The releases 8.3.130.0 (deferred release) and 8.3.132.0 are affected by the caveat: CSCvf87731. This could cause the Cisco WLC to unexpectedly reload, triggered by a timing issue during the processing of multiple join requests from the same AP. This issue could be more prevalent in scenarios of networks with packet drops or reordering.

Therefore, we recommend that you do not upgrade to Release 8.3.132.0, but instead upgrade to a newer release to be made available by October 30, 2017.

In this release, the Multi-user MIMO (MU-MIMO) feature on the Cisco 2800 and 3800 APs is enhanced to provide improved stability and higher performance gain. It enables concurrent transmission in the downstream direction to multiple clients, however, the client device must support this feature.

There are no new features in this release. This release addresses critical issues with the controller software. For more information, see the "Caveats" section.

• We recommend that you install Release 1.9.0.0 of Cisco Wireless LAN Controller Field Upgrade Software (FUS), which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA/MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/fus_rn_OL-31390-01.html.

  Note	If you are using a Cisco 2500 Series controller, you must install Release 1.9.0.0 or higher of Cisco Wireless LAN Controller FUS. This is not required if you are using other controller hardware models.

  Note	The FUS image installation process reboots the Cisco WLC several times and reboots the runtime image. The entire process takes approximately 30 minutes. We recommend that you install the FUS image in a planned outage window.

• Release 8.3 supports additional configuration options for 802.11r FT enable and disable. The additional configuration option is not valid for older releases. If you downgrade from Release 8.3.x to Release 8.2 or an earlier release, the additional configuration option is invalidated and defaulted to FT disable. When you reboot Cisco WLC with the downgraded image, invalid configurations are printed on the console. We recommend that you ignore this because there is no functional impact, and the configuration defaults to FT disable.

• If you downgrade from Release 8.3.13x.0 to a 7.x release, the trap configuration is lost and must be reconfigured.

• If you downgrade from Release 8.3.13x.0 to Release 8.1, the Cisco Aironet 1850 Series AP, whose mode prior to the downgrade was Sensor is shown to be in unknown mode after the downgrade. This is because the Sensor mode is not supported in Release 8.1.

• If you have an IPv6-only network and are upgrading to Release 8.3.133.0 or a later release, ensure that the following is done:

  • Enable IPv4 and DHCPv4 on the network—Load a new Cisco WLC software image on all Cisco WLCs plus Supplementary AP Bundle images on the Cisco 2504 WLC, 5508 WLC, and WiSM2 or perform a predownload of AP images on the required Cisco WLCs.

  • Reboot Cisco WLC immediately or at the preset time.

  • Ensure that all Cisco APs are associated with Cisco WLC.

  • Disable IPv4 and DHCPv4 on the network.

• After downloading new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an “upgrading image” state. In such a case of a stranded Cisco AP, it may be necessary to forcefully reboot the Cisco WLC to download a new image or to reboot the Cisco WLC after the download of the new image. You can forcefully reboot the Cisco WLC by entering the reset system forced command.

• It is not possible to download some of the older configurations from the Cisco WLC because of the Multicast and IP address validations. See the Restrictions on Configuring Multicast Mode section in the configuration guide for detailed information about platform support for Global Multicast and Multicast Mode.

• If you upgrade from Release 8.0.110.0 to a later release, the config redundancy mobilitymac, mac-addr command's setting is removed. You must manually reconfigure the mobility MAC address after the upgrade.

• If you are upgrading from Release 8.0.140.0 or 8.0.15x.0 to a later release and also have the multiple country code feature configured, the feature configuration is corrupted after the upgrade. For more information, see CSCve41740.

• If you have ACL configurations in a Cisco WLC, and downgrade from a 7.4 or later release to a 7.3 or earlier release, you might experience XML errors on rebooting the Cisco WLC. However, these errors do not have any impact on any of the functionalities or configurations.

• If you are upgrading from a 7.4.x or an earlier release to a release later than 7.4, the Called Station ID type information is mapped to the RADIUS Accounting Called Station ID type; which, by default, is set to apradio-mac-ssid. You can configure the RADIUS Authentication Called Station ID type information by using the config radius auth callStationIdType command.

