OmniVista Cirrus Production Notes 10.4.1

This release of OmniVista Cirrus provides a free trial version of the full OmniVista Cirrus Solution. The trial version extends for 6 months and can be used to monitor up to 20 wireless devices (additional time and number of devices can be requested). You can then upgrade from the free trial version to a paid licensed version of OmniVista Cirrus.

OmniVista Cirrus 10.4.1 can be accessed from anywhere, using any approved browser and device (e.g., workstation, tablet). Access to OmniVista Cirrus is supported on the following browsers: Chrome 79+ (on Windows and Redhat/SuSE Linux client PCs), and Firefox 62+ (on Windows and Redhat/SuSE Linux client PCs).

These Production Notes detail features and enhancements, network/device configuration prerequisites, supported devices, and known issues/workarounds in OmniVista Cirrus 10.4.1. Please read the Production Notes in their entirety as they contain important operational information that may impact successful use of the application.

• New in this Release

• Regulatory Compliance

• Third-Party and Open-Source Contributions

• Network and Device Prerequisites

• Supported Devices

• REST API Management

• Known Issues/Workarounds

• Additional Documentation

• Technical Support

New in This Release

The following sections provide an overview of the features and enhancements introduced with this release.

• Devices Supported

• Software Supported

• New Features and Functions

• Application Updates/Enhancements

• Beta Features

Devices Supported

Stellar Access Points

The following OmniAccess Stellar Access Points are now supported:

• OAW-AP1411

• OAW-AP1431

Software Supported

• AWOS 4.0.7.14 - OmniVista Cirrus 10.4.1 now supports AWOS 4.0.7.14 on all previously supported Access Points.

New Features and Functions

This section details new features introduced in this release.

OAW-AP1411 Dual Radio, Tri-Band Options

The OAW-AP1411 is a dual-radio, tri-band (2.4G, 5G, 6G) Access Point with configurable radio options. A Radio Setting” attribute in the RF Profile allows you to select one of the following radio band options for the AP:

• 2.4G, 5G Full (default)

• 2.4G, 6G

• 5G Full, 6G

AP RadSec Client with Local RADIUS Server

An AP can now communicate as a RadSec client with a local RADIUS Server that uses RadSec (RADIUS-over-TLS). To establish a secure connection between an AP RadSec client and the local RADIUS Server:

• Upload a RadSec Certificate to the AP (refer to Uploading a Local RadSec Certificate for more information).

• Enable TLS on the local RADIUS Server.

Note:

• AP supports one, and only one, TLS-enabled RADIUS server. As a consequence, you cannot have one TLS-enabled RADIUS server as Primary and another TLS-enabled RADIUS server as Secondary.

• RadSec communication is not supported for wired clients of the AP.

Stellar AP as an 802.1X Client

A Stellar AP device can now be configured to operate as an 802.1x (supplicant) device. When a Stellar AP is connected to an OmniSwitch UNP port on which the AP Mode and 802.1X authentication is enabled, the switch starts to send EAP frames to the AP device. If the AP device does not respond to the EAP frames, the switch will identify the AP as a non-802.1x (non-supplicant) device and will attempt to authenticate the AP with other methods.

To ensure that the switch will identify the AP device as a supplicant (802.1X client), 802.1X functionality can now be enabled for the OmniVista Provisioning Configuration associated with the AP Group to which the AP belongs.

• All AP client traffic (wired/wireless) is VLAN-tagged on uplink to the OmniSwitch.

  • If the AP secure mode is enabled on the switch UNP port (disabled by default), the VLAN tag of the client traffic is trusted after successful authentication. See note below.

  • A classification policy on the OmniSwitch can be configured to catch any untagged client traffic.

  • Third-party switches with 802.1X authentication functionality are also supported.

Note: The AP Mode is enabled on an OmniSwitch UNP port by default. However, the AP mode is not secured by default. This means that the VLAN-tagged client traffic is trusted and forwarded on the UNP port even if the AP device fails 802.1x authentication. When the AP mode is secured, VLAN-tagged client traffic is not trusted and forwarded until the AP device passes 802.1x authentication. The AP mode is secured by enabling the “Secure” option for the AP Mode in the OmniVista Access Authentication Profile to which an AP device is assigned.

Syslog Remote Servers

Configuring up to four remote Syslog Servers is supported.

