In this release, support is introduced for the following new access points:

• Cisco Catalyst 9130 Access Points (C9130AXI-x)

  • C9130AXI: VID 02 or earlier

• Cisco Catalyst 9120AXE Access Points (C9120AXE-x) and Cisco Catalyst 9120AXP Access Points (C9120AXP-x)

  • C9120AXE: VID 06 or earlier

  • C9120AXP: All VIDs

• Cisco Aironet 1840 Series Access Points

• Cisco Catalyst IW6300 Heavy Duty Series Access Points

• Cisco 6300 Series Embedded Services Access Points

OFDMA Download and Upload: Indroduced support in Cisco Catalyst 9130 APs.

MU-MIMO Download: Indroduced support in Cisco Catalyst 9130 APs.

High Efficiency (HE) Rates: Indroduced support in Cisco Catalyst 9130 APs.

Note	For more information about feature support in 802.11ax APs, see Feature Matrix for Cisco Wave 2 Access Points and Wi-Fi 6 (802.11ax) Access Points.

Mesh mode is supported in the following Cisco Wave 2 APs in this release:

• Cisco Aironet 1815 Series Access Points

• Cisco Aironet 2800 Series Access Points

• Cisco Aironet 3800 Series Access Points

• Cisco Aironet 4800 Series Access Points

• Cisco Catalyst IW6300 Heavy Duty Series Access Points

• Cisco 6300 Series Embedded Services Access Points

Note

Mesh mode works only on those Cisco Aironet 2800 and 3800 Series APs that have been manufactured in the year 2017 or a later date. To know the manufacturing date of your AP, enter the show version command on the AP console. The output of the command shows the Top Assembly Serial Number. A sample output is shown below: Top Assembly Serial Number : xxx2234xxxx In the above example, the year code is 22, which is comprised of Base 10 numeric characters and is defined as last two digits of the year + 4. Therefore, if the manufacturing year is 2017, the year code is 21; if the manufacturing year is 2018, the year code is 22; and so on. The next two digits represent the calendar week of that year. In this example, the manufacturing date is the year 2018 and week number 34. This restriction is not applicable to Cisco Aironet 1815 and 4800 Series Access Points.

Note

Mesh mode was already supported in Cisco Aironet 1540 and 1560 Series APs prior to this release. For more information about the features supported on various Cisco Wave2 APs, see the Feature Matrix for Cisco Wave 2 Access Points and Wi-Fi 6 (802.11ax) Access Points at: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/wave2-ap/feature-matrix/b-wave2-ap-feature-matrix.html

Air Time Fairness (ATF) is supported in the following Cisco Wave 2 APs:

• Cisco Aironet 2800 Series Access Points

• Cisco Aironet 3800 Series Access Points

• Cisco Aironet 4800 Series Access Points

• Cisco Aironet 1560 Series Outdoor Access Points

• Cisco Catalyst IW6300 Heavy Duty Series Access Points

• Cisco 6300 Series Embedded Services Access Points

ATF is also supported in APs operating in mesh and Mobility Express modes.

For more information, see the Feature Matrix for Cisco Wave 2 Access Points and Wi-Fi 6 (802.11ax) Access Points at:

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/wave2-ap/feature-matrix/b-wave2-ap-feature-matrix.html

Support for the Intelligent Capture feature is added in the following APs:

• Cisco Aironet 1800 Series Access Points

• Cisco Catalyst 9115 Access Points

• Cisco Catalyst 9117 Access Points

• Cisco Catalyst 9120 Access Points

• Cisco Catalyst IW6300 Heavy Duty Series Access Points

• Cisco 6300 Series Embedded Services Access Points

The Intelligent Capture feature provides support to have a direct communication link between Cisco DNA Center and APs, so that each of the APs can communicate with Cisco DNA Center directly. Using this channel, Cisco DNA Center can receive packet capture data, AP and client statistics, and spectrum data.

For more information about configuring the Intelligent Capture feature, see the applicable Cisco DNA Center Assurance User Guide at

Starting with Release 8.10, we recommend that you do not configure Cisco APs in sensor mode.

