Cisco Wave 2 APs with FIPS in enabled state add an additional 10-minute delay to complete the FIPS checks on the APs before they can join the controller. Follow the software guidance for FIPS customers at:

Support is added for Cisco Catalyst 9105 APs in this release.

• C9105AXI and C9105AXW: VID 03 and earlier

The Cisco Catalyst 9130 Series Access Point is designed keeping high-density deployment in mind. Hence, this AP includes three radios which support the dual radio mode and the radio role assignment functionality. The AP supports radio roles—monitor and client serving roles under Auto and manual modes. You can manage the modes dynamically by using the Flexible Radio Assignment(FRA) feature for 2.4-GHz radio and Dynamic Channel Assignment (DCA) feature for the two 5-GHz radios or manually.

This feature enhances the existing Cisco Catalyst 9130 Series Access Points Tri-Radio feature by supporting the radio role.

Note	For this release, the Tri-radio function for the Cisco Catalyst 9130AXE External AP is enabled only when using the DART adapter cables AIR-CAB-002-D8-R= (RP-TNC antennas) or AIR-CAB-003-D8-N= (“N” style antennas) with the AP.

For more information about configuring a tri-radio AP, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_aps.html#info_tri_radio

Uplink Multi-user multiple-input and multiple-output (UL MU MIMO) feature is supported in Cisco Catalyst 9130 APs in this release.

• Conceptually similar to Downlink MU-MIMO, which is already supported in Cisco Catalyst 9130 APs.

• Allows multiple clients to send traffic simultaneously, thus saving air time.

• Controller by AP through triggers sent to clients.

• Supported in 20-MHz, 40-MHz, and 80-MHz bandwidths, but not supported in the 160-MHz bandwidth.

• Supported only in the 5-GHz band.

• Currently limited to support three users. When more than three users are connected, UL MU-MIMO scheduling does not occur, and the AP falls back to single-user (SU) transmission.

This feature enhances access point's security over SSH connections. The weak cipher suites are no longer supported. Any attempt to establish connection using legacy ciphers displays Unable to negotiate a key exchange method error message.

The feature is enabled by default.

In this feature, wIPS scanning is prioritized in Cisco Aironet 4800 APs. The Cisco Hyperlocation feature is disabled when the AP sub-mode is set to WIPS.

This feature implements stronger user names and passwords requirements for Controller and AP users.

If you are using Cisco Catalyst 9117 APs, then to upgrade to Release 8.10.130.0, you must download an additional image bundle, ap1g6, which is specific to the Cisco Catalyst 9117 APs. Following are the high-level steps in upgrading to this release:

1. Download the controller.aes file from the Cisco software download page and upgrade the controller software with this image.

2. Reboot the controller to load the new image.

3. Download the apimage.aes (ap1g6) file from the Cisco software download page and upgrade the controller software with this AP image bundle.

4. Reboot the controller to load the new AP image bundle.

For more information, see Upgrading Cisco Wireless Release section of this document.

• Support reliable WGB downstream broadcast for multiple VLANs.

  Support to convert downstream broadcast packets to unicast packets in the 4-address format with retransmission to WGB and its wired clients.

  Supported AP platforms

  • Cisco Industrial Wireless 3700 Series Access Points

  • Cisco Aironet 1570 Series Access Points

  Supported WGB platform

  • Cisco Industrial Wireless 3700 Series Access Points

  For more information about the feature, see Reliable WGB Downstream Broadcast for Multiple VLANs section in the Cisco Wireless Controller Configuration Guide, Release 8.10 at

  https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/workgroup_bridges.html.

• Support faster detection of missing M1 or M3 message during 4-way handshake

  Support to configure M1 and M3 timeout value on IOS WGB (IW3700 Series Access Points) to achieve faster detection of missing M1 or M3 message. This enhancement fulfills the requirement for quick roaming to avoid longer outages due to roam. For more information about the feature, see WGB M1 and M3 Timeout Enhancement section in the Cisco Wireless Controller Configuration Guide, Release 8.10

  https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/workgroup_bridges.html.

The following features are in Early Field Trial state:

Note	These features are not yet officially supported and there is no assistance from Cisco's Technical Assistance Center.