• When FlexConnect APs (known as H-REAP APs in the 7.0.x releases) that are associated with a Cisco WLC that has all the 7.0.x software releases prior to Release 7.0.240.0, upgrade to Release 8.3.13x.0, the APs lose the enabled VLAN support configuration. The VLAN mappings revert to the default values of the VLAN of the associated interface. The workaround is to upgrade from Release 7.0.240.0 and later 7.0.x releases to Release 8.3.13x.0.

  Note	In case of FlexConnect VLAN mapping deployment, we recommend that the deployment be done using FlexConnect groups. This allows you to recover VLAN mapping after an AP rejoins the Cisco WLC without having to manually reassign the VLAN mappings.

• When a client sends an HTTP request, the Cisco WLC intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the Cisco WLC is longer than 2000 bytes, the Cisco WLC drops the packet. Track CSCuy81133 for a possible enhancement to address this restriction.

• After you upgrade to Release 7.4, networks that were not affected by the existing preauthentication access control lists might not work because the rules are now enforced. That is, networks with clients configured with static DNS servers might not work unless the static server is defined in the preauthentication ACL.

• On the Cisco Flex 7500 Series WLCs, if FIPS is enabled, the reduced boot options are displayed only after a bootloader upgrade.

  Note	Bootloader upgrade is not required if FIPS is disabled.

• If you have to downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous Cisco WLC configuration files saved on the backup server, or to reconfigure the Cisco WLC.

• It is not possible to directly upgrade to Release 8.3.133.0 release from a release that is earlier than Release 7.0.98.0.

• You can upgrade or downgrade the Cisco WLC software only between certain releases. In some instances, you must first install an intermediate release prior to upgrading to Release 8.3.133.0. The following table shows the upgrade path that you must follow before downloading Release 8.3.133.0.

  Note

  If you upgrade directly to 7.6.x or a later release from a release that is earlier than 7.5, the predownload functionality on Cisco Aironet 2600 and 3600 APs fails. The predownload functionality failure is only a one-time failure. After the upgrade to 7.6.x or a later release, the new image is loaded on the said Cisco APs, and the predownload functionality works as expected.

For detailed release recommendations, see the Guidelines for Cisco Wireless Software Release Migration Bulletin at:

• When you upgrade the Cisco WLC to an intermediate software release, you must wait until all of the access points that are associated with the Cisco WLC are upgraded to the intermediate release before you install the latest Cisco WLC software. In large networks, it can take some time to download the software on each access point.

• You can upgrade to a new release of the Cisco WLC software or downgrade to an earlier release even if Federal Information Processing Standard (FIPS) is enabled.

• When you upgrade to the latest software release, the software on the access points associated with the Cisco WLC is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

• We recommend that you access the Cisco WLC GUI using Microsoft Internet Explorer 10 or a later version or Mozilla Firefox 32 or a later version.

  Note	Microsoft Internet Explorer 8 might fail to connect over HTTPS because of compatibility issues. In such cases, you can explicitly enable SSLv3 by entering the config network secureweb sslv3 enable command.

• Cisco WLCs support standard SNMP MIB files. MIBs can be downloaded from the Software Center on Cisco.com.

• The Cisco WLC software is factory installed on your Cisco WLC and is automatically downloaded to the access points after a release upgrade and whenever an access point joins a Cisco WLC. We recommend that you install the latest software version available for maximum operational benefit.

• Ensure that you have a TFTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

  • Ensure that your TFTP server supports files that are larger than the size of Cisco WLC software Release 8.3.133.0. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the 8.3.133.0 Cisco WLC software and your TFTP server does not support files of this size, the following error message appears: TFTP failure while storing in flash.

  • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

• When you plug a Cisco WLC into an AC power source, the bootup script and power-on self test is run to initialize the system. During this time, press Esc to display the bootloader Boot Options menu. The menu options for the Cisco 5500 Series WLC differ from the menu options for the other Cisco WLC platforms.