WPA3 is a replacement to WPA2, as announced by the Wi-Fi Alliance. The new standard has two modes:

• WPA3-Personal with 128-bit encryption: The WPA3 standard provides a replacement to WPA2's preshared key (PSK) with Simultaneous Authentication of Equals (SAE), as defined in the IEEE 802.11-2016 standard. With SAE, the user experience is the same (choose a passphrase to connect), but SAE automatically adds a step to the handshake, which makes brute force attacks ineffective. With SAE, the passphrase is not exposed, making it impossible for attackers to find the passphrase through brute force dictionary attacks.

  The Protected Management Frames (PMF) should be used for all WPA3-Personal connections. Previously, PMF was an optional capability, which you could configure. With WPA3, PMF must be negotiated for all WPA3 connections that provide an additional layer of protection from deauthentication and dissociation attacks.

• WPA3-Enterprise with 192-bit encryption: This WPA3 standards is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) Suite, which is commonly in place in high-security Wi-Fi networks in verticals such as government, defense, finance, and so on.

For more information about WPA3, see the Wi-Fi Alliance's website.

This feature is a Wi-Fi standard technology which manages the available Wi-Fi network resources optimally. The Wi-Fi Alliance Agile Multiband (MBO) feature supporting devices share information among each other to take better roaming decisions, provide better overall performance and experience to the user.

The Cisco Wireless LAN Solution supports –P domain for Japan.

For the current approvals and regulatory domain information see https://www.cisco.com/c/dam/assets/prod/wireless/wireless-compliance-tool/index.html

SNMPv3 for trap messages is now supported on controllers. For more information about configuring SNMPv3 for trap messages, see

Prior to this release, there was no mechanism for RADIUS servers to monitor a network (apart from clients), specifically with respect to access points. If there were any network issues and APs repeatedly join and disjoin from the controller, there was no mechanism to monitor these events.

In this release, you can enable AP events to be forwarded to those RADIUS servers that are configured for management accounting. This ensures monitoring of these events to help you detect any network issues.

For more information, see

Controllers encrypt most of the passwords that are stored in the configuration file, using Advanced Encryption Standard-128 (AES-128). The encryption is hardcoded. To choose between the encrypted or the plain text method of storing passwords, use this command:

config switchconfig secret-obfuscation {enable | disable}

With secret obfuscation in enabled state, all the secrets from plain text are converted to encrypted values by using the hard-coded encryption key. This type of encryption is called type-7 encryption. If you disable secret obfuscation, all the secrets are converted from encrypted values to plain text passwords by using hard-coded encryption key. This type of encryption is called type-0 encryption. Secret obfuscation is enabled by default.

A disadvantage with type-7 encryption is that the passwords can be recovered from the hard-coded key value. There is a need for a stronger encryption method in which the key value can be configured. After you configure secret obfuscation, you can provide an extra level of encryption method that is called type-6. The type-6 method of encryption takes the configurable key along with AES-128 and stores the passwords. This stores all the secrets along with the configurable master key. You can change the key value from time to time to avoid decryption of passwords.

By default, type-6 encryption and password encryption are disabled.

The master key is encrypted with a device certificate private key. The master key length should be between 16 to 127 alphanumeric characters. We recommend that you use at least three of the following four classes in the password:

• Lowercase letters

• Uppercase letters

• Digits

• Special characters

The following applications use the type-6 encryption method:

• Local Net user

• RADIUS (Authentication, Accounting, and DNS)

• TACACS+ (Authentication, Accounting, Authorization, and DNS)

• IPSec secrets

• LDAP

• Local EAP

• SXP

• WPA2 PSK

• Local management user

This section contains the following subsections:

Features such as Hyperlocation require precise time across APs within an AP group to achieve location accuracy. Before Release 8.10, a controller synchronized with a global NTP server. By default, an AP synchronizes with the controller’s time through periodic CAPWAP messages. If the DHCP server supplies an NTP server address via DHCP Option 42, the AP synchronizes with that server. The per AP group NTP server configuration takes precedence over the DHCP-configured NTP server. The DHCP server cannot override the AP group NTP server.

