OmniVista Cirrus Production Notes (10.3)

This release of OmniVista Cirrus provides a free trial version of the full OmniVista Cirrus Solution. The trial version extends for 6 months and can be used to monitor up to 20 wireless devices (additional time and number of devices can be requested). You can then upgrade from the free trial version to a paid licensed version of OmniVista Cirrus.

OmniVista Cirrus 10.3 can be accessed from anywhere, using any approved browser and device (e.g., workstation, tablet). Access to OmniVista Cirrus is supported on the following browsers: Chrome 79+ (on Windows and Redhat/SuSE Linux client PCs), and Firefox 62+ (on Windows and Redhat/SuSE Linux client PCs).

These Production Notes detail features and enhancements, network/device configuration prerequisites, supported devices, and known issues/workarounds in OmniVista Cirrus 10.3. Please read the Production Notes in their entirety as they contain important operational information that may impact successful use of the application.

• Features

• Network and Device Prerequisites

• Supported Devices

• REST API Management

• Known Issues/Workarounds

• Additional Documentation

• Technical Support

Features

This section provides an overview of the features and enhancements introduced with this release.

• WLAN Management

• AP Management

• UPAM

• Troubleshooting Enhancements

• User Interface Improvements

• Regulatory Compliance

• Beta Features

WLAN Management

• Wi-Fi 6/6E Support on OAW-AP1451
  Options for a new 6GhZ band are configurable for SSIDs and RF Profiles. In addition, Network Analytics displays information and processes events for 6GHZ band and channel.

• Country Codes Supported on Stellar Wi-Fi 6 -RW Models
  Click here for a list of supported country codes.

• Channel Switch Announcement (CSA – 802.11h)
  CSA functionality enables the AP to announce to clients that it is going to switch to a new channel. This allows clients that support CSA to move to the new channel and limit downtime. CSA is a configurable option in an RF Profile and enabled by default. The number of announcements the AP sends before switching to a new channel can also be specified in the RF Profile.

• Wi-Fi Enhanced Open^TM for Open SSID

  • Wi-Fi Enhanced Open™ is a new security standard based on Opportunistic Wireless Encryption (OWE). OWE ensures that the communication between each pair of endpoints is protected from other endpoints. Unlike conventional Wi-Fi, it provides "Individualized Data Protection" such that data traffic between a client and access point is "individualized". Wi-Fi Enhanced Open™ offers improved data privacy while maintaining convenience and ease-of-use.

  • Administrators can now provision an open SSID that is secure. This functionality is particularly useful in public spaces, where open, non-protected network access (particularly to guests) is provided. The administrator can enable Wi-Fi Enhanced Open™ on the open SSID to provide encryption and privacy using OmniAccess Stellar.

• SSID Management

  • SSID schedule availability is now configurable. You can specify the days and times during which the SSID is broadcast.

  • An SSID can now be mapped to a default VLAN/network through an Access Role Profile.

• Wireless Intrusion Protection System (WIPS) Enhancements

  • Summary screen provides an overview of network threats and intrusions for Stellar APs, which includes rogue APs/clients and blocklist clients as well as network attacks over the selected monitoring time period.

  • Intrusive Access Points screen displays information about Intrusive APs on the network, such as interfering APs/clients and rogue APs/clients. You can add interfering and rogue APs to the Friendly APs list and add clients to the Client Blocklist.

  • Wireless Attacks screen displays information about wireless attacks on the network, such as AP and client attacks. You can add APs to the Friendly APs list and add clients to the Client Blocklist.

AP Management

• AP Mesh/Bridge Support
  OmniVista Cirrus now provides the ability to configure an AP as a Mesh or Bridge AP.

  • Mesh APs provide network access for wireless clients and establishes a Mesh path to the Mesh root, which uses its wired interface to connect to LAN network.

  • A Bridge AP is used to create a wireless bridge across two sites (P2P only). It does not provide any network access directly for wireless clients.

  • Using the Device Catalog List screen, you can configure the Mesh/Bridge mode for an AP device, display the Mesh topology, and configure common parameters (SSID, band, passphrase) and do bulk upgrades for all APs participating in an exiting Mesh.

