The integration of Cisco Umbrella WLAN and controller provides web classification and security for clients connecting to controller. Key differentiators involve granular web classification and reporting by WLAN, user role, and location. This feature is supported on these controllers: 2504, 5508, 5520, 8510, 8540, and WiSM2.

For more information, see the Cisco Umbrella WLAN section in the configuration guide.

Domain-based ACLs allow administrators to define domain access control list (ACL) to allow or disallow traffic. This additional level of security is added to the Cisco Wireless solution to allow you to put a specific set of domains in a blocked list or an allowed list.

Domain-based ACL extends the ACL from Layer 3 IP to domain-based ACL. This feature is supported on Cisco 5520 WLCs and Cisco 8540 WLCs, can have up to 64 ACLs, with each ACL supporting 100 rules.

For more information, see the Domain-based Filtering section in the configuration guide.

This is an option that is provided to apply the default Cisco ISE configuration for controller so that you do not have to explicitly configure some of the settings required to use Cisco ISE.

You can apply the default Cisco ISE configuration in the following scenarios:

• When you configure a RADIUS authentication server, and in the process enable the default Cisco ISE settings, the following configurations are applied:

  • CoA is enabled by default.

  • The authentication server details (IP and shared-secret) are also applied to the accounting server.

• When you configure the AAA server to override the use of default servers on a WLAN, and in the process enable the default Cisco ISE settings, the following configurations are applied:

  • When you add the authentication server for a WLAN, the authentication server details are also applied to the accounting server for the WLAN.

    Note	Change on Authentication server back to None is not applied on the accounting server.

  • AAA override is enabled by default.

  • The NAC state is set to ISE NAC by default.

  • DHCP profiling and HTTP profiling are enabled by default, for RADIUS client profiling.

  • Captive bypass mode is enabled by default.

• When you configure the Employee Network as part of the initial setup using the Cisco WLAN Express Setup method, and in the process enable the default Cisco ISE settings, the following configurations are applied:

  • CoA is enabled by default.

  • The authentication server details (IP and shared-secret) are also applied to the accounting server.

  • When you add the authentication server for a WLAN, the authentication server details are also applied to the accounting server for the WLAN.

  • AAA override is enabled by default.

  • The NAC state is set to ISE NAC by default.

  • DHCP profiling and HTTP profiling are enabled by default, for RADIUS client profiling.

  • Captive bypass mode is enabled by default.

Cisco TrustSec enables organizations to secure their networks and services through identity-based access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services. You can combine Cisco TrustSec with personalized, professional service offerings to simplify the solution deployment and management, and is a foundational security component to Cisco Borderless Networks.

• SXP—From Release 8.4, SXPv4 is supported in FlexConnect mode APs.

• PAC Provisioning and Device Enrollment—Any device that participates in a Cisco TrustSec network must be authenticated as a trusted device. To facilitate the authentication process, new devices connected to a Cisco TrustSec network undergo an enrollment process, wherein a device receives the credentials that are specifically needed for the device's authentication along with general Cisco TrustSec environment information.

  Controller device enrollment is initiated by controller as part of Protected Access Credential (PAC) provisioning with the Cisco ISE server. Controller initiates EAP-FAST and gets a PAC. This is accomplished by using the infrastructure of LOCAL-EAP EAP-FAST PAC provisioning. The PAC that is obtained uniquely maps to the device ID. If the device ID changes, the PAC data associated with the previous device ID is removed from the PAC store. PAC provisioning is triggered when a RADIUS server instance is enabled to provision the PAC.

• Environment Data—Cisco TrustSec environment data is a set of information or attributes that helps controller to perform Cisco TrustSec-related functions.

• Inline Tagging—Inline tagging is a transport mechanism using which a controller or a Cisco AP understands the source SGT.

• SGACL—You can control the operations that users can perform based on the security group assignments of users and destination resources, using the Security Group Access Control Lists (SGACLs). Policy enforcement in a Cisco TrustSec domain is represented by a permission matrix, with the source security group on one axis and destination security group numbers on the other axis. Each cell in the matrix body contains an ordered list of SGACLs, which specifies the permissions that must be applied to packets originating from the source security group and destined for the destination security group. When a wireless client is authenticated, it downloads all the SGACLs in the matrix cells.

