Alcatel-Lucent OmniVista Cirrus

Network Management as a Service

OmniVista Cirrus Production Notes 4.8.1

OmniVista® Cirrus is a cloud-based Network Management System (NMS). This cloud-based approach eliminates the need for purchasing and maintaining a physical server and installing the NMS onsite, since everything resides in the cloud. Network Operators can access OmniVista Cirrus from anywhere, using any approved browser and device (e.g., workstation, tablet).

Access to OmniVista Cirrus is supported on the following browsers: Chrome 68+ (on Windows and Redhat/SuSE Linux client PCs), and Firefox 62+ (on Windows and Redhat/SuSE Linux client PCs).

These Production Notes detail new features and functions, network/device configuration prerequisites, supported devices, and known issues/workarounds in OmniVista Cirrus. Please read the Production Notes in their entirety as they contain important operational information that may impact successful use of the application.

New Features and Functions

An overview of new features and functions is provided below.

Devices

OmniVista Cirrus now supports the following devices:

  • AOS Switches
    • OS6570M-12
    • OS6570M-12D
    • OS6570M-U28
    • OS6570M-U28D
    • OS2360-P24M
  • Stellar APs
    • OAW-AP1411
    • OAW-AP1431

Software

OmniVista Cirrus now supports the following OS Software Versions:

  • AOS 5.2R3 – OmniVista Cirrus now supports AOS 5.2R3 for the OS2260 and OS2360 Series Switches.
  • AOS 8.9R2 – OmniVista 2500 NMS now supports AOS 8.9R2 on all previously supported AOS Switches.
  • AWOS 4.0.7 – OmniVista 2500 NMS now supports AWOS 4.0.7 on all supported Stellar APs.

New Features

The following section details new applications introduced in this release.

OAW-AP1411 Dual Radio, Tri-Band Options

The OAW-AP1411 is a dual-radio, tri-band (2.4G, 5G, 6G) Access Point with configurable radio options. A “Radio Setting” attribute in the RF Profile allows you to select one of the following radio band options for the AP:

  • 2.4G, 5G Full (default)
  • 2.4G, 6G
  • 5G Full, 6G

NaaS 3.1 - OmniVista Cirrus NaaS

NaaS 3.1 introduces NaaS OmniVista Cirrus (NaaS OVC) services as an optional, licensed addition to the NaaS Connectivity Right-To-Use (RTU). NaaS OVC services can now be billed with the same frequency over the same duration as the NaaS Connectivity RTU, which reduces upfront costs and simplifies subscription management.
This release of OmniVista Cirrus can operate in one of the following licensing modes:

  • OmniVista Cirrus Standard Subscription (OVC Subscription Mode)
  • OmniVista Cirrus NaaS (OVC NaaS Mode)

The licensing mode is selected when a customer upgrades from a Trial Account to a Paid Account.

No Co-Termination Licensing Mode

Co-Termination is the default licensing mode for OmniVista Cirrus. With this release, a No Co-Termination licensing mode is now available as an alternative licensing mode for add-ons. The option to use the No Co-Termination licensing mode is selected through the Alcatel-Lucent Enterprise Subscription Manager when you add licenses to the subscription. Note that once you select the No Co-Termination licensing mode, you cannot revert back to the Co-Termination licensing mode. The OmniVista Cirrus License Management screen reflects the new licensing mode.

AP RadSec Client with Local RADIUS Server

An AP can now communicate as a RadSec client with a local RADIUS Server that uses RadSec (RADIUS-over-TLS).
To establish a secure connection between an AP RadSec client and the local RADIUS Server:

  • Upload a RadSec Certificate to the AP.
  • Enable TLS on the local RADIUS Server.

Note:

  • AP RadSec Client is not supported on AP1201H, AP1201L, AP1201HL, and AP1261-RW-B models.
  • AP supports one, and only one, TLS-enabled RADIUS server. As a consequence, you cannot have one TLS-enabled RADIUS server as Primary and another TLS-enabled RADIUS server as Secondary.
  • RadSec communication is not supported for wired clients of the AP.

Stellar AP Syslog Over TLS

An option to enable the use of the TLS encryption method for logging of AP events to a remote Syslog server is now available. When this option is enabled, a Syslog Over TLS Certificate is selected to upload to the AP. Configuring up to four remote Syslog Servers is supported.

Private Group PSK

When a PSK-enabled SSID network is created, you can either create a static PSK or enforce Device Specific PSK. This provides a common Passphrase key, which is suitable for networks requiring a network-wide common PSK. Enabling the Private Group PSK (PPSK) allows you to create private groups of client devices on the same SSID network based on a PPSK Entry. Each client device specifies a Passphrase when connecting to an SSID. If the passphrase matches any PPSK Entry, the client is placed in the Access Role Profile specified in that Entry.

Configuring the Private Group PSK option for an SSID network is only available when the Device Specific PSK option is disabled or set to “Prefer Device Specific PSK”. However, if the Device Specific PSK option is set to “Force Device Specific PSK”, OmniVista will not display the Private Group PSK option because the Passphrase specified in Company Property is used instead.

A Private Group PSK Entry, which is used to define a group of devices, consists of the following configurable parameters:

  • Name - Enter a unique name to identify the PPSK Entry. No two Entries can have the same Name.
  • Passphrase - Enter a unique PSK Passphrase for authentication. No two Entries can have the same Passphrase.
  • Access Role Profile - Select the name of an Access Role Profile.

Note: Each SSID can have up to 16 PPSK Entries. The total number of entries across all SSIDs that exist on an AP cannot exceed 64.

UPAM

  • Company Property Check – An add-on Network Enforcement Policy is now a configurable Authentication Strategy option. When enabled, OmniVista will check to see if the device MAC address is listed in the Company Property database. You can also specify an Access Role Profile, Policy List, or other attributes to apply to the device if the MAC address check is successful (found in Company Property) or unsuccessful (not found in Company Property).
  • Create Guest Device – A new Guest Account function allows you to manually add a Guest device to the Remembered Device List. This is particularly useful for Guest devices that are not able to manage portal redirection. The Guest Account Administrator can manually add up to five devices (or whatever the configured limit is) to the Remembered Device List.

Application Updates/Enhancements

The following section details updates and enhancements to existing OmniVista Cirrus applications.

AP Mesh Configuration Enhancements

  • 6G Band option is now available on OAW-AP1451, OAW-AP1431, and OAW-AP1411 in a specific number of countries.
  • Configurable Multicast rate control option (default is 24 Mbit/s). The Multicast rate is applied to "Multicast Video Stream" to help reduce jitter in a Mesh environment.

RF Profile Enhancements

  • DRM Scheduling - The DRM auto-channel selection algorithm defaults to an interval of every six hours starting when the device boots up. The following DRM scheduling options are now configurable to allow changing the time interval and/or start time of channel selection:

    • DRM Time Control – When enabled, allows you to specify a DRM start time.
    • DRM Start Time – Applies when DRM Time Control is enabled. You can specify any hour of the day between 0 and 23 hours.
    • DRM Interval – When DRM Time Control is disabled, you can adjust the time interval up or down (0.5 hour to 12 hours). By default, the interval time is set to every six hours.
  • Channel Switch Announcement (CSA) – 6G Band now supported.

GRE Tunnel Profile TCP Maximum Segment Size (TCP MSS) Setting

  • Configuring a TCP MSS value for a GRE tunnel is now available. The value used can vary across different network segments, which helps to simplify tunnel provisioning.
  • The MTU tunnel setting is applicable to both UDP and TCP packets. The TCP MSS setting applies only to TCP packets and defaults to 1250. The MTU value should be greater than the TCP MSS value, allowing for the IP header length as well as the TCP header length.

Certificates

The following additional Certificates are now available to upload to APs:

  • Local RadSec Certificate – Used for AP RadSec client communication.
  • Syslog Over TLS Certificate – Used for AP remote logging over TLS.
  • Stellar BLE Certificate – Custom device certificate used for sending BLE data to third-party Asset Tracking applications.
  • Stellar WiFi RTLS Certificate – Custom device certificate used for sending WiFi RTLS data to third-party RTLS applications.

Access Role Profile VLAN-Mapping Enhancement

We have expanded the ability to bind up to 256 VLANs to a WLAN/SSID on the AP13xx/AP14xx models. However, not every AP model can accommodate 256 VLANs for all the configured SSIDs. The limitations are outlined below:

  • AP1301H can support 256 VLANs on a maximum of 2 SSIDs, with a total of 512.
  • AP1311/AP1301/AP1431/AP1411 can support 256 VLANs on a maximum of 4 WLANs/SSIDs, with a total of 1024.
  • AP1320/AP1331/AP1351/AP1451 can accommodate 256 VLANs on a maximum of 7 WLANs/SSIDs, with a total of 1792.

SSID Enhancements

  • Extended SSID Scale - The number of SSIDs that can be assigned to the AP Group has been extended to 14. A new option “Extended SSID Scale” is now available when configuring an SSID. Note that when this attribute is enabled, only AP models that support up to 14 SSIDs can join the AP Group. When this attribute is disabled, any AP model can join the group, but the limit is 7 SSIDs per AP Group.
    Note: The status of the Extended SSID Scale attribute does not apply to 6GHz networks, which have a limit of 4 SSIDs per AP Group.
  • Automatic WPA/WPA2 Encryption - The Automatic WPA/WPA2 (mixed mode) Encryption option, with dynamic keys support, is now available when creating a new SSID for the following user networks:
    • Enterprise Network Employees using the 802.1X Authentication method.
    • Protected Network for Guest Users using pre-shared key and an optional Captive Portal Authentication method.
    • Protected Network for Enterprise Employees using pre-shared key and the BYOD Registration Portal Authentication method.

Password Security

Password Strength Enforcement - The System Settings screen provides a new Enforce Strong Password option that is enabled/disabled at the Administrator level to enforce password rules. When Enforce Strong Password is enabled (the default), the following guidelines apply when configuring or editing the password for an OmniVista user profile:

  • Password length: 12 – 30 characters
  • Min number of upper-case letters: 1
  • Min number of lower-case letters: 1
  • Min number of digits: 1
  • Min number of special characters: 1 in the list of ~ ! @ # $ % ^ & * ( ) _ . +
  • Password should not contain username
  • Password is treated as case-sensitive

In addition, a visual evaluation of password strength and a random password generator are provided for the “Password” field on the Create User screen.
Note that strong password restrictions are not applied to existing users unless they attempt to change their user profile when password enforcement is enabled.
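The rules listed above can be pre-checked before an account is created, for example when user profiles are provisioned by script. The following is an added example, not code from OmniVista Cirrus: the function names are hypothetical, letters and digits are assumed to be ASCII, and the username check is assumed to be case-insensitive (stricter than the notes state).

```python
import secrets
import string

# Rules transcribed from the "Enforce Strong Password" list in these notes.
MIN_LEN, MAX_LEN = 12, 30
SPECIALS = "~!@#$%^&*()_.+"  # only these count toward the special-character rule


def check_password(password: str, username: str) -> list[str]:
    """Return the names of the violated rules; an empty list means compliant.

    Assumptions (not stated in the notes): letter and digit classes are ASCII,
    and the username is matched case-insensitively so "Admin" also rejects
    passwords containing "admin".
    """
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        violations.append("upper")
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("lower")
    if not any(c in string.digits for c in password):
        violations.append("digit")
    if not any(c in SPECIALS for c in password):
        violations.append("special")
    if username and username.lower() in password.lower():
        violations.append("username")
    return violations


def generate_password(username: str, length: int = 20) -> str:
    """Generate a random password that satisfies every rule above.

    Uses the OS CSPRNG via `secrets` and rejection sampling: draw a candidate
    from the full alphabet and retry until check_password() reports no
    violations, so no character position is biased toward a class.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, username):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("netadmin", "Tr1cky.Horse+Battery"),
        ("netadmin", "Passw0rd-Passw0rd-"),   # '-' is not in the special list
        ("netadmin", "NetAdmin#2024.lab"),    # contains the username
    ]
    for user, pw in samples:
        print(f"{pw!r}: {check_password(pw, user) or 'ok'}")
    print("generated:", generate_password("netadmin"))
```
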

Guest Account and BYOD License Increase

  • Default Guest Account licenses per AP device increased to 100.
  • Default BYOD licenses per AP device increased to 100.

G Suite Rebranded to Google Workspace

Google Workspace is an evolved version of G Suite designed for seamless integration between Google applications for productivity, team collaboration, and communication. The OmniVista IoT Inventory screen (Network - IoT) under the Chrome Devices option provides integration with Google Workspace. The OmniVista UI and error messages now reflect “Google Workspace”.

APAC Cluster Removed from IoT/Location/Advanced Analytics Server Options

The Asia Pacific (APAC) cluster option is no longer offered on the “Server IP/Host” drop-down menu when configuring an OmniVista Cirrus Advanced Analytics engine type. Note that you can delete old engine profiles containing the APAC cluster only if the profile was not configured for an AP Group. If the profile is configured for an AP Group, edit the AP Group configuration to select a different engine profile.

OmniVista Cirrus Framework Improvements

Remote Access Point (RAP) Enhancements

  • RAP VPN VA updated to 4.8.1 running Oracle Linux 8.7.
  • The default Hard Disk size is now 8G for RAP VPN VA 4.8.1.

Framework Enhancements

  • Ubuntu updated to 20.04
  • Docker updated to 23.0.4
  • OpenSSL updated from 1.0.2g to 1.1.1f
  • OpenVPN updated from 2.3.10 to 2.5.9
  • Activation Server log usage re-designed to improve performance when viewing the Activation log for a device from the Device Catalog.

Network and Device Prerequisites

The following prerequisites must be verified/configured before using OmniVista Cirrus.

Customer Network Prerequisites

The following Network Deployment, Bandwidth, Proxy, Firewall, and NTP Server configurations must be verified/configured on your local network before using OmniVista Cirrus.

Network Deployment

The following sections detail DHCP Network and Static Network deployment prerequisites.

DHCP Deployment Requirements

Standard Requirements

  • IP Address - DHCP Server IP address.
  • Option 1 - Subnet Mask.
  • Option 2 - Gateway.
  • Option 6 - Domain Name Servers - Required for FQDN resolution of OmniVista Cirrus connection points.
  • Option 28 - Broadcast Address. This option is only recommended, not required.
  • Option 42 - NTP Server(s) - Required for Certificate validation (start date and duration), and all related encryption functions. This option is not required on devices running AOS 6.7.2 R04 / AOS 8.5R2 / AWOS 3.0.4.1036 or higher. It is, however, recommended.

ALE Specific Requirements

  • Option 43
    • Sub-Option 1 - Vendor ID. Validate the DHCP response (must be set with the value alenterprise). This sub-option is only required if you specify any of the sub-options listed below, or any devices on your network are running AOS 6.7.2 R03.

The following Sub-Options are only required if you are using a Proxy to connect to the Internet.

    • Sub-Option 129 - Proxy URL. It can be either an IP address or a URL (e.g., "IP-address=4.4.4.4", "URL=http://server.name").
    • Sub-Option 130 - Proxy Port.
    • Sub-Option 131 - Proxy User Name. If the customer proxy access requires authentication, both 131 and 132 can be supplied via these sub-options.
    • Sub-Option 132 - Proxy Password.
    • Sub-Option 133 - Network ID.
  • Option 138 - Remove any existing configuration (required for all ALE Devices).
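A DHCP scope can be checked against the Option 43 rules above before devices are onboarded. The following is an added example, not ALE code: it assumes the sub-options use the standard RFC 2132 encapsulated code/length/value layout with ASCII text values, the function names and finding labels are hypothetical, and the sample payloads are constructed. The encoding of the Proxy Port value is not stated in these notes, so only its presence is checked.

```python
import ipaddress
from urllib.parse import urlsplit

VENDOR_ID = b"alenterprise"              # required value of Sub-Option 1
PROXY_SUBOPTS = {129, 130, 131, 132, 133}


def tlv(code: int, data: bytes) -> bytes:
    """Encode one sub-option as code, length, value (used to build samples)."""
    if not 0 < code < 255 or len(data) > 255:
        raise ValueError("sub-option code or length out of range")
    return bytes([code, len(data)]) + data


def parse_option43(payload: bytes) -> dict[int, bytes]:
    """Split an Option 43 payload into {sub-option code: raw value}."""
    subopts: dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:                    # PAD carries no length byte
            i += 1
            continue
        if code == 255:                  # END terminates the encapsulated list
            break
        if i + 1 >= len(payload):
            raise ValueError(f"sub-option {code}: missing length byte")
        length = payload[i + 1]
        data = payload[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code}: truncated value")
        if code in subopts:
            raise ValueError(f"sub-option {code}: duplicated")
        subopts[code] = data
        i += 2 + length
    return subopts


def proxy_url_ok(value: bytes) -> bool:
    """Accept only the two documented forms: "URL=http://..." or "IP-address=x.x.x.x"."""
    try:
        text = value.decode("ascii")
        if text.startswith("IP-address="):
            ipaddress.ip_address(text[len("IP-address="):])
            return True
        if text.startswith("URL="):
            parts = urlsplit(text[len("URL="):])
            return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:                   # bad encoding, bad IP, or malformed URL
        return False
    return False


def audit_option43(payload: bytes) -> list[str]:
    """Return findings for a payload; an empty list means it matches the notes."""
    sub = parse_option43(payload)
    findings = []
    if 1 in sub and sub[1] != VENDOR_ID:
        findings.append("vendor-id-wrong")
    elif 1 not in sub and PROXY_SUBOPTS.intersection(sub):
        findings.append("vendor-id-missing")        # required once 129-133 are used
    if 129 in sub and not proxy_url_ok(sub[129]):
        findings.append("proxy-url-format")
    if (129 in sub) != (130 in sub):
        findings.append("proxy-server-port-incomplete")
    if (131 in sub) != (132 in sub):
        findings.append("proxy-auth-incomplete")
    if 132 in sub:
        # DHCP replies are unauthenticated cleartext on the local segment.
        findings.append("proxy-password-in-dhcp")
    return findings


# Constructed sample payloads (not captured from a real network).
GOOD = (tlv(1, VENDOR_ID) + tlv(129, b"URL=http://proxy.example.test")
        + tlv(130, b"8080"))
BAD = (tlv(129, b"proxy.example.test") + tlv(131, b"svc")
       + tlv(132, b"constructed-secret"))

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, payload.hex(), audit_option43(payload) or "ok")
```
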

Static Deployment Requirements

The following switch configuration prerequisites must be met for a Static Network Deployment.

1. Execute the following CLI commands on each switch. The commands can be contained in a CLI Script and pushed to network switches. See the CLI Scripting online help for more information.

ip name-server <dns_ip>
ip domain-lookup
ntp server <ntp_ip>
ntp client enable

2. (If you are using a Proxy), modify the <running directory>/cloudagent.cfg file on each switch as follows:

  • Activation Server URL: Enter the Activation Server FQDN.
  • HTTP Proxy Server: Enter the Proxy IP address.
  • HTTP Proxy Port: Enter the Proxy IP port.
  • HTTP Proxy User Name: Enter the Proxy username.
  • HTTP Proxy Password: Enter the Proxy password.

3. Enable the Cloud Agent on each switch with the following CLI Command:

cloud-agent admin-state enable

Bandwidth Requirements

Onboarding
For basic onboarding of devices and connection to the OmniVista Cirrus Server, a minimum of 10 kbps end-to-end network throughput is required between the device and OmniVista Cirrus.

Advanced Management
To enable statistics data transfer, status queries, configuration commands, and other requests/responses between devices and OmniVista Cirrus, a minimum of 2 Mbps without latency end-to-end network throughput is required between the device and OmniVista Cirrus. APs must be running the latest AWOS software version.

Proxy Requirements

If a device is accessing the Internet via an HTTP/HTTPS proxy, the proxy server must be specified in DHCP Option 43, Sub-Option 129 (Server) and Sub-Option 130 (Port). The server may be specified in one of two formats: 1) “URL=http://server.domain”, or 2) “IP-address=x.x.x.x”. The port is specified as a number (8080).

Firewall Requirements

The following ports must be configured to allow outbound traffic from your local network:

  • 443 - If you are not using a Proxy to connect to the Internet, your firewall must allow outbound access to this port; if you are using a Proxy, you need to be able to access this port via your local proxy. The following FQDNs should be allowed on this port:
    • images.myovcloud.com
    • images.prod.myovcloud.com
    • activation.prod.myovcloud.com
    • activation.myovcloud.com
    • registration.prod.ovcirrus.com
    • registration.ovcirrus.com
    • multi.prod.ovcirrus.com
    • multi.ovcirrus.com
    • {tenant-friendly-name}.ov.ovcirrus.com (e.g., acme.ov.ovcirrus.com)
    • {tenant-friendly-name}.upam.ovcirrus.com (e.g., acmeorg.upam.com)
    • {tenant-ID}.tenant.vpn.myovcloud.com (please contact Alcatel-Lucent Enterprise Technical Support to obtain your tenant ID)
    • {tenant-ID}.tenant.ovd.myovcloud.com (please contact Alcatel-Lucent Enterprise Technical Support to obtain your tenant ID)
    • debug.prod.myovcloud.com
  • 80 - Relevant only if you are accessing UPAM Guest/BYOD Captive portal via insecure HTTP.  If you are not using a Proxy to connect to the Internet, your firewall must allow outbound access to this port; if you are using a proxy, you need to be able to access this port via your local proxy.
  • 123 - Relevant if you are using an NTP Server that is outside of your network. You must ensure that your firewall allows outbound access to port 123 UDP. This access cannot be mediated by a proxy, it must be direct (NAT is allowed). The following FQDNs should be allowed on this port:
    • clock1.ovcirrus.com
    • clock2.ovcirrus.com
    • clock0.ovcirrus.com
    • clock3.ovcirrus.com
  • 53 - Relevant if you are using a DNS Server that is outside of your network. You must ensure that your firewall allows outbound access to both port 53 TCP and port 53 UDP. This access cannot be mediated by a proxy, it must be direct (NAT is allowed).

NTP Server Requirements

An NTP Server(s) is required for Certificate validation (start date and duration), and all related encryption functions. Devices must have access to at least one NTP Server, whether local or external. Note that if a device's System Time is not correct, it may take several attempts to synchronize with the NTP Server before the device connects to the OmniVista Cirrus Server.

Device Prerequisites

The minimum device software versions for onboarding and management can be found here.

When licensed devices call home, OmniVista Cirrus checks the software versions the devices are running and, if necessary, triggers an update of the device to the software required to support OmniVista Cirrus 4.7.1. In addition, a software update for a device can be manually triggered from the device list.

Supported Devices

A full list of ALE supported devices/AOS releases can be found here.

Countries of Service and Hosting

A list of countries where Alcatel-Lucent complies with local regulations and hosts OmniVista Cirrus cloud-based service can be found here.

REST API Management

You can use REST APIs for scripting or integration with any third-party systems in your management network. Available OmniVista REST APIs can be found at https://ovc4x.ovcirrus.com/api

Issues/Workarounds

AP Registration

Cannot Re-Upload a New Upload Key File When Creating an 802.1X Certificate (OVE-12732)
Summary: When you re-load an “Upload Key File” with the same name as the existing key file, the “Import” button is disabled. Files with the same name cannot be uploaded again.
Workaround: Upload a file with a different name.

SNMPv3 Username/Password Must Not Contain Certain Special Characters (OVE-12152)
Summary: If the SNMPv3 username/password contains the following special characters, communication with the SNMPv3 agent will fail:

  • Password includes a dollar sign (for example, 123$).
  • Password includes quotation marks (for example, “123”).
  • Password includes () (for example, (123)).
  • Username starts with a dollar sign (for example, $123)

Workaround: Do not include any of the above special characters in the SNMPv3 Username/Password.

Syslog Over TLS Certificate Name Must Not Contain a Space (OVE-12702)
Summary: When creating a Syslog Over TLS Certificate, make sure there are no spaces in the certificate name. For example, “SyslogTLS” is correct, but “Syslog TLS” is not correct and will not be accepted.
Workaround: Specify a certificate name that does not contain any spaces.

Device Catalog

OV Managed Device Automatically Deleted and License Unassigned (OVC-4683)
Summary: A currently managed device can be automatically deleted, its license unassigned, and the device moved to “Registered” if the IP address assignments of devices are changed.

For example, suppose there are two devices discovered and managed by OmniVista: Device1 with IP address "IP1", and Device2 with IP address "IP2". At some point, the IP address assignments for these devices are changed as follows: Device1 IP address is changed from "IP1" to "IP2"; and Device2 IP address is changed from "IP2" to something else. This scenario could happen, for example, if the DHCP Server is restarted and does not attempt to give the same IP address as before to the DHCP clients.

If Device1 is then rediscovered (as part of periodic polling or by a manual user action), Device2 will be deleted from OmniVista when OmniVista discovers that Device1 now has the "IP2" IP address to avoid the situation where two devices have the same IP address in OmniVista.
Workaround: NA - Informational.

Upgrades Are Triggered Differently for 6x and 8x Switches (OVC-435)
Summary: The Activation Server checks the "current software version" from the switches to determine whether a switch should upgrade or not. Because of the different behaviors of 6x and 8x Switches, there may be some inconsistencies about when a switch will be triggered to upgrade.

  • AOS 8x switches send current software version of the current running directory.
  • AOS 6x switches send current software version of WORKING directory when in sync.

Example AOS 6x:
Assume switch comes up in the Certified Directory.
Assume /flash/working has the same image version as "desired software version" set in Device Catalog, whereas /flash/certified has a lower version. Since AOS 6x sends current software version of /flash/working, upgrade will NOT be triggered on the switch.

Example AOS 8x:
Assume switch comes up in the Certified Directory.
Assume /flash/cloud has the same image version as "desired software version" set in Device Catalog, whereas /flash/certified has a lower version. Since AOS 8x sends the current software version of the current running directory, which is /flash/certified, there will be an upgrade. The switch will download the desired software version to /flash/cloud and reboot from /flash/cloud.

Workaround: NA - Informational.

Auto-Upgrade for Switches Running Lower Than AOS 6.7.2.R7 (OVC-8103)
Summary: Switches running an AOS version lower than 6.7.2.R7 will be automatically upgraded to AOS 6.7.2.R7 even if you select the "Do Not Upgrade" option when adding the device to the Device Catalog.
Workaround: N/A - Informational.

Inventory

Upgrade Workflow Should Be Changed When Device Is Loaded From Certified Directory (OVC-435)
Summary: When an AOS 6.x Switch with "Set to Software Version" set to "Latest Version" contacts the OmniVista Server, the server checks the Working Directory to see if it is running the latest AOS software. If the Working Directory contains the latest software version, an upgrade will not be triggered, even if the Certified Directory is running on an older software version. To upgrade the Certified Directory to the latest software, reboot the switch from the Working Directory.
Workaround: NA - Informational.

Can't Display Running Directory Information for NaaS Device in Degraded Mode (OVE-11416)
Summary: When you launch an SSH session to a NaaS device in the Degraded License Mode and send the show running-directory command, an error message is displayed. For example:

-> show running-directory
ERROR: CLI commands are blocked in Naas license degraded mode.

Workaround: No workaround at this time.

OmniVista does not Indicate Failure Reason when NaaS Device is in Degraded Mode (OVE-11475)
Summary: OmniVista does not indicate the reason for a failure when a configuration or software upgrade through Managed Devices fails because the NaaS license has expired on the device.
Workaround: No workaround at this time.

mDNS

mDNS Server and Client Policy: UI Offers Policy Lists in "Access Role Profile" Drop-Down (OVE-10559)
Summary: When creating or editing an mDNS Server or Client Policy, the Access Role Profile drop-down is populated with Unified Policy Lists, not Access Role Profiles.
Workaround: Do not use the drop-down list suggestions. Manually enter the Access Role Profile Name in the field and click on the Add icon (+) to configure an Access Role Profile for the policy.

Notifications

The alaNaasLicenseInstalledAlert Trap Shows the Wrong Value (OVE-11374)
Summary: When a NaaS license (Management, Upgrade, Essential, Advanced) is installed on a switch, the alaNaasLicenseInstalledAlert trap is sent. However, when the trap is viewed on the Notifications Home Screen (Network – Notifications), the trap displays incorrect values.
Workaround: No workaround at this time.

The NaaS VC Device Sends the alaNaasInconsistentModeAlert Trap Multiple Times (OVE-11414)
Summary: When a device in a VC configuration changes mode (for example, CAPEX to NaaS), the alaNaasInconsistentModeAlert Trap is sent multiple times and absorbed into the trapAbsorptionTrap. The alaNaasInconsistentModeAlert Trap should only be sent once when an inconsistent mode is detected.
Workaround: No workaround at this time.

The NaaS License Expiry Time is Reported in the Number of Whole Days Remaining until the License Expires (OVE-11415)
Summary: On a NaaS device, the show naas license CLI command displays the Expiry Time. This reflects the number of whole days (24 hours/day) until the license expires. For example, if the time remaining until expiration is 30 days and 21 hours, the Expiry Time is reported as 30 days, not 31 days.

A NaaS device sends the alaNaasExpirtyDayAlert trap at 30 days, 7 days, and 0 days. If the remaining time before the license expires is 10 hours, this trap is not sent until those 10 hours have elapsed. However, the Expiry Time will show “0 days”.

Workaround: No workaround at this time.

The Days Left for Expiry is Incorrect for an AP NaaS License (OVC-9151)
Summary: The “Days Left for Expiry” field on the NaaS License Information on Device screen does not display the correct number of days until the license expires for an AP device.
Workaround: Refer to the "Expiry Date" field instead.

UPAM

HTTPS Traffic is Not Redirected to Portal Page for an HSTS Website (OVC-1777)
Summary: The first time a user opens an HSTS website, they are redirected to the portal page, as expected. The second time a user opens an HSTS website, the redirection will not work. If the user clears the browser cache and retries connecting to the HSTS website, it will work. The behavior depends on the browser used. Chrome is very strict, so the problem is always seen. Firefox is not as strict; the problem will still happen, but not as frequently.
Workaround: There is no workaround at this time.

No IPv4 or IPv6 Value Displayed in UPAM Authentication Record (OVC-6061)
Summary: Client IP address is not displayed in UPAM Authentication Record.
Workaround: No workaround at this time.

Delay in UPAM Interactions After Subscriber Gets a Paid Account (OVC-6806)
Summary: After a subscriber gets a paid account, UPAM-related interactions will not work until the free radius server is restarted (at 00:00 AM the subsequent day).
Workaround: There will be a delay in realizing any expected changes in UPAM function when any of the following occurs:

  • Creation of a new tenant
  • Activation of a different RADIUS Server Certificate
  • Synchronization of RADIUS Attribute Dictionary at OmniVista with RADIUS Server
  • Edit of NAS Client details.

After any of the above actions, expected UPAM changes will take effect after the following midnight (00:01 a.m. PST), as these require a restart of the OmniVista internal RADIUS Server. The OmniVista internal RADIUS Server is restarted periodically at midnight PST. All tenants sharing the same OmniVista VM will experience a brief period of interruption of UPAM RADIUS functionality during this periodic restart.

WiFi4EU not Connected to Captive Portal (OVE-11164)
Summary: The validity period for Captive Portal authentication defaults to 30 days, but the WiFi4EU requirement is a maximum of 24 hours.
Workaround: There is no workaround.

The UI Does Not Offer a TLS Port Field When TLS is Enabled for RADIUS Server (OVE-12747)
Summary: When creating a TLS-enabled RADIUS server, the Create RADIUS Server screen (Security – Authentication Servers – Radius) does not offer a field to specify the TLS Port value.
Workaround: Specify the TLS Port value in the “Authentication Port” field, which is 2083 by default.

OmniVista ClearPass Integration Fails When Adding APs to AP Group (OVE-12378)
Summary: When a new AP is added to an AP Group, the configuration is not automatically added to the ClearPass Device List or the AP. Automatic synchronization with ClearPass when a new AP device is added to an AP Group is not supported.
Workaround: Use the “override” function to re-apply the ClearPass configuration to the new AP devices.

Web Content Filtering

If an AP Client is using a Mobile Application, WCF does not Work (OVE-10205)
Summary: When client access uses a mobile application (e.g., Facebook, Twitter, YouTube, etc.), there are no restrictions; the application is not blocked and will load properly, as if WCF is disabled on the AP.
Workaround: No workaround at this time.

WCF Limitation when a Client Accesses the Internet through an HTTP/HTTPS Proxy (OVE-11466)
Summary: When a client is behind a proxy, the client doesn’t request the AP to resolve the DNS query but directly requests the proxy server. As a result, the AP does not get the opportunity to perform the WCF function, so the accept/reject of a website does not work as configured/expected by the user on OmniVista.
Workaround: No workaround at this time.

WLAN

Client Name Field Blank for Clients Running iOS 14 (OVC-8287)
Summary: The Client Name field in the “List of All Client on All APs” is not displayed for devices running iOS 14.
Workaround: No workaround at this time. The problem occurs on devices running iOS 14 as they do not send Option 12 in the DHCP message.

RF Profile Not Supported on AP1201BG (OVE-10781)
Summary: Stellar OAW-AP1201BG does not support RF profiles, as it is a BLE gateway.
Workaround: No workaround at this time.

Social Login Fail with Google Account (OVC-8901)
Summary: The default list of URLs shown when selecting Social login vendors (Google, Facebook…) does not include country-specific URLs.
Workaround: Manually add/append the required URLs to the list of “Whitelist Domains” when you configure the SSID.

Stellar AP Connectivity to OS22x60 does not Work (OVE-11467)
Summary: The trust VLAN tag option on OS22x60 ports connected to a Stellar AP does not work. As a result, the wireless client VLAN-tagged traffic forwarded by the AP to the switch is blocked.
Workaround: No workaround at this time.

The 6GHz SSID Interface Will Not Function if PMF State Is Not Set to “Required” (OVE-12727)
Summary: When 6GHz is part of the selected band for an SSID, the correct Protected Management Frame (PMF) setting is “Required”. If you change the PMF state to “Optional”, the 6GHz SSID interface will not function.
Workaround: Do not change the PMF state to “Optional” when configuring a 6GHz SSID.

After Editing an SSID With PPSK Entries, Access Guardian Service Does Not Respond to Any Requests Until Restarted Manually (OVE-12818)
Summary: You can create an SSID with Private Group PSK entries and assign it to AP Groups. After the SSID is created, you can assign/unassign the SSID to AP Groups. However, if you edit the SSID and then assign/unassign AP Groups or if you delete the SSID, then the Access Guardian service will stop responding to any requests. This impacts the loading of the SSID and other UI pages in the Unified Access application.
Workaround: Currently, there is no solution. This issue will be resolved in the next release. To restore service on OVC and OVE, please contact technical support. The UI will regain responsiveness once the service is restored. It is important to note that the problem will resurface after editing the SSID.

Other

If You Remove a Master from a Virtual Chassis Slave Devices Lose Connectivity
Summary: If you remove a Master from a Virtual Chassis (VC), Slave devices lose connectivity due to stale certificates. Devices use a certificate to communicate with OmniVista Cirrus. This certificate is given to the devices by OmniVista Cirrus on their first Activation attempt. In a VC, the Master chassis is issued a certificate for its Serial Number and this certificate is copied over to all the Slaves. If the owner of the certificate (Master) is removed permanently from the VC, the remaining chassis will form a VC and attempt activation using the certificate of the old Master but will be unable to activate using this certificate. Customers should raise a ticket with ALE Customer Support to overcome this issue. After understanding the VC topology, ALE Customer Support might decide to remove the certificate from the VC and enable the remaining chassis in the VC to attempt Cloud Activation afresh.
Workaround: Raise a ticket with ALE Customer Support. After investigating the VC topology, ALE Customer Support may decide to remove the certificate from the VC and enable the remaining chassis in the VC to re-attempt activation.

Problem Connecting to Switch with OV Assistant When Multiple Bluetooth Dongles Present (OVC-7240)
Summary: The OmniVista Assistant uses the Bluetooth dongle MAC address to initiate a connection to a switch. If multiple Bluetooth dongles are active at the same time, OmniVista Assistant may initiate a connection to an unexpected dongle.
Workaround: Make sure there are no other active Bluetooth dongles in the area, and make sure the correct model and serial number appear under "Paired Devices" before initiating a connection to a switch.

Issues Fixed

Issues Fixed Since Release 4.7.1

  • CSA Limitation on 6GHz (OVC-9306)
  • User should not set AP to RAP twice in GOV (OVC-9627)

Issues Fixed Since Release 4.6.2

  • "Export VPN Settings" with Shorthand Mask Option does not Show the List Peer IP Address (OVE-11444)
  • Editing an AP Group to Add a New Profile Resets the Timezone to the UTC-8 Default Value (OVE-11531)
  • Cannot Work Simultaneously on Two SSH Tabs Opened Inside CLI Scripting (OVC-9022)
  • OVC Tenant cannot load any data; error “communication failure with OV Cirrus” displayed on the Dashboard. The cause was the ActiveMQ Service reaching the memory limit (OVC-9072)
  • OVC Default Radius server was not created because the scheduler service got stuck (OVC-9002)
  • OVC SSH Incompatibility with Stellar AP when doing SSH Terminal. Removal of weak SSH algorithms (OVC-9230)
  • The OmniVista Topology Map does not Display the LLDP Link Between an AOS 8.8R1 OmniSwitch and an AWOS 4.0.4 AP (CRAOS8X-31942)

Issues Fixed Since Release 4.6.1

  • IoT Exception List Does Not Work for iOS Devices (OVC-7843)
  • Unable to find the RAP in the OV2500 (OVC-8302)
  • Trap Configuration Fails when the Switch Name Contains the “#” Character (OVE-10558)
  • HTTPS Captive Portal Redirection with Proxy Reduces Performance (OVE-11482)

Issues Fixed Since Release 4.5.3

  • MTS-Managed Tenant Local Users Cannot Use "View SSIDs on an AP Group" Feature (OVC-6321)
  • Cannot Onboard a Switch Running AOS 6.7.2.R05 (OVC-6879)
  • Device Address Column Sorted Incorrectly in Device Backup/Restore Table (OVE-1861)
  • Cannot Download Radius Server Certificates (OVC-8405)
  • Must Wait 1 Day Before Using Web Content Filtering (WCF) Feature (OVC-8508)
  • User Is Not Notified When User Role Is Configured for Two-Factor Authentication (OVC-8540)
  • Client Blacklisting Does Not Work on AP1320/AP1360 (OVE-9544)
  • mDNS Server and Client Policy: UI Offers Policy Lists in "Access Role Profile" Drop-Down (OVE-10559)
  • Unified Policies Are Lost on Certain Switches After Reboot (CRAOS8X-26272)

Issues Fixed Since Release 4.5.2

  • APs Are Displayed as IOT Devices in IoT Inventory (OVE-5542)

Issues Fixed Since Release 4.5.1

  • ALE-BYOD Users and ALE-Corp Users Disassociated from SSIDs (OVE-6759)
  • Delete Map Cannot Complete in Topology (OVC-7412)

Additional Documentation

Online help is available in OmniVista Cirrus and can be accessed by clicking on the Help Link (?) in the upper-right corner of any screen. You can also search through the online help on the OmniVista Cirrus Home Page. An overview of OV Cirrus as well as Getting Started Guides for Freemium and Paid Accounts is available here.