Stellar BLE (Asset Tracking) Data Sharing with Third-Party Applications

The Stellar BLE data reporting channel to any Asset Tracking application uses Kafka. However, the built-in common device certificate on the AP allows communication only with Stellar AP Asset Tracking solutions. You can now upload a custom device certificate to the AP that will support sending BLE data to third-party Asset Tracking applications.

Note: Refer to Uploading a Stellar BLE Certificate for information about the data format used to send BLE messages to third-party Asset Tracking applications.

Stellar WiFi RTLS Data Sharing with Third-Party Applications

The Stellar WiFi RTLS data reporting channel uses Kafka. However, the built-in common device certificate on the AP allows communication only with the OmniVista Cirrus 10 Stellar WiFi engine. You can now upload a custom device certificate to the AP that will support sending WiFi RTLS data to third-party RTLS applications.

Note: Refer to Uploading a Stellar WiFi RTLS Certificate for information about the data format used to send RTLS messages to third-party RTLS applications.

Private Group PSK

When a PSK-enabled SSID network is created, you can either create a static PSK or enforce Device Specific PSK. This provides a common Passphrase key, which is suitable for networks requiring network wide common PSK. Enabling the Private Group PSK (PPSK) allows you to create private groups of client devices on the same SSID network based on a PPSK Entry. Each client device specifies a Passphrase when connecting to an SSID. If the passphrase matches any of the PPSK Entry, the client is placed in the specified Access Role Profile.

Configuring the Private Group PSK option for an SSID network is only available when the Device Specific PSK option is disabled or set to “Prefer Device Specific PSK”. However, if the Device Specific PSK option is set to “Force Device Specific PSK”, OmniVista will not display the Private Group PSK option because the Passphrase specified in Company Property is used instead.

A Private Group PSK Entry that is used to define a group of devices, consists of the following configurable parameters:

• Name - Enter a unique name to identify the PPSK Entry. No two Entries can have the same Name.

• Passphrase - Enter a unique PSK Passphrase for authentication. No two Entries can have the same Passphrase.

• Access Role Profile - Select the name of an Access Role Profile.

Note: Each SSID can have up to 16 PPSK Entries. The total number of entries across all SSIDs that exist on an AP cannot exceed 64 on any AP.

Application Updates/Enhancements

Network Monitoring and Analytics Enhancements

• Network Analytics Summary - A live network summary at the top of Network Analytics dashboards displays the following statistics:

  • Total number of Access Points

  • Number of Access Points up/down.

  • Number of wireless/wired clients

• AP Device List - A Device List table is now available on the Network Analytics screen to help monitor and evaluate specific device performance metrics, such as Access Point uptime, wireless/wired clients connected to the AP, and device health statistics (CPU/memory/flash usage). You can explore device level analytics for a specific device by clicking on the ‘Friendly Name’ of the AP in the Device List Table to view the detailed analytics for that AP.

• Client Analytics - Single point-of-view for analyzing and troubleshooting client activity. Drill down from one screen to view analytics for a specific client.

  • Health Summary

  • Distribution of Clients by SSID

RF Profile Updates

• DRM Scheduling - The DRM auto-channel selection algorithm defaults to an interval of every six hours starting when the device boots up. The following DRM scheduling options are now configurable to allow changing the time interval and/or start time of channel selection:

  • DRM Time Control – When enabled, allows you to specify a DRM start time.

  • DRM Start Time – Applies when DRM Time Control is enabled. You can specify any hour of the day between 0 and 23 hours.

  • DRM Interval – When DRM Time Control is disabled, you can adjust the time interval up or down (0.5 hour to 12 hours). By default, the interval time is set to every six hours.

• Channel Switch Announcement (CSA) – 6G Band now supported.

• Support for Israel and Palestine Country Code - The country code for Israel (IL) and Palestine (PL) is now supported when configuring an RF Profile.

Certificates

The following additional Certificates are now available to upload to APs:

• Local RadSec Certificate – Used for AP RadSec client communication.

• Syslog Over TLS Certificate – Used for AP remote logging over TLS.

• Stellar BLE Certificate – Custom device certificate used for sending BLE data to third-party Asset Tracking applications.

• Stellar WiFi RTLS Certificate – Custom device certificate used for sending WiFi RTLS data to third-party RTLS applications.

Access Role Profile VLAN-Mapping Enhancement

We have expanded the ability to bind up to 256 VLANs to a WLAN/SSID on the AP13xx/AP14xx models. However, not every AP model can accommodate 256 VLANs for all the configured SSIDs. The limitations are outlined below:

• AP1301H can support 256 VLANs on a maximum of 2 SSIDs, with a total of 512.