• Cisco DNA Center Assurance Wi-Fi 6 Dashboard

  The Cisco DNA Center Assurance Wi-Fi 6 Dashboard provides a visual representation of your wireless network. The dashboard contains various widgets which show you the efficiency of Wi-Fi 6 networks compared to non-Wi-Fi 6 networks.

  Note	We recommend that you manage this Cisco DNA Center Assurance feature using the Cisco DNA Center UI.

  For more information about Cisco DNA Center Assurance feature, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/m_wifi6_assurance_dashboard.html and chapter Monitor Wi-Fi 6 Readiness in Cisco DNA Assurance User Guide.

In this release, the Cisco Catalyst 9130 APs support both the Uplink and the Downlink Orthogonal frequency-division multiple access (UL OFDMA and DL OFDMA) features.

Currently, the feature is enhanced to support 37 users in a DL OFDMA or UL OFDMA transmission.

In this release, there are regulatory domain changes implemented for Bahrain, Egypt, India, Indonesia, Japan, Russia, and Taiwan. For more information about these regulatory domain changes, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/reg-domain/reg-domain-rule-changes-in-810MR3-and-17-3.html

From this release, Spectrum Intelligence feature is supported on Cisco Catalyst 9115 Access Points.

From this release, hardware DTLS encryption is supported on Cisco Catalyst 9115 and 9120 Access Points.

In this feature enhancement, when a web browser is used to access the controller webUI via the HTTPS protocol, the controller sends the full certificate chain to the browser for TLS authentication.

This feature is enhanced to support SNMP for AP group NTP server configuration.

From this release, the Link Aggregation Group (LAG) feature is supported on Cisco Aironet 1850 APs in Cisco FlexConnect mode.

• An existing WLAN with ? in its name continues to be supported with this upgrade. However, you cannot include ? in the name when creating a new WLAN.

• If an AP locks out the console due to default management user credentials, you must configure the controller AP global credential with non-default username and password to get access to the AP console.

• WPA3 upgrade and downgrade guidelines:

  • If you want to upgrade from Release 8.5 to 8.10 and have WPA1 configured with none of the WPA1 AKM valid for Release 8.10, the WPA1 configuration is disabled after the upgrade.

  • If you downgrade from Release 8.10 to Release 8.5, if any AKM for SAE is configured, the AKM validation fails after the downgrade. The security is set to WPA2 and AKM to 802.1X. However, PMF configuration is retained, which results in an error.

  • FT set to enabled state and PMF set to Required state is allowed in Release 8.10 because PMF and FT configurations are decoupled. However, in Release 8.5, this configuration invalid. Therefore, upon downgrading to Release 8.5, the WLAN might be disabled.

• Software downgrade guidelines for Release 8.10:

  • If you plan to downgrade the Cisco controller from Release 8.10 software, we recommend you to downgrade to Release 8.5.151.0 or later release to prevent the controller configuration files from being corrupted.

  • If you have configured new country codes in Release 8.10 and if you plan to downgrade to an earlier release, then we recommend that you remove the new country code configurations prior to the downgrade. For more information, see CSCvq91895.

• Before downgrading or upgrading the Cisco Controller to another release check for APs or AP modes support. Ensure that only supported APs are connected and also the APs are moved to supported modes on the release that the controller is upgraded or downgraded to.

• Legacy clients that require RC4 or 3DES encryption type are not supported in Local EAP authentication.

• If you downgrade to Release 8.0.140.0 or 8.0.15x.0, and later upgrade to a later release and and also have the multiple country code feature configured, then the configuration file could get corrupted. When you try to upgrade to a later release, special characters are added in the country list causing issues when loading the configuation. For more information, see CSCve41740.

  Note	Upgrade and downgrade between other releases does not result in this issue.

• After downloading the new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an upgrading image state. In such a scenario, it might be necessary to forcefully reboot the controller to download a new controller software image or to reboot the controller after the download of the new controller software image. You can forcefully reboot the controller by entering the reset system forced command.

• It is not possible to download some of the older configurations from the controller because of the Multicast and IP address validations. See the "Restrictions on Configuring Multicast Mode" section in the Cisco Wireless Controller Configuration Guide for detailed information about platform support for global multicast and multicast mode.

• When a client sends an HTTP request, the controller intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the controller is longer than 2000 bytes, the controller drops the packet. Track the Caveat ID CSCuy81133 for a possible enhancement to address this restriction.

