Release Notes for RFS7000 v4.1.0.0-040gr

Contents

1. Introduction to New Features
2. Features Added for FIPS Compliance
3. Features Disabled or Modified for FIPS Compliance
4. Firmware Versions & Compatibility Matrix
5. Installation Guidelines
6. Firmware Upgrade Procedure
7. Known Issues & Recommendations

1 Introduction to New Features

AP-7131N support

Feature: Adaptive AP Support for the AP7131N-GR and AP7131N-GRN
Description: v4.1 brings to market the Adaptive Support for the 802.11n Access Point.
Benefit: Ability to configure Access, mesh and sensor capability centrally from the Wireless Switch.

Enhancements to Management

Feature: SNMP v3 support
Description: v4.1 brings Applet GUI support and Element Management System (EMS) support through SNMP v3.
Benefit: Ability to monitor all and configure all but security-relevant features via the GUI and/or AirDefense Services Platform (ADSP).

Security Enhancements

Feature: IP Filtering on Adaptive AP
Description: Support for configuring IP Filtering at AP7131N-GR and AP7131N-GRN via the wireless switches. Supported on independent WLAN only. Extended WLANs have the L2-L7 stateful firewall functionality (Wi-NG v4.0).
Benefit: Remote management of IP filtering on Adaptive APs for ease of management provides security enforcement at the edge, with central policy management.

Feature: Wireless Firewall Enhancements
Description: The following have been added to enhance the wireless firewall:
- Enforce DHCP on WLAN: when enabled, mobile units with a static IP will not be allowed to enter the network.
- Configure rules by port name rather than port number.
- Allow the operator to select the protocol in extended ACLs (previously only TCP, UDP and ICMP were allowed). Also lists protocols by name (rather than by number).
Benefit: Simplifies configuration of the wireless firewall and enhances operation for Secure Guest Access.

Applications & Usability Enhancements

Feature: RTLS on AP7131N-GR and AP7131N-GRN
Description: Provides support for wireless switch-based locationing of Wi-Fi devices and active tags on Adaptive AP7131N-GR and AP7131N-GRN.
Benefit: Can now locate Wi-Fi devices and active tags in AP7131N-GR and AP7131N-GRN adaptive deployments.

Feature: HTTP URL Logging
Description: Logs HTTP URLs visited to a syslog server.
Benefit: Network administrator can determine the list of web sites being visited.

Feature: User Audit Trail
Description: Audit trail for SNMP/GUI/CLI changes made to the configuration.
Benefit: Visibility into configuration changes made allows for better tracking mechanisms for change control/requests.

Feature: Mesh Enhancement
Description: The wireless switch allows the user to set the maximum number of client bridge associations from 1 to 3. The default is a maximum of 3 associations.
Benefit: Allows better control in mesh deployments.

2 Features Added for FIPS Compliance

The following features were added to the standard RFS7000 feature set in order to comply with FIPS 140-2:

1. NTP over IPSec
2. TLS 1.0
3. Syslog server over IPSec
4. External Authentication, Accounting and LDAP server over IPSec
5. SFTP server for image upgrade purposes
6. AAP over IPSec

3 Features Disabled or Modified for FIPS Compliance

The following features from the standard RFS7000 feature set were disabled or modified in order to comply with FIPS 140-2.

Disabled Features

1. Telnet
2. HTTP
3. TFTP Client
4. Authentication - Kerberos, Open System
5. Transport Encryption - KeyGuard, WEP 40/128 (RC4), WPA-TKIP, WPA2-TKIP
6. SNMP v1 & v2
7. AP300 sensor support

Modified Features

SNMP v3: All security-relevant OIDs and attributes were removed from the MIBs. This leaves the SNMP interface with non-secure monitoring and management capabilities.

4 Firmware Versions & Compatibility Matrix

RFS7000 firmware version 4.1.0.0-040GR

Access Point/Access Port          Firmware Version
AP300 (WISP)                      00.02-31 00.02-31
Layer 3 AP300 (WISPe)             01.00-2266r 01.00-2290r
Adaptive AP-7131N-44040-FGR       apn_04000000035gr.bin
Adaptive AP-7131N-44040-FWW       apn_04000000035gr.bin
Adaptive AP-7131N-44040-FIL       apn_04000000035gr.bin
Adaptive AP-7131N-66040-FGR       apn_04000000035grn.bin
Adaptive AP-7131N-66040-FWW       apn_04000000035grn.bin
Adaptive AP-7131N-66040-FIL       apn_04000000035grn.bin

5 Installation Guidelines

For accessing the Graphical User Interface (GUI) of the RFS7000 switches, the following browsers (and Java versions) are supported:

- Internet Explorer 7.0 and 8.0 on Windows 2003, XP (JRE 1.6)
- Firefox 2.0 and 3.x on Windows 2003, XP (JRE 1.6)
- Firefox 3.0.3 on Ubuntu 8.10 and JRE 6

6 Firmware Upgrade Procedure

This section outlines the upgrade procedure to v4.1, applicable if the RF switch had a beta release installed. The method described in this section uses the Command Line Interface (CLI) and GUI. SSH can be used to log into the CLI.

Upgrade the RFS7000 Switch

Note: Only an SFTP server is supported; FTP servers are not supported.

1. Copy the RFS7000-4.1.0.0-040GR.img to your SFTP server. Use the upgrade sftp://<ip address of server>/<name of file> command from the CLI, or the Switch->Firmware->Update Firmware option from the GUI. You may need to specify the SFTP server user name, IP address, image path and image name.
   Note: There is no provision to configure the SFTP server password from the GUI.
2. The user needs to execute the following key transfer command from the CLI before starting an image upgrade from the GUI:
   RFS7000#keytransfer host <SFTP server IP address> user <SFTP user>
3. Restart the switch. From the CLI the command is reload.

7 Known Issues & Recommendations

A review of the following Known Issues is highly recommended:

1. WiNG_FIPS00060437: Panic dump detected during the image flash from the CF card
2. WiNG_FIPS00060650: GUI and Hot Spot functionality does not work with Microsoft Internet Explorer (confirmed with version 6)
3. WiNG_FIPS00062015: Auto install is supported only from the CLI. The GUI page and SNMP are used only for monitoring or display purposes with respect to auto install
4. WiNG_FIPS00062593: SSHv2 session lockup is not released even after EraseStartup/defaultFactorySettings/keyzeroization
5. WiNG_FIPS00062631: Configuring one radio of an AAP (7131N) for on-channel-scan forces the other radio into on-channel-scan as well
6. WiNG_FIPS00062699: CLI/SSHv2 session hangs while aborting import/export of trustpoint/rsakeypair
7. WiNG_FIPS00064023: The upgrade-abort command shall not kill the SSH session that started the upgrade process
8. WiNG_FIPS00061720: "Delete all Keys" option not working from GUI screen "Security > Server Cert > Keys"
9. WiNG_FIPS00064025: First attempt of SFTP upgrade fails even with valid credentials
10. WiNG_FIPS00062058: SSHv2 option missing in GUI screen "Management Access > Users > local users"
11. WiNG_FIPS00062753: Executing "no wlan x hotspot allow-eap" for hotspot authentication sets encryption to "none" instead of CCMP
12. WiNG_FIPS00060623: SSHv2 session got terminated while adding cryptomap to an interface