• AP1311/AP1301/AP1431/AP1411 can support 256 VLANs on a maximum of 4 WLANs/SSIDs, with a total of 1024.

• AP1320/AP1331/AP1351/AP1451 can accommodate 256 VLANs on a maximum of 7 WLANs/SSIDs, with a total of 1792.

SSID Enhancements

• Extended SSID Scale - The number of SSIDs that can be assigned to the AP Group has been extended to 14. A new option “Extended SSID Scale” is now available when configuring an SSID. Note that when this attribute is enabled, only AP models that support up to 14 SSIDs can join the AP Group. When this attribute is disabled, any AP model can join the group, but the limit is 7 SSIDs per AP Group.
  Note: The status of the Extended SSID Scale attribute does not apply to 6GHz networks, which have a limit of 4 SSIDs per AP Group.

• Automatic WPA/WPA2 Encryption - The Automatic WPA/WPA2, or mixed mode Encryption with dynamic keys support, option is now available while creating a new SSID for the following user networks:

  • Enterprise Network Employees using the 802.1X Authentication method.

  • Protected Network for Guest Users using pre-shared key and an optional Captive Portal Authentication method.

  • Protected Network for Enterprise Employees using pre-shared key and the BYOD Registration Portal Authentication method.

Enhanced “Search” Functions

• SSID Screen Search Box - You can now search on any SSID attribute value. Only the SSID profiles that contain the matching search attribute will display. For example, if you search on “BYOD”, only SSIDs with BYOD will display in the search result.

• OmniVista Cirrus Menu Search Box - The Search box at the top left-hand side of the menu list provides a quick way to find applications. For example, you can enter terms such as “Clients” or “Guest” to search for applications containing those terms.

• Events and Alerts Search Box - You can now view the Events containing a specific Access Point or Client MAC. Usually, the Client MAC doesn’t appear in the Event List Table, but the search result will display all such Events containing a specific Client MAC.

Export Function for Events (Traps/QoE Analytics) and Alerts

• You can export up to 1,000,000 of the latest Events/Alerts for a specific scope and timeframe.

• If there are more than 5000 entries to be exported, then the data will be split into multiple files, each containing 5000 entries.

Beta Features

Note: The following Beta features are available in OmniVista Cirrus 10.4 and can be configured. However, they have not gone through the complete validation cycle and are therefore not officially supported.

• Wi-Fi location service features (Wi-fi Heatmap, Current Client Density, Client Density History)

• QoE Analytics

Regulatory Compliance

OmniVista Cirrus 10.4 compliance in US, EU, and abroad:

• General Data Protection Regulation (GDPR)

• California Consumer Privacy Act (CCPA)

Third-Party and Open-Source Contributions

• Free and Open-Source Software (FOSS) Used in OmniVista Cirrus - A list of copyright and license or notices of individual license information is provided for all Open Source Application level components and libraries that OmniVista Cirrus R10 depends upon. To access the list, click on the Free Open Source Software link located at the bottom of every UI screen.

• A JSON report documenting the usage of third-party FOSS used for OmniVista Cirrus R10 deployment is available.

Network and Device Prerequisites

To ensure the necessary communication between Access Point devices and OmniVista Cirrus 10.4.1, verify/configure the following prerequisites on your local network:

• Network Prerequisites - Network deployment, bandwidth, proxy, firewall, and NTP server requirements.

• Device Prerequisites - Supported Access Point software and models.

  • If your fully managed Access Points are running AWOS 4.0.6, please upgrade to AWOS 4.0.7.14 by setting the Desired Software Version first before accessing OmniVista Cirrus 10.4.1.

• OmniVista Legacy for Analytics Only Mode - Configure an OmniVista 2500 NMS or OmniVista Cirrus 4 to support communication between Analytics Only Access Point devices and OmniVista Cirrus 10.4.1.

Supported Devices

This release of OmniVista Cirrus 10.4.1 supports monitoring and reporting of advanced analytics for Stellar Access Points, except for the following models:

• OAW-AP1101

• OAW-AP1201L

• OAW-AP1201H

• OAW-AP1201HL

• OAW-AP1201BG

• OAW-AP1261

REST API Management

You can use REST APIs for scripting or integration with any third-party systems in your management network. The complete API reference can be found at the following link based on your region (no login is required):
EU: https://eu.manage.ovcirrus.com/apidoc/apidoc.html
Americas: https://us.manage.ovcirrus.com/apidoc/apidoc.html

For more information, see Automation with APIs.