  Bootloader menu for Cisco 5500 Series WLC:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Change active boot image
  4. Clear Configuration
  5. Format FLASH Drive
  6. Manually update images
  Please enter your choice:

  Bootloader menu for other Cisco WLC platforms:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Manually update images
  4. Change active boot image
  5. Clear Configuration
  Please enter your choice:

  Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on Cisco 5508 WLC), or enter 5 (on Cisco WLC platforms other than 5508 WLC) to run the current software and set the Cisco WLC configuration to factory defaults. Do not choose the other options unless directed to do so.

  Note	See the Installation Guide or the Quick Start Guide pertaining to your Cisco WLC platform for more details on running the bootup script and power-on self test.

• The Cisco WLC bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

  With the backup image stored before rebooting, choose Option 2: Run Backup Image from the boot menu to boot from the backup image. Then, upgrade with a known working image and reboot the Cisco WLC.

• You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface using the following command:

  config network ap-discovery nat-ip-only {enable | disable}

  Here:

  enable—Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

  disable—Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same Cisco WLC.

  Note	To avoid stranding of APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

• You can configure 802.1p tagging by using the config qos dot1p-tag {bronze | silver | gold | platinum} command. For Release 7.2.103.0 and later releases, if you tag 802.1p packets, the tagging has an impact on only wired packets. Wireless packets are impacted only by the maximum priority level set for QoS.

• You can reduce the network downtime using the following options:

  • You can predownload the AP image.

  • For FlexConnect access points, use the FlexConnect AP upgrade feature to reduce traffic between the Cisco WLC and the AP (main site and the branch). For more information about the FlexConnect AP upgrade feature, see the Cisco Wireless Controller Configuration Guide.

• Do not power down the Cisco WLC or any access point during the upgrade process; otherwise, you might corrupt the software image. Upgrading a Cisco WLC with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported, the upgrade time should be significantly reduced. The access points must remain powered, and the Cisco WLC must not be reset during this time.

• To downgrade from Release 8.3.133.0 to Release 6.0 or an earlier release, perform either of these tasks:

  • Delete all the WLANs that are mapped to interface groups, and create new ones.

  • Ensure that all the WLANs are mapped to interfaces rather than interface groups.

• After you perform the following functions on the Cisco WLC, reboot the Cisco WLC for the changes to take effect:

  • Enable or disable link aggregation (LAG)

  • Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

  • Add a new license or modify an existing license

  • Increase the priority of a license

  • Enable HA

  • Install the SSL certificate

  • Configure the database size

  • Install the vendor-device certificate

  • Download the CA certificate

  • Upload the configuration file

  • Install the Web Authentication certificate

  • Make changes to the management interface or the virtual interface

  • Make changes to TCP MSS settings

Due to an increase in the size of the Release 8.3.133.0 Cisco WLC software image, the Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 software images are split into the following two images:

• Base Install image, which includes the Cisco WLC image and a subset of AP images (excluding some mesh AP images and AP80x images) that are packaged in the Supplementary AP Bundle image

• Supplementary AP Bundle image, which includes AP images that are excluded from the Base Install image. The APs that feature in the Supplementary AP Bundle image are:

  • AP802

  • Cisco Aironet 1530 Series AP

  • Cisco Aironet 1550 Series AP (with 64-MB memory)

  • Cisco Aironet 1550 Series AP (with 128-MB memory)

  • Cisco Aironet 1570 Series APs

Note	There is no change with respect to the rest of the Cisco WLC platforms.

• Autoinstall

• Cisco WLC integration with Lync SDN API

• Application Visibility and Control (AVC) for FlexConnect local switched access points

• Application Visibility and Control (AVC) for FlexConnect centrally switched access points

  Note

  However, AVC for local mode APs is supported. If you are using a Cisco 2500 Series controller and you intend to use the Application Visibility and Control (AVC) and NetFlow protocol features, you must install Release 1.9.0.0 of Cisco Wireless LAN Controller FUS. This is not required if you are using other controller hardware models.

• URL ACL

• Bandwidth Contract

• Service Port

• AppleTalk Bridging

• Right-to-Use Licensing

• PMIPv6

• EoGRE

• AP Stateful Switchover (SSO) and client SSO

• Multicast-to-Unicast

• Cisco Smart Software Licensing

Note	The features that are not supported on Cisco WiSM2 and Cisco 5508 WLC are not supported on Cisco 2504 WLCs too.