• Remote Access Points
  OmniVista Cirrus 10.3 now supports Remote Access Points. You can configure an offsite, remote AP as a Remote Access Point (RAP) that can be managed by a local OmniVista 2500 NMS installation through a Management VPN Tunnel. OmniVista Cirrus 10.3 is used to declare the APs that will be managed remotely by the OmniVista 2500 NMS installation and assign the remote APs to a Management VPN Tunnel.

When the AP(s) is connected to the network, it automatically contacts the OmniVista Cirrus Activation Server, which downloads the necessary IP and VPN configurations so the AP can be added to your Device Catalog and managed by your local OmniVista 2500 NMS installation.

• AP Wired Downlink Port Client Authentication and Analytics
  Stellar AP models AP1301H and AP1311 support wired ports and wired clients, which are now supported in OmniVista Cirrus 10.3.

  • The Device Catalog includes a list of AP wired ports from which you can analyze wired port information and enable/disable the port administrative status.

  • Access Authentication Profiles and AAA Server Profiles can now be configured to define the authentication process for client traffic received on Stellar AP downlink ports. This also includes actions taken if a client fails authentication (such as trust the client VLAN tag, classify traffic based on Access Classification rules, bypass VLAN options, etc.).

  • Analytics include a list of online wired clients and wired client sessions.

• SNMPv3 Support for Stellar APs
  Provisioning Configuration now includes an SNMPv3 option for the SNMP Settings (SNMP Service and Trap Service).

UPAM

• Access Policy Option to Limit Access to EAP-TLS, EAP-PEAP
  By default, the option to Allow All EAPs is enabled for the Authentication Method of an Access Policy. However, you can now disable this option and select to only allow EAP-TLS and/or EAP-PEAP protocols.

• Role Mapping for On-Line Premises LDAP
  On-Premises LDAP option for Authentication Source in BYOD Access Strategy. When selected, you can enable Role Mapping to limit access to defined LDAP roles through an Access Policy.

• Guest Management

  • Social media login for Guest users (Rainbow, Facebook, Microsoft Azure).

  • Authentication through an external Captive Portal server.

  • Configurable time and data quotas for Guest user access.

  • Configurable exhaustion handling options for when a Guest user exceeds time or data quota.

  • Custom Attributes now supported for Terms and Conditions Guest login.

  • Guest self-registration improvements:

    • Attributes of a Self-registration request (as listed in the Guest Access Strategy, including Custom Attributes) are shown in Guest Accounts after the Self-registration requests are approved.

    • Customizable Email and SMS content templates. Content is used in Email or SMS messages sent during all OmniVista Cirrus operations.

    • Customizable Print Ticket page for Guest user login information.

• Guest/Employee Account Password Policy

  • Configurable username and password policy for Guest and Employee user login.

  • Forgot password option provided for Guest user on Captive Portal login page. Guest user can change their login password without an Administrator.

• Device Specific PSK
  Device Specific PSK provides more security than traditional PSK. You can now enable Device Specific PSK on a wireless network and on a device. When the AAA Server sends the RADIUS Access-Accept for MAC Authentication for the device, it will also send the specific pre-shared key for that device, differentiated by the device's MAC Address. This means that each device will have a different key.

  • Device Specific PSK will only work with a UPAM RADIUS Server and must be enabled on the SSID wireless network as well as the device.

  • Devices are configured for Device Specific PSK on the Company Property Screen.

  • Devices are also configured for Device Specific PSK from the Authentication Records List.

  • You can print or Email the Device Specific PSK QR Code information to provide to the user.

• Configurable Data Persistency
  You can now configure how long OmniVista Cirrus retains data even after the application or system that created or used it has been closed or shut down. The data retention period for various applications (such as Event traps, Authentication records, user login attempts, etc.) is configurable through the Basic Settings of an Organization.

• RADIUS/LDAP Server Management

  • RADIUS Server Certificate - Used to establish a secure connection with a network device for 802.1X or TLS authentication.