As controllers and controller global NTP server are configured on the WAN, they might have large synchronization delays from the AP, and this might compromise location accuracy.

The primary NTP server requirement is that all APs in an AP group synchronize with the same server.

For Hyperlocation and BLE AoA features, all APs in an AP group are required to synchronize with the same NTP server, such that the collected data can be used to calculate the location accurately.

Before Release 8.10, a Hyperlocation-specific per-AP group NTP server configuration which allowed for only IPv4 address format without authentication was supported. If you enabled the Hyperlocation feature, the AP used the Hyperlocation-specific NTP server configuration information to synchronize with specified NTP server. In case of failures, the AP fell back to the controller’s time-sync mechanism. However, there are security risks if APs and the controllers access the same NTP server.

To address the requirements for these two sets of NTP server configuration to be independent of each other, you can configure a per-AP group NTP server in the controller.

The Hyperlocation-specific NTP server configuration is no longer available; you must configure the per-AP group NTP server separately.

For more information, see

This section contains the following subsections:

• An existing WLAN with ? in its name continues to be supported with this upgrade. However, you cannot include ? in the name when creating a new WLAN.

• If an AP locks out the console due to default management user credentials, you must configure the controller AP global credential with non-default username and password to get access to the AP console.

• WPA3 upgrade and downgrade guidelines:

  • If you downgrade from Release 8.10 to Release 8.5, if any AKM for SAE is configured, the AKM validation fails after the downgrade. The security is set to WPA2 and AKM to 802.1X. However, PMF configuration is retained, which results in an error.

  • FT set to enabled state and PMF set to Required state is allowed in Release 8.10 because PMF and FT configurations are decoupled. However, in Release 8.5, this configuration invalid. Therefore, upon downgrading to Release 8.5, the WLAN might be disabled.

  • If you want to upgrade from Release 8.5 to 8.10 and have WPA1 configured with none of the WPA1 AKM that are valid for Release 8.10, the WPA1 configuration is disabled after the upgrade because it impacts the status of the WLAN. Valid AKM for WPA1 in Release 8.5 are 802.1X, PSK, and CCKM.

• Software downgrade guidelines for Release 8.10:

  • If you plan to downgrade the Cisco controller from Release 8.10 software, we recommend you to downgrade to Release 8.5.151.0 or later to prevent the controller configuration files from being corrupted.

  • If you have configured new country codes in Release 8.10 and if you plan to downgrade to an earlier release, then we recommend that you remove the new country code configurations prior to the downgrade. For more information, see CSCvq91895.

• Before downgrading or upgrading the Cisco Controller to another release check for APs or AP modes support. Ensure that only supported APs are connected and also the APs are moved to supported modes on the release that the controller is upgraded or downgraded to.

• Legacy clients that require RC4 or 3DES encryption type are not supported in Local EAP authentication.

• If you downgrade to Release 8.0.140.0 or 8.0.15x.0, and later upgrade to a later release and and also have the multiple country code feature configured, then the configuration file could get corrupted. When you try to upgrade to a later release, special characters are added in the country list causing issues when loading the configuation. For more information, see CSCve41740.

  Note	Upgrade and downgrade between other releases does not result in this issue.

• After downloading the new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an upgrading image state. In such a scenario, it might be necessary to forcefully reboot the controller to download a new controller software image or to reboot the controller after the download of the new controller software image. You can forcefully reboot the controller by entering the reset system forced command.

• It is not possible to download some of the older configurations from the controller because of the Multicast and IP address validations. See the "Restrictions on Configuring Multicast Mode" section in the Cisco Wireless Controller Configuration Guide for detailed information about platform support for global multicast and multicast mode.

• When a client sends an HTTP request, the controller intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the controller is longer than 2000 bytes, the controller drops the packet. Track the Caveat ID CSCuy81133 for a possible enhancement to address this restriction.

• When downgrading from one release to an earlier release, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files that are saved in the backup server, or to reconfigure the controller.