Note	Directly connected APs are supported only in the local mode.

• Spanning Tree Protocol (STP)

• Port Mirroring

• VPN Termination (such as IPsec and L2TP)

• VPN Passthrough Option

  Note	You can replicate this functionality on a Cisco 5500 Series WLC by creating an open WLAN using an ACL.

• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

• Fragmented pings on any interface

• Right-to-Use Licensing

• Cisco 5508 WLC cannot function as mobility controller (MC). However, Cisco 5508 WLC can function as guest anchor in a New Mobility environment.

• Cisco Smart Software Licensing

• Static AP-manager interface

  Note	For Cisco Flex 7500 Series WLCs, it is not necessary to configure an AP-manager interface. The management interface acts as an AP-manager interface by default, and the access points can join on this interface.

• IPv6 and Dual Stack client visibility

  Note	IPv6 client bridging and Router Advertisement Guard are supported.

• Internal DHCP server

• Access points in local mode

  Note	An AP associated with the Cisco WLC in the local mode should be converted to the FlexConnect mode or monitor mode, either manually or by enabling the autoconvert feature. On the Cisco Flex 7500 WLC CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

• Mesh (use Flex + Bridge mode for mesh-enabled FlexConnect deployments)

• Spanning Tree Protocol (STP)

• Cisco Flex 7500 Series WLC cannot be configured as a guest anchor Cisco WLC. However, it can be configured as a foreign Cisco WLC to tunnel guest traffic to a guest anchor Cisco WLC in a DMZ.

• Multicast

  Note	FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic based on Internet Group Management Protocol (IGMP) or MLD snooping.

• PMIPv6

• Cisco Smart Software Licensing

• EoGRE

• Internal DHCP Server

• Mobility controller functionality in converged access mode

  Note	Cisco Smart Software Licensing is not supported on Cisco 8510 WLC.

• Spanning Tree Protocol (STP)

• Port Mirroring

• VPN Termination (such as IPsec and L2TP)

• VPN Passthrough Option

  Note	You can replicate this functionality by creating an open WLAN using an ACL.

• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

• Fragmented pings on any interface

• Cisco 5520, 8510, and 8540 WLCs cannot function as mobility controller (MC). However, they can function as guest anchor in a New Mobility environment.

• Internal DHCP server

• TrustSec SXP

• Access points in local mode

• Mobility/Guest Anchor

• Wired Guest

• Multicast

  Note	FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic based on IGMP or MLD snooping.

• FlexConnect central switching in large-scale deployments

  Note	FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on Cisco WLC ports is not more than 500 Mbps. FlexConnect local switching is supported.

• AP and Client SSO in High Availability

• PMIPv6

• Datagram Transport Layer Security (DTLS)

• EoGRE (Supported in only local switching mode)

• Workgroup Bridges

• Client downstream rate limiting for central switching

• SHA2 certificates

• Cisco WLC integration with Lync SDN API

• Cisco OfficeExtend Access Points

• PPPoE

• PMIPv6

• EoGRE

See the amount of memory in a Cisco Aironet 1550 AP by entering this command in Cisco WLC CLI:

show mesh ap summary

• Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC

• High availability (fast heartbeat and primary discovery join timer)

• AP acting as supplicant with EAP-FASTv1 and 802.1X authentication

• Access point join priority (mesh access points have a fixed priority)

• Location-based services

Note	The Cisco Mobility Express wireless network solution is available starting from Cisco Wireless Release 8.3.133.0.

The Cisco Mobility Express wireless network solution provides a wireless controller functionality bundled into the Cisco Aironet 1560, 1815, 1830, 1850, 2800, and 3800 Series access points.

In the Cisco Mobility Express wireless network solution, one AP, which runs the Cisco Mobility Express wireless controller, is designated as the primary AP. Other access points, referred to as Subordinate APs, associate to this primary AP.

The primary AP operates as a wireless controller, to manage and control the subordinate APs. It also operates as an AP to serve clients. The subordinate APs behave as normal lightweight APs to serve clients.