  • RadSec Certificate - Used to establish a secure connection between UPAM and an external RADIUS server that uses RadSec (RADIUS-over-TLS). UPAM acts as a RadSec client when communicating with the RadSec server.

  • Additional Trust CA - Used to add a trusted certificate authority to the UPAM RADIUS server trust store for client authentication.

  • External RADIUS Server - You can now configure a connection with an external RADIUS server that UPAM will use for authentication.

    • If the external RADIUS server is a RadSec server, UPAM can act as a RadSec client.

    • The external RADIUS server can be designated in various authentication strategies. UPAM will serve as a proxy to communicate with the external server.

    • You can enable pre-emption to specify that after a failover to a backup external server, UPAM will return to the primary external server at the end of a configurable time period.

  • Local RADIUS/LDAP Server Pre-Emption - You can now enable pre-emption to specify that after a failover to a backup server, the AP will return to the primary server at the end of a configurable time period.

Troubleshooting Enhancements

• Diagnostics Tools under “Actions” in the Device Catalog provide troubleshooting for a device when Management Connectivity is “On” for the device (the device is connected to the OmniVista Cirrus VPN).

  • In addition to Ping, Reboot, and Reset, the following Diagnostics Tools are now available:

    • Ping from the device

    • Traceroute from the device

    • Collect Support Info

• A new Device Troubleshooting screen allows you to send troubleshooting commands to the AP device. This new function provides additional troubleshooting when Management Connectivity is off for the device (the device is not connected to the OmniVista Cirrus VPN). If the AP device is connected to the Internet and is calling home, the troubleshooting commands are sent to the device on the next call home.

User Interface Improvements

• Can view a list of assigned devices/AP Groups associated with a profile or template.

  • New “Assigned Devices” section added to the Additional Information display to show a list of assigned devices/AP Groups associated with a profile or template.

  • Use the "Search" function in the table list display to filter based on any Site name or any AP Group name. Only the profiles/templates that are associated with the Site or AP Group will display.

• Improved Clients Analytics screen display. Connected Clients Over Time bar chart at top of the Client Analytics screen. You clan click on the chart to display Client Analytics charts (such as Client Distribution, Categorization of Clients, Client Throughput Consumption, Connected Duration) for the selected date and time.

• Additional options to change the RF Profile at the device level are now available through the Device Catalog Edit Device menu. Note that when you change the profile at the device level, it takes precedence over the RF Profile assigned to the device through the Provisioning Configuration.

• Option available in the Provisioning Configuration to specify Events that you want devices associated with the Provisioning Configuration to send.

• Optimized design to improve Device Catalog load time.

• Fields categorized into separate sections on the Device Catalog Additional Information display.

• Can now pin a table column to the left side of the table display. The pinned column remains visible at all times as you scroll horizontally to view table contents.

Regulatory Compliance

OmniVista Cirrus 10.3 compliance in US, EU, and abroad:

• General Data Protection Regulation (GDPR)

• California Consumer Privacy Act (CCPA)

Beta Features

Note: The following Beta features are available in OmniVista Cirrus 10.3 and can be configured. However, they have not gone through the complete validation cycle and are therefore not officially supported.

• Wi-Fi location service features (Wi-fi Heatmap, Current Client Density, Client Density History)

• QoE Analytics

Network and Device Prerequisites

To ensure the necessary communication between Access Point devices and OmniVista Cirrus 10.3, verify/configure the following prerequisites on your local network:

• Network Prerequisites - Network deployment, bandwidth, proxy, firewall, and NTP server requirements.

• Device Prerequisites - Supported Access Point software and models.

  • If your fully managed Access Points are running AWOS 4.0.5, please upgrade to AWOS 4.0.6 first before accessing OmniVista Cirrus 10.3.

  • AWOS 4.0.6 is supported only by OmniVista Cirrus 10.3.

• OmniVista Legacy for Analytics Only Mode - Configure an OmniVista 2500 NMS or OmniVista Cirrus 4 to support communication between Analytics Only Access Point devices and OmniVista Cirrus 10.3.