Known Issues/Workarounds

Inventory

Schedule Upgrade Using Set Desired Software Version (OVNG-10325)
Summary: When an AP already follows a group schedule and the software version is changed using the “Set Desired Software Version” option from the Edit Device drop-down menu, note the following:

• If the AP Group of the AP device is not part of a schedule upgrade, then the Desired Software Version is set to “Do Not Upgrade”.

• If the AP Group of the AP device is part of a schedule upgrade, the AP device will be upgraded to the Desired Software Version based on the schedule upgrade for the group.

Workaround: Use the “Information” or “Schedule Software Upgrade” options from the Edit Device drop-down menu to have an AP already following a group schedule upgraded to the specified software version on the next call home.

Editing the AP Device Location Disrupts Connectivity With the AP (OVNG-12252)
Summary: When you change the Device Location for an AP, the AP can lose its configuration disrupting connectivity with the AP.
Workaround: Connectivity is restored within approximately 1 to 2 minutes.

NaaS Device Licenses

Collect Support Info Feature Does Not Work on NaaS APs that have an expired Management License (OVNG-5850)
Summary: If the NaaS management license expires for an AP in NaaS mode, the Collect Support Info operation will fail.
Workaround: Make sure the NaaS Management License is active when the AP is functioning in the NaaS mode.

Network Monitoring

Current Client Density Screen Displays Incorrect Session Start Time for AP Clients (OVNG-11243)
Summary: When you click on an AP on the Current Client Density screen to display a list of clients connected to the AP, the “Session Start Time” field displays the wrong start time.
Workaround: Check the client “Session Start Time” in the Online Wireless Clients Table for the correct date and time.

Mismatch Between Time Filters on the Client Analytics Screen and the Clients Screen (OVNG-12257)
Summary: When you click on a Pie Chart on the Client Analytics screen to view Client Data, the Clients screen opens, but shows data for a time filter that does not match the time filter on the Client Analytics screen. For example, the time filter on the Client Analytics screen shows 10:53 to 11:53, but when you click on a Pie Chart to view client data, the Clients screen time filter show 10:00 to 11:00.
Workaround: There is no workaround at this time.

AP Location is Empty in Live Wireless Client Additional Information (OVNG-12164)
Summary: AP location is sometimes not populated for Wireless clients.
Workaround: There is no workaround at this time.

UPAM

Errors Occur When the Client Continuously Connects and Reconnects to SSID Portal (OVNG-9735)
Summary: When a user logs into the network, then logs out, and then logs in again, the user may see error messages on the login portal and won’t be able to access the network.
Workaround: User should try to avoid continuously logging in and logging out of the network.

After Upgrading to Android 11 or 12, EAP-TLS Protected Wi-Fi No Longer Works (OVNG-9786)
Summary: In 2021, Android (Google) made a change in their OS to enforce "Validate Server Certificate" option for a 802.1X authentication. This means that, Android 11 and 12 will validate the server's device certificate. Hence users need to specify server's device certificate chain (Root And/Or Intermediate CA's) on their Android devices. If not the authentication will fail. Android 10 and below still works. 
Workaround: An alternative is to upgrade the devices to Android 13. Android 13 offers "Trust on First Use" (TOFU) feature. TOFU enables installing the Root CA certificate received from the server during initial connection to a new network. The user must approve installing the Root CA certificate. 

Client Unable to Join 802.1X SSID When All EAP = NO and Allowed Method = EAP-TLS for the Access Policy (OVNG-10155)
Summary: When you create an SSID and select an Access Policy with All EAP set to “No” and Allowed Method set to “EAP-TLS” for the SSID Authentication Strategy, the client is unable to join an 802.1X SSID.
Workaround: There is no workaround at this time.

Delay in Seeing BYOD IPv4 Client in the List of BYOD Device Records (OVNG-10759)
Summary: Once a client connects to a BYOD SSID, there is a delay before seeing the Client IPv4 address in BYOD device records. The AP to which the Client is connected will send the client IPv4 with the second accounting packet.
Workaround: No workaround at this time. Problem will be fixed in the next release.