• When you upgrade a controller to an intermediate release, wait until all the APs that are associated with the controller are upgraded to the intermediate release before you install the latest controller software. In large networks, it can take some time to download the software on each AP.

• You can upgrade to a new release of the controller software or downgrade to an earlier release even if FIPS is enabled.

• When you upgrade to the latest software release, the software on the APs associated with the controller is also automatically upgraded. When an AP is loading software, each of its LEDs blinks in succession.

• Controllers support standard SNMP MIB files. MIBs can be downloaded from the software download page on Cisco.com.

• The controller software that is factory-installed on your controller and is automatically downloaded to the APs after a release upgrade and whenever an AP joins a controller. We recommend that you install the latest software version available for maximum operational benefit.

• Ensure that you have a TFTP, HTTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

  • Ensure that your TFTP server supports files that are larger than the size of controller software image. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within Cisco Prime Infrastructure. If you attempt to download the controller software image and your TFTP server does not support files of this size, the following error message appears:

    TFTP failure while storing in flash

  • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

• The controller Bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the Bootloader to boot with the backup image.

  With the backup image stored before rebooting, from the Boot Options menu, choose Option 2: Run Backup Image to boot from the backup image. Then, upgrade with a known working image and reboot controller.

• You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface, using the following command:

  config network ap-discovery nat-ip-only {enable | disable}

  The following are the details of the command:

  enable —Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

  disable —Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same controller.

  Note	To avoid stranding of APs, you must disable the AP link latency (if enabled) before you use the disable option in the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

• Do not power down the controller or any AP during the upgrade process. If you do this, the software image might get corrupted. Upgrading the controller with a large number of APs can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent AP upgrades supported, the upgrade time should be significantly reduced. The APs must remain powered, and controller must not be reset during this time.

• After you perform the following functions on the controller, reboot it for the changes to take effect:

  • Enable or disable LAG.

  • Enable a feature that is dependent on certificates (such as HTTPS and web authentication).

  • Add a new license or modify an existing license.

    Note	Reboot is not required if you are using Right-to-Use licenses.

  • Increase the priority of a license.

  • Enable HA.

  • Install the SSL certificate.

  • Configure the database size.

  • Install the vendor-device certificate.

  • Download the CA certificate.

  • Upload the configuration file.

  • Install the Web Authentication certificate.

  • Make changes to the management interface or the virtual interface.

• Cisco WLAN Express Setup Over-the-Air Provisioning

• Mobility controller functionality in converged access mode

• VPN Termination (such as IPsec and L2TP)

• Internal DHCP Server

• Mobility controller functionality in converged access mode

• VPN termination (such as IPsec and L2TP)

• Fragmented pings on any interface

• Cisco Umbrella

• Software-defined access

• Domain-based ACLs

• Internal DHCP server

• Cisco TrustSec

• Access points in local mode

• Mobility or Guest Anchor role

• Wired Guest

• Multicast

  Note	FlexConnect locally switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on IGMP or MLD snooping.

• FlexConnect central switching in large-scale deployments

  Note	FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps. FlexConnect local switching is supported.

• Central switching on Microsoft Hyper-V deployments

• AP and Client SSO in High Availability

• PMIPv6

• Datagram Transport Layer Security (DTLS)

• EoGRE (Supported only in local switching mode)

• Workgroup bridges

• Client downstream rate limiting for central switching

• SHA2 certificates

• Controller integration with Lync SDN API

• Cisco OfficeExtend Access Points

• Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC

• High availability (Fast heartbeat and primary discovery join timer)

• AP acting as supplicant with EAP-FASTv1 and 802.1X authentication

• AP join priority (Mesh APs have a fixed priority)

• Location-based services

• Dynamic Mesh backhaul data rate.

  Note	We recommend that you keep the Bridge data rate of the AP as auto.

• Background scanning

• Noise-tolerant fast convergence

• MAC Authentication FlexConnect Local Authentication

• Noise-tolerant fast convergence

• Static WEP

• MAC Authentication FlexConnect Local Authentication

• Noise-tolerant fast convergence

• Static WEP