For more information, see the Cisco TrustSec section in the configuration guide.

Support is added for High Availability (HA) with N+1 in Cisco Virtual Wireless Controller (vWLC).

Support is added for Cisco vWLC in Hyper-V hypervisor. Cisco vWLC is now supported in any x86 server with VMware Hypervisor ESXi4.x, 5.x, and 6.x as well as KVM and Hyper-V.

• Wave 1 APs (AP1600, AP1700, AP2600, AP2700, AP3600, and AP3700)—Added EoGREv6 tunnel support from FlexConnect+Local switching AP to gateway.

• Wave 2 APs (AP1560, AP1810, AP1815, AP1830, AP1850, AP2800, and AP3800)—Added EoGREv4 and EoGREv6 tunnel support from FlexConnect+Local switching AP to gateway.

• Path MTU discovery is supported in FlexConnect APs.

For more information, see the Ethernet over GRE Tunnels section in the configuration guide.

Cisco Aironet 1815i and 1815w Access Points are supported. For more information, see

Support is added for infrastructure and native IPv6 functionality in Cisco 802.11ac Wave 2 Access Points.

Support is added for FlexConnect functionality in Wave 2 APs for these features:

• Proxy ARP—AP acts as an ARP proxy to respond to ARP requests on behalf of wireless clients.

• NAT/PAT—AP supports NAT and PAT for central DHCP.

• AAA QoS Override per Client—Clients can assign QoS profile based on AAA.

• Mesh mode and Mesh Ethernet Bridging is now supported in Cisco Aironet 1560 Series Access Points. For more information, see

  http://www.cisco.com/c/en/us/support/wireless/aironet-1560-series/tsd-products-support-series-home.html.

• Air Time Fairness (ATF) in 802.11ac Wave 1 APs in mesh mode allows you to regulate radio resources for mesh networks.

Support is introduced for remote LAN in wired ports of Cisco Aironet 702W APs.

For more information, see the RLAN Support for Wired Ports on Cisco Aironet 702w APs section in the configuration guide.

Support is introduced for non-native VLAN in CAPWAP tunneled and non-tunneled mode in Cisco Aironet 2700 APs.

Cisco Hyperlocation is supported in a High-Availability environment. The global and per AP group hyperlocation configuration is mirrored from the active controller to the standby controller. The standby controller updates only the internal state and does not forward any configuration information to the Cisco APs.

For Cisco MSE message encryption, the controller generates an encryption key and sends it to the Cisco APs and to the Cisco MSE, which uses it for encryption and decryption as end clients. The standby controller does not generate an encryption key and the Cisco APs and the Cisco MSE use the actual key shared by the active controller.

This feature prevents unauthorized access of the network. Using this feature, users with read and write or lobby administrator privileges can control which clients can access the network. The administrators can filter the clients based on the client MAC address and group them to provide access to the network.

For more information, see the Client Whitelisting section in the configuration guide.

Added support for the WeChat application for easy Wi-Fi connectivity, using QR-code scanning for redirection or captive portal redirection.

For more information, see the FlexConnect AP Easy Admin and WeChat Authentication-Based Internet Access sections in the configuration guide.

A controller that supports link aggregation (LAG) can go into a LAG-in-Transition (LAT) mode during transition between LAG to non-LAG mode or vice versa. The transition is complete only when controller is rebooted. In LAT mode, you can make configuration or interface changes and also revert to the previous LAG mode. After controller is rebooted, your configuration might get lost or you might encounter a system failure. However, from Release 8.4, it is possible to prevent such incidents by restricting interface-related configuration changes when controller is in LAT state.

Cisco Wireless Release 8.4 provides the Parallel Redundancy Protocol (PRP) enhancement to improve wireless network availability for wired clients behind Workgroup Bridge (WGB), and improve the roaming performance by allowing wired clients to have dual wireless connections.

For more information, see the Parallel Redundancy Protocol Enhancement on AP and WGB section in the configuration guide.