Note: The APAC Broker URL supports Advanced Analytics Only mode. To continue to use Advanced Analytics Only mode on OmniVista Cirrus 10.3:

• Restart a new OmniVista Cirrus 10 subscription on either the EU or Americas Broker URL:

  • EU region: broker.eu.analytics.ovng.myovcloud.com Port: 9093

  • Americas region: broker.us.analytics.ovng.myovcloud.com Port: 9093

• Configure the Analytics Server configuration to point to the OmniVista Cirrus 10 Broker URL that you selected.

Supported Devices

This release of OmniVista Cirrus 10.3 supports monitoring and reporting of advanced analytics for Stellar Access Points, except for the following models:

• OAW-AP1101

• OAW-AP1201L

• OAW-AP1201H

• OAW-AP1201HL

• OAW-AP1261

REST API Management

You can use REST APIs for scripting or integration with any third-party systems in your management network. The complete API reference can be found at the following link based on your region (no login is required):
EU: https://eu.manage.ovcirrus.com/apidoc/apidoc.html
Americas: https://us.manage.ovcirrus.com/apidoc/apidoc.html

For more information, see Automation with APIs.

Known Issues/Workarounds

Certificates

PKSC8 private key is not supported for LDAP cert and AP Web Cert (OVNG-7726)
Summary: PKSC8 private key will NOT be supported in OmniVista Cirrus 10.2
Workaround: Use RSA private key for AP Web certificate and Local LDAP certificate.

Inventory

Schedule Upgrade Using Set Desired Software Version (OVNG-10470)
Summary: When an AP already follows a group schedule and the software version is changed using the “Set Desired Software Version” option from the Edit Device drop-down menu, note the following:

• If the AP Group of the AP device is not part of a schedule upgrade, then the Desired Software Version is set to “Do Not Upgrade”.

• If the AP Group of the AP device is part of a schedule upgrade, the AP device will be upgraded to the Desired Software Version based on the schedule upgrade for the group.

Workaround: Use the “Information” or “Schedule Software Upgrade” options from the Edit Device drop-down menu to have an AP already following a group schedule upgraded to the specified software version on the next call home.

NaaS Device Licenses

Collect Support Info Feature Does Not Work on NaaS APs that have an expired Management License (OVNG-6271)
Summary: If the NaaS management license expires for an AP in NaaS mode, the Collect Support Info operation will fail.
Workaround: Make sure the NaaS Management License is active when the AP is functioning in the NaaS mode.

Network Monitoring

Current Client Density Screen Displays Incorrect Session Start Time for AP Clients (OVNG-11243)
Summary: When you click on an AP on the Current Client Density screen to display a list of clients connected to the AP, the “Session Start Time” field displays the wrong start time.
Workaround: Check the client “Session Start Time” in the Online Wireless Clients Table for the correct date and time.

False Portal Authentication Failure Alert Messages Received (OVNG-11239)
Summary: Portal Authentication Failure alerts received even when there are no authentication attempts by users.
Workaround: Check Authentication Records and Captive Portal Records to verify successful authentication attempts.

UPAM

Errors Occur When the Client Continuously Connects and Reconnects to SSID Portal (OVNG-9735)
Summary: When a user logs into the network, then logs out, and then logs in again, the user may see error messages on the login portal and won’t be able to access the network.
Workaround: User should try avoid continuously logging in and logging out of the network.

After Upgrading to Android 11 or 12, EAP-TLS Protected Wi-Fi No Longer Works (OVNG-9786)
Summary: In 2021, Android (Google) made a change in their OS to enforce "Validate Server Certificate" option for a 802.1X authentication. This means that, Android 11 and 12 will validate the server's device certificate. Hence users need to specify server's device certificate chain (Root And/Or Intermediate CA's) on their Android devices. If not the authentication will fail. Android 10 and below still works. 
Workaround: An alternative is to upgrade the devices to Android 13. Android 13 offers "Trust on First Use" (TOFU) feature. TOFU enables installing the Root CA certificate received from the server during initial connection to a new network. The user must approve installing the Root CA certificate. 