• When downgrading from one release to an earlier release, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files that are saved in the backup server, or to reconfigure the controller.

• When you upgrade a controller to an intermediate release, wait until all the APs that are associated with the controller are upgraded to the intermediate release before you install the latest controller software. In large networks, it can take some time to download the software on each AP.

• You can upgrade to a new release of the controller software or downgrade to an earlier release even if FIPS is enabled.

• When you upgrade to the latest software release, the software on the APs associated with the controller is also automatically upgraded. When an AP is loading software, each of its LEDs blinks in succession.

• Controllers support standard SNMP MIB files. MIBs can be downloaded from the software download page on Cisco.com.

• The controller software that is factory-installed on your controller and is automatically downloaded to the APs after a release upgrade and whenever an AP joins a controller. We recommend that you install the latest software version available for maximum operational benefit.

• Ensure that you have a TFTP, HTTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

  • Ensure that your TFTP server supports files that are larger than the size of controller software image. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within Cisco Prime Infrastructure. If you attempt to download the controller software image and your TFTP server does not support files of this size, the following error message appears:

    TFTP failure while storing in flash

  • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

• The controller Bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the Bootloader to boot with the backup image.

  With the backup image stored before rebooting, from the Boot Options menu, choose Option 2: Run Backup Image to boot from the backup image. Then, upgrade with a known working image and reboot controller.

• You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface, using the following command:

  config network ap-discovery nat-ip-only {enable | disable}

  The following are the details of the command:

  enable —Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

  disable —Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same controller.

  Note	To avoid stranding of APs, you must disable the AP link latency (if enabled) before you use the disable option in the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

• Do not power down the controller or any AP during the upgrade process. If you do this, the software image might get corrupted. Upgrading the controller with a large number of APs can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent AP upgrades supported, the upgrade time should be significantly reduced. The APs must remain powered, and controller must not be reset during this time.

• After you perform the following functions on the controller, reboot it for the changes to take effect:

  • Enable or disable LAG.

  • Enable a feature that is dependent on certificates (such as HTTPS and web authentication).

  • Add a new license or modify an existing license.

    Note	Reboot is not required if you are using Right-to-Use licenses.

  • Increase the priority of a license.

  • Enable HA.

  • Install the SSL certificate.

  • Configure the database size.

  • Install the vendor-device certificate.

  • Download the CA certificate.

  • Upload the configuration file.

  • Install the Web Authentication certificate.

  • Make changes to the management interface or the virtual interface.

• Cisco WLAN Express Setup Over-the-Air Provisioning

• Mobility controller functionality in converged access mode

• VPN Termination (such as IPsec and L2TP)

• Internal DHCP Server

• Mobility controller functionality in converged access mode

• VPN termination (such as IPsec and L2TP)

• Fragmented pings on any interface

• Cisco Umbrella

• Software-defined access

• Domain-based ACLs

• Internal DHCP server

• Cisco TrustSec

• Access points in local mode

• Mobility or Guest Anchor role

• Wired Guest

• Multicast

  Note	FlexConnect locally switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on IGMP or MLD snooping.

• FlexConnect central switching in large-scale deployments

  Note	FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps. FlexConnect local switching is supported.

• Central switching on Microsoft Hyper-V deployments

• AP and Client SSO in High Availability

• PMIPv6

• Datagram Transport Layer Security (DTLS)

• EoGRE (Supported only in local switching mode)

• Workgroup bridges

• Client downstream rate limiting for central switching

• SHA2 certificates

• Controller integration with Lync SDN API

• Cisco OfficeExtend Access Points

• Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC

• High availability (Fast heartbeat and primary discovery join timer)

• AP acting as supplicant with EAP-FASTv1 and 802.1X authentication

• AP join priority (Mesh APs have a fixed priority)

• Location-based services

• Dynamic Mesh backhaul data rate.

  Note	We recommend that you keep the Bridge data rate of the AP as auto.

• Background scanning

• Noise-tolerant fast convergence

• MAC Authentication FlexConnect Local Authentication

• Noise-tolerant fast convergence

• Static WEP

• MAC Authentication FlexConnect Local Authentication

• Noise-tolerant fast convergence

• Static WEP