NBAR2 Protocol Pack 19.1.0 is the default protocol pack for Release 8.4. Optionally, you can upgrade to NBAR2 Protocol Pack 24.0.0, which is also supported in Release 8.4.

For more information about NBAR2 Protocol Packs for controllers, see

http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html

If you are using a Cisco 2500 Series WLC and want to upgrade to Release 8.3.121.0, you must install Cisco Wireless LAN Controller Field Upgrade Software, Release 1.9.0.0 or a later release. For more information, see http://www.cisco.com/c/en/us/support/wireless/2500-series-wireless-controllers/products-release-notes-list.html#anchor512.

Download the Cisco Wireless LAN Controller Field Upgrade Software for Cisco 2500 Series WLC from the Download Software page.

For other controller platforms, see the respective Cisco Wireless LAN Controller Field Upgrade Software release notes for recommended FUS images.

The following access points are not supported from this release:

• Cisco Aironet 600 Series OfficeExtend Access Points

• Cisco Aironet 1550 Series Access Points with 64-MB memory

• Cisco Aironet 1040 Series Access Points

• Cisco Aironet 1140 Series Access Points

• Cisco Aironet 1260 Series Access Points

The GLC-TE 1000BASE-T SFP module is supported in Cisco 5508 WLCs. The Cisco 5508 WLCs that have the GLC-TE SFP module must run Release 8.3 or a later release. The GLC-TE SFP module is a replacement of GLC-T, which has reached its end-of-sale date as of June 1, 2017. For more information about end-of-sale and end-of-life announcement for select Cisco 1000BASE-T SFP modules, see http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/eos-eol-notice-c51-737325.html.

• The AAA database size is increased from 2048 entries to 12000 entries for some Cisco WLC platforms (Cisco Flex 7510, 8510, 5520, and 8540 WLCs). Therefore, if you downgrade from Release 8.4 to an earlier release that does not include this enhancement, you might lose most of the AAA database configuration, including management user information. To retain at least 2048 entries, including management user information, we recommend that you follow these downgrade instructions and back up the configuration file before proceeding with downgrade:

  1. From Release 8.4, downgrade to one of the following releases, which support 2048 database size and include the enhancement.

     • Release 8.3.102.0 or a later 8.3 release

     • Release 8.2.130.0 or a later 8.2 release

     • Release 8.0.140.0 or a later 8.0 release

  2. Downgrade to a release of your choice.

• If you are using Release 8.4 and want to upgrade to a later release, it is necessary that you upgrade to Release 8.5.105.0 and then move to a later release.

  Note	This restriction is applicable only to Release 8.4 and not any other release.

• Release 8.4 supports additional configuration options for 802.11r FT enable and disable. The additional configuration option is not valid for releases earlier than Release 8.4. If you downgrade from this release to Release 8.2 or an earlier release, the additional configuration option is invalidated and defaulted to FT disable. When you reboot Cisco WLC with the downgraded image, invalid configurations are printed on the console. We recommend that you ignore this because there is no functional impact, and the configuration defaults to FT disable.

• If you downgrade from Release 8.4 to a 7.x release, the trap configuration is lost and must be reconfigured.

• If you downgrade from Release 8.4 to Release 8.1, the Cisco Aironet 1850 Series AP whose mode was Sensor prior to the downgrade is shown to be in unknown mode after the downgrade. This is because the Sensor mode is not supported in Release 8.1.

• If you have an IPv6-only network and are upgrading to Release 8.4.100.0 or a later release, ensure that you perform the following activities:

  • Enable IPv4 and DHCPv4 on the network—Load a new Cisco WLC software image on all Cisco WLCs along with the Supplementary AP Bundle images on Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 or perform a predownload of AP images on the required Cisco WLCs.

  • Reboot Cisco WLC immediately or at the preset time.

  • Ensure that all Cisco APs are associated with Cisco WLC.

  • Disable IPv4 and DHCPv4 on the network.

• After downloading new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an upgrading image state. In such a scenario, it might be necessary to forcefully reboot Cisco WLC to download a new image or to reboot Cisco WLC after the download of the new image. You can forcefully reboot Cisco WLC by entering the reset system forced command.