Client Unable to Join 802.1X SSID When All EAP = NO and Allowed Method = EAP-TLS for the Access Policy (OVNG-10155)
Summary: When you create an SSID and select an Access Policy with All EAP set to “No” and Allowed Method set to “EAP-TLS” for the SSID Authentication Strategy, the client is unable to join an 802.1X SSID.
Workaround: There is no workaround at this time.

Delay in Seeing BYOD IPv4 Client in the List of BYOD Device Records (OVNG-10759)
Summary: Once a client connects to a BYOD SSID, there is a delay before seeing the Client IPv4 address in BYOD device records. The AP to which the Client is connected will send the client IPv4 with the second accounting packet.
Workaround: No workaround at this time. Problem will be fixed in the next release.

Service Temporarily Unavailable Message With External RadSec Server (OVNG-11564)
Summary: When attempting to authenticate with an External RADIUS Server that is using RadSec ((RADIUS-over-TLS), you may receive a “Service Temporarily Unavailable” message from OmniVista Cirrus.
Workaround: Configure a new External RadSec Server to replace the old one.

Unified Access

Limitation When Selecting an Existing Group for a Unified Policy Condition (OVNG-10669)
Summary: When using the “Choose Existing Group” option for an L2 MAC or L3 IP Policy Condition, if you modify the Group after the Policy is saved and applied to APs, your changes to the Group will not be applied to the APs. This limitation does not occur when using the “Create a New Group” option.
Workaround: After you modify the Group on the Group screen, go to the Unified Policy and select the “Not defined” option (or make any other change to the Policy) and save it. Then edit the Unified Policy again and select the “Choose Existing Group” option.

SSID

Each AP Group Can Only Support Up to Seven SSIDs (OVNG-10474)
Summary: When you try to assign a new SSID into an existing AP Group that already has seven SSIDs, that AP group will not be included into the new SSID.
Workaround: No workaround at this time.

Other

AP does not Send “portal.report” Event when Wrong Username/Password Entered (OVNG-2811)
Summary: When a user logs in to UPAM Captive Portal with an incorrect username/password, the login will fail but the failure is not immediately indicated on the QoE Analytics UI. Only after 15 minutes will QoE report the failure and the failure is reported as a “Timeout”. Two consequences of this are: Users won’t find out about the failures to login to UPAM Captive Portal until after 15 minutes, and the user will not be able to differentiate between a true “Timeout” with UPAM Captive Portal versus wrong credentials entered at UPAM Captive Portal login.
Workaround: No workaround at this time.

"HostName" Information Lost in “user.report” After the Client Roams to Another AP (OVNG-7792)
Summary: The Client Name (aka “HostName”) information in WLAN Client List is lost after the client roams to another AP.
Workaround: No workaround at this time.

Additional Documentation

Online help is available in OmniVista Cirrus and can be accessed by clicking on the Help Link (?) in the upper-right corner of any screen. You can also search through the online help on the OmniVista Cirrus Documentation home page and/or use the following links to familiarize yourself with OmniVista Cirrus 10.3 features and functionality:

• Introducing OmniVista® Cirrus R10

• Getting Started – What you need to know to get up and running.

• Configure Organizations for Network Management - How to create and manage Organizations, including creating/modifying sites, adding devices, and adding users.

• Configure and Manage Device Inventory - Add, edit, or remove Access Point devices from the device inventory. The Device Inventory is also where devices obtain their provisioning configuration when they are added to the inventory.

• Configure WLAN Network Management- Configure wireless networks, policies to prevent attacks on Stellar AP Series Wireless Devices, and Radio Frequency (RF) profiles for devices. It is also used to configure External Engines and UPAM server certificates.

• Configure Network Access Control - Configure security functions (authentication, classification) to provide network access controls that are applied to devices attempting to access the network.

• Monitoring Network Device Activity – Monitor, evaluate, and troubleshoot network components and device activity.

• Automation with APIs – Develop applications to integrate with OmniVista Cirrus 10.3.

• Troubleshooting

Technical Support

For technical support, contact your sales representative or go to the ALE MyPortal:

• https://myportal.al-enterprise.com