For more information about the solution, including the setup and configuration, see the Cisco Mobility Express User Guide for Release 8.3, at http://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/83/user_guide/b_ME_User_Guide_83.html

Cisco Mobility Express Features

The following new features and functionalities have been introduced in this release:

• Support for the following access points:

  • Cisco Aironet 1560 Series

  • Cisco Aironet 2800 Series

  • Cisco Aironet 3800 Series

• Simple Network Management Protocol (SNMP) Version 3 polling; configurable through the GUI.

• Support for the Flexible Radio Assignment (FRA) functionality for the radio in slot 0 on Cisco Aironet 3800 Series access points. FRA automatically detects when a high number of devices are connected to a network, and changes the dual radios in an access point from 2.4GHz/5GHz to 5GHz/5GHz to serve more clients.

• Improvements in software update and access point image management with direct download from Cisco.com.

• Integration with Cisco CMX Cloud for both guest services and presence analytics. This is enabled by the integrated cloud connector on the Cisco Mobility Express controller for seamless integration and easier provisioning.

• Localization to Japanese and Korean for the Cisco Mobility Express controller GUI.

• Setting up and managing an internal DHCP server through the GUI.

• Importing a customized guest login page.

• Forced failover to a specified AP as primary.

The following are existing features, with continued support in the current release:

Note	Even if the Cisco AP is 802.3ad (LACP)-compliant, link aggregation groups (LAG) are not supported on the AP while it has a Cisco Mobility Express software image.

• Scalability:

  • Up to 25 APs

  • Up to 16 WLANs

  • Up to 100 rogue APs

  • Up to 1000 rogue clients

• License—Does not require any licenses (Cisco Right-To-Use License or Swift) for APs.

• Operation— The primary AP can concurrently function as controller (to manage APs) and as an AP (to serve clients).

• GUI and CLI-based initial configuration wizards.

• Up to three Network Time Protocol (NTP) servers, with support for FQDN names.

• Simple Network Management Protocol (SNMP) Version 3 polling, configurable through the CLI.

• IEEE 802.11r with support for Over-the-Air Fast BSS transition method, Over-the-DS Fast BSS transition method, and Fast Transition PSK authentication. Fast BSS transition methods are supported via CLI only.

• CCKM, supported via CLI only.

• Client ping test

• Changing the country code on the controller and APs on the network, via the controller GUI.

• Syslog messaging towards external server.

• Software image download using TFTP and HTTP.

• Priming at distribution site.

• Default Service Set Identifier (SSID), set from factory. Available for initial provisioning only.

• Management through the web interface Monitoring Dashboard.

• Cisco Wireless Controller Best Practices.

• Quality of Service (QoS).

• Multicast with default settings.

• Application Visibility and Control (AVC)—Limited HTTP, with only Application Visibility and not Control. Deep Packet inspection with 1,500+ signatures.

• WLAN access control lists (ACLs).

• Roaming—Layer 2 roaming without mobility groups.

• IPv6—For client bridging only.

• High Density Experience (HDX)—Supported when managing APs that support HDX.

• Radio Resource Management (RRM)—Supported within AP group only.

• WPA2 Security.

• WLAN-VLAN mapping.

• Guest WLAN login with Web Authorization.

• Local EAP Authentication (local RADIUS server).

• Local profile.

• Network Time Protocol (NTP) Server.

• Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP).

• Clean Air.

• Simple Network Management Protocol—SNMPv1, by default, and SNMPv2c.

• Management—SSH, Telnet, Admin users.

• Reset to factory defaults.

• Serviceability—Core file and core options, Logging and syslog.

• Cisco Prime Infrastructure.

• BYOD—Onboarding only.

• UX regulatory domain.

• Authentication, Authorization, Accounting (AAA) Override.

• IEEE 802.11k

• IEEE 802.11r

• Supported—Over-the-Air Fast BSS transition method

• Not Supported—Over-the-DS Fast BSS transition and Fast Transition PSK authentication

• Passive Client

• Voice with Call Admission Control (CAC), with Traffic Specification (TSpec)

• Fast SSID Changing

• Terminal Access Controller Access Control System (TACACS)

• Management over wireless

• High Availability and Redundancy—Built-in redundancy mechanism to self-select a primary AP and to select a new AP as primary in case of a failure. Supported using VRRP.

• Software upgrade with preimage download

• Migration to controller-based deployment.