• It is not possible to download some of the older configurations from Cisco WLC because of the Multicast and IP address validations. See the Restrictions on Configuring Multicast Mode section in the configuration guide for detailed information about platform support for Global Multicast and Multicast Mode.

• If you upgrade from Release 8.0.110.0 to a later release, the config redundancy mobilitymac mac-addr command's setting is removed. You must manually reconfigure the mobility MAC address after the upgrade.

• If you downgrade to Release 8.0.140.0 or 8.0.15x.0, and later upgrade to a later release and and also have the multiple country code feature configured, then the configuration file could get corrupted. When you try to upgrade to a later release, special characters are added in the country list causing issues when loading the configuation. For more information, see CSCve41740.

  Note	Upgrade and downgrade between other releases does not result in this issue.

• If you have ACL configurations in a Cisco WLC, and downgrade from a 7.4 or later release to a 7.3 or earlier release, you might experience XML errors on rebooting Cisco WLC. However, these errors do not have any impact on any of the functionalities or configurations.

• If you are upgrading from a 7.4.x or an earlier release to a release later than 7.4, the Called Station ID type information is mapped to the RADIUS Accounting Called Station ID type, which, by default, is set to apradio-mac-ssid. You can configure the RADIUS Authentication Called Station ID type information by using the config radius auth callStationIdType command.

• When FlexConnect APs (known as H-REAP APs in the 7.0.x releases) that are associated with a Cisco WLC that has all the 7.0.x software releases prior to Release 7.0.240.0, upgrade to this release, the APs lose the enabled VLAN support configuration. The VLAN mappings revert to the default values of the VLAN of the associated interface. The workaround is to upgrade from Release 7.0.240.0 and later 7.0.x releases to this release.

  Note	In case of FlexConnect VLAN mapping deployment, we recommend that the deployment be carried out using FlexConnect groups. This allows you to recover VLAN mapping after an AP rejoins the Cisco WLC without having to manually reassign the VLAN mappings.

• When a client sends an HTTP request, the Cisco WLC intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the Cisco WLC is longer than 2000 bytes, the Cisco WLC drops the packet. Track CSCuy81133 for a possible enhancement to address this restriction.

• We recommend that you install Cisco Wireless Controller Field Upgrade Software (FUS), which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA or MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information about FUS and the applicable Cisco WLC platforms, see the Field Upgrade Software release notes listing.

• If FIPS is enabled in Cisco Flex 7510 WLC, the reduced boot options are displayed only after a bootloader upgrade.

  Note	Bootloader upgrade is not required if FIPS is disabled.

• If you have to downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous Cisco WLC configuration files that are saved in the backup server, or to reconfigure Cisco WLC.

• It is not possible to directly upgrade to this release from a release that is earlier than Release 7.0.98.0.

• When you upgrade Cisco WLC to any intermediate release, you must wait until all the APs that are associated with Cisco WLC are upgraded to the intermediate release before you install the latest Cisco WLC software. In large networks, it can take some time to download the software on each AP.

• You can upgrade to a new release of the Cisco WLC software or downgrade to an earlier release even if FIPS is enabled.

• When you upgrade to the latest software release, the software on the access points associated with the Cisco WLC is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

• We recommend that you access the Cisco WLC GUI using Microsoft Internet Explorer 11 or a later version, or Mozilla Firefox 32 or a later version.

• Cisco WLCs support standard SNMP MIB files. MIBs can be downloaded from the Software Center on Cisco.com.

• The Cisco WLC software is factory installed on your Cisco WLC and is automatically downloaded to the APs after a release upgrade and whenever an AP joins a Cisco WLC. We recommend that you install the latest software version available for maximum operational benefit.

• Ensure that you have a TFTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

  • Ensure that your TFTP server supports files that are larger than the size of Cisco WLC software image. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the Cisco WLC software image and your TFTP server does not support files of this size, the following error message appears: TFTP failure while storing in flash.

  • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

• When you plug a Cisco WLC into an AC power source, the bootup script and power-on self test is run to initialize the system. During this time, press Esc to display the bootloader Boot Options menu. The menu options for the Cisco 5508 WLC differ from the menu options for the other Cisco WLC platforms.

  The following is the Bootloader menu for Cisco 5508 WLC:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Change active boot image
  4. Clear Configuration
  5. Format FLASH Drive
  6. Manually update images
  Please enter your choice:

  The following is the Bootloader menu for other Cisco WLC platforms:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Manually update images
  4. Change active boot image
  5. Clear Configuration
  Please enter your choice:
  
  Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on Cisco 5508 WLC), 
  or enter 5 (on Cisco WLC platforms other than 5508 WLC) to run the current software and set 
  the Cisco WLC configuration to factory defaults. Do not choose the other options unless directed to do so.

  Note	See the Installation Guide or the Quick Start Guide of the respective Cisco WLC platform for more details on running the bootup script and the power-on self test.

• The Cisco WLC bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

  With the backup image stored before rebooting, choose Option 2: Run Backup Image from the Boot Options menu to boot from the backup image. Then, upgrade with a known working image and reboot Cisco WLC.

• You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface using the following command:

  config network ap-discovery nat-ip-only {enable | disable}

  The following are the details of the command:

  enable —Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

  disable —Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same Cisco WLC.

  Note	To avoid stranding of APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

• Do not power down Cisco WLC or any AP during the upgrade process. If you do this, the software image might get corrupted. Upgrading Cisco WLC with a large number of APs can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent AP upgrades supported, the upgrade time should be significantly reduced. The APs must remain powered, and Cisco WLC must not be reset during this time.

• To downgrade from this release to Release 6.0 or an earlier release, perform either of these tasks:

  • Delete all the WLANs that are mapped to interface groups, and create new ones.

  • Ensure that all the WLANs are mapped to interfaces rather than interface groups.

• After you perform the following functions on Cisco WLC, reboot it for the changes to take effect:

  • Enable or disable LAG

  • Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

  • Add a new license or modify an existing license

  • Increase the priority of a license

  • Enable HA

  • Install the SSL certificate

  • Configure the database size

  • Install the vendor-device certificate

  • Download the CA certificate

  • Upload the configuration file

  • Install the Web Authentication certificate

  • Make changes to the management interface or the virtual interface

  • Make changes to TCP MSS settings

• From Release 8.3 or a later release, ensure that the configuration file that you back up does not contain the < or > special characters. If either of the special characters is present, the download of the backed up configuration file fails.

Due to an increase in the size of the Cisco WLC software image, the Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 software images are split into the following two images:

• Base Install image, which includes the Cisco WLC image and a subset of AP images (excluding some mesh AP images and AP80x images) that are packaged in the Supplementary AP Bundle image

• Supplementary AP Bundle image, which includes AP images that are excluded from the Base Install image. The APs that feature in the Supplementary AP Bundle image are:

  • AP802

  • Cisco Aironet 1530 Series AP

  • Cisco Aironet 1550 Series AP (with 128-MB memory)

  • Cisco Aironet 1570 Series APs

Note	There is no change with respect to the rest of the Cisco WLC platforms.

• Domain-based ACLs

• Autoinstall

• Controller integration with Lync SDN API

• Application Visibility and Control (AVC) for FlexConnect local switched APs

• Application Visibility and Control (AVC) for FlexConnect centrally switched APs

  Note	However, AVC for local mode APs is supported.

• URL ACL

• Bandwidth Contract

• Service Port

• AppleTalk Bridging

• Right-to-Use Licensing

• PMIPv6

• EoGRE

• AP Stateful Switchover (SSO) and client SSO

• Multicast-to-Unicast

• Cisco Smart Software Licensing

Note	The features that are not supported on Cisco WiSM2 and Cisco 5508 WLC are not supported on Cisco 2504 WLCs too. Directly connected APs are supported only in the local mode.

• Domain-based ACLs

• Spanning Tree Protocol (STP)

• Port Mirroring

• VPN Termination (such as IPSec and L2TP)

• VPN Passthrough Option

  Note	You