode (on the Device Provisioning > Discovery page), the DNS name option is limited to 63-characters Two IP addresses are reserved for wireless client stations, instead of one, when the service controller is configured as follows: Public access > Access control page: "Allow any IP address" and "to use Dynamic IP" options are enabled. Network > Address allocation > DHCP relay page "Allow per VSC" is enabled When a client station uses 802.1x or MAC authentication, its browser must not be configured with an HTTP proxy. The HTTP proxy feature of the service controller works only for client stations authenticating using the HTML login page When the Internet port IP address is changed and NAT is enabled, current UDP and TCP connections still use the old IP address On the Maintenance menu, firmware file URLs and configuration file URLs are shown as valid even when wrong Attempting to configure an AP which is in the "Waiting for acceptance" or "Not authorized" state fails When configuring AP names, avoid using any of these three characters because they will not display correctly (less than, greater than, ampersand): < > & Access control: The wispr-logoff-url was not being taken into account when specified in the local site configuration The MSC-5500 sometimes freezes during configuration upload (Applies only to Japan.) For APs in controlled mode, some Japan channel- selection lists are wrong If a device is configured with REDIRECT/DNAT/WARN rules and use-access-list is in the site profile, an HTTP proxy user is not be able to access the affected sites properly MAC address authentication, using the access control attribute mac- address, would not always work when traffic would come in through a VLAN that is part of a predefined VLAN range User performance degrades when rate limit is turned on When using rate limit, the service controller may store and retrieve IP addresses inefficiently with certain customer IP address distributions In the HTTP proxy, when both the client & the server are set to keep- alive, the connection will fail if a "100 Continue" reply is being used.

21 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers An error occurs when clearing the "Retrieved attributes override configured attributes" option When GRE routes are defined, the management tool crashes when attempting to navigate to the IP routes page With a large number of users, performance issues related to login time and throughput could occur. With the fix, the improvement is most apparent when the rate limit and bandwidth control options are enabled Proxied SMTP does not count the bytes uploaded against the users (SNMP MIB.) A walk of MIB codeviceinfotable stops at the first AP that has codevdisstate not running (Applies only to the L3 Mobility option.) DHCP renew requests coming from a traveler were not always forwarded to the home network, causing the client to fall back to a DHCP discover. The user would then get an IP address on the foreign network and current connections would be lost The HTTP proxy crashes and restarts after receiving certain HTTP packets The management tool authentication process (WEBAUTH) may crash in some situations When a user is logged out because of a duplicate IP address on the network, the cause in the system log is "Unknown cause". It has been fixed to PORT_ERROR (Applies to SNMP MIB.) A walk of MIB COLUBRIS-VIRTUAL-AP-MIB may fail when there was more than one VSC configured The AP sometimes cannot be synchronized if there is an ongoing and simultaneous configuration event happening, for example with the SOAP interface In some cases, the service controller floods the network with traffic from an L3 roaming user The Management IP address of the LAN port is being lost DNS replies of type AAAA without an answer record are not handled properly The NAT port range limit is not respected for proxy user traffic. A fixed limit of 50 is always used (Access controlled users.) At the end of a user access list, there is no implicit DENY all rule, causing the default action to redirect the user to the login page The 802.1x authentication fails in some cases When an IPSec tunnel is built over a PPPoE connection, the default route, in some cases, can start pointing to the IPsec tunnel interface, making the Internet port interface unusable for non-ipsec related traffic In the Bandwidth Control, if a level is set with a value lower than 80Kbits/sec, the traffic mapped to that level would instead get the full bandwidth available When the service controller is not reachable, the AP does not turn off all accesscontrolled VSCs.

22 5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers The page Status > IP connections does not display correctly with some Windows Vista installations In some rare cases, the AP may send an invalid certificate request, which is then correctly refused by the service controller. But following this event, the service controller is unable to process new requests and must be restarted before new APs can come online. This has been seen only after a firmware upgrade of the service controller Lack of additional information in the log for sessions logged out as Port-Preempted Multiple sessions can be seen on RADIUS server even when the "Reauthenticate on location change" option is disabled. The RADIUS request is sent on a re-association, and this is sometimes undesirable. Enabling the "Reauthenticate on location change" option makes it possible for a RADIUS server to deny access based on user location With IPSec security, once a NAT gateway has been detected between the peers, the MSC no longer accepts a IKE negotiation from its peer.