Service Temporarily Unavailable Message With External RadSec Server (OVNG-11277)
Summary: When attempting to authenticate with an External RADIUS Server that is using RadSec ((RADIUS-over-TLS), you may receive a “Service Temporarily Unavailable” message from OmniVista Cirrus.
Workaround: Configure a new External RadSec Server to replace the old one.

Unified Access

Limitation When Selecting an Existing Group for a Unified Policy Condition (OVNG-10669)
Summary: When using the “Choose Existing Group” option for an L2 MAC or L3 IP Policy Condition, if you modify the Group after the Policy is saved and applied to APs, your changes to the Group will not be applied to the APs. This limitation does not occur when using the “Create a New Group” option.
Workaround: After you modify the Group on the Group screen, go to the Unified Policy and select the “Not defined” option (or make any other change to the Policy) and save it. Then edit the Unified Policy again and select the “Choose Existing Group” option.

SSID

Each AP Group Can Only Support Up to Seven SSIDs (OVNG-9610)
Summary: When you try to assign a new SSID into an existing AP Group that already has seven SSIDs, that AP group will not be included into the new SSID.
Workaround: Enable the Extended SSID Scale attribute for the AP Group. When enabled, only AP models that support up to 14 SSIDs can join the AP Group. When disabled, any AP model can join the group, but the limit is 7 SSIDs per AP Group. Note that 6GHz networks do not support the Extended SSID Scale attribute and support only 4 SSIDs per AP Group.

Other

AP does not Send “portal.report” Event when Wrong Username/Password Entered (OVNG-2811)
Summary: When a user logs in to UPAM Captive Portal with an incorrect username/password, the login will fail but the failure is not immediately indicated on the QoE Analytics UI. Only after 15 minutes will QoE report the failure and the failure is reported as a “Timeout”. Two consequences of this are: Users won’t find out about the failures to login to UPAM Captive Portal until after 15 minutes, and the user will not be able to differentiate between a true “Timeout” with UPAM Captive Portal versus wrong credentials entered at UPAM Captive Portal login.
Workaround: No workaround at this time.

"HostName" Information Lost in “user.report” After the Client Roams to Another AP (OVNG-7792)
Summary: The Client Name (aka “HostName”) information in WLAN Client List is lost after the client roams to another AP.
Workaround: No workaround at this time.

AP Client is Assigned to Untagged VLAN Instead of Tunnel ID Configured in Access Role Profile (OVNG-11683)
Summary: When an Access Role Profile (ARP) with Tunnel only mapping is applied to an AP client, the client is assigned an IP Address in the Untagged VLAN network, not an IP address in the Tunnel network.
Workaround: No workaround at this time.

Issues Fixed

Issues Fixed Since Release 10.3

• PKSC8 private key is not supported for LDAP cert and AP Web Cert (OVNG-7726)

• False Portal Authentication Failure Alert Messages Received (OVNG-11239)

Additional Documentation

Online help is available in OmniVista Cirrus and can be accessed by clicking on the Help Link (?) in the upper-right corner of any screen. You can also search through the online help on the OmniVista Cirrus Documentation home page and/or use the following links to familiarize yourself with OmniVista Cirrus 10.4.1 features and functionality:

• Introducing OmniVista® Cirrus R10

• Getting Started – What you need to know to get up and running.

• Configure Organizations for Network Management - How to create and manage Organizations, including creating/modifying sites, adding devices, and adding users.

• Configure and Manage Device Inventory - Add, edit, or remove Access Point devices from the device inventory. The Device Inventory is also where devices obtain their provisioning configuration when they are added to the inventory.

• Configure WLAN Network Management- Configure wireless networks, policies to prevent attacks on Stellar AP Series Wireless Devices, and Radio Frequency (RF) profiles for devices. It is also used to configure External Engines and UPAM server certificates.

• Configure Network Access Control - Configure security functions (authentication, classification) to provide network access controls that are applied to devices attempting to access the network.

• Monitoring Network Device Activity – Monitor, evaluate, and troubleshoot network components and device activity.

• Automation with APIs – Develop applications to integrate with OmniVista Cirrus 10.4.1.

• Troubleshooting - Review general troubleshooting questions and actions for using OmniVista Cirrus. You can also find links to troubleshooting information for specific features.

Technical Support

For technical support, contact your sales representative or go to the ALE MyPortal:

• https://myportal.al-enterprise.com

Alcatel-Lucent Enterprise, Part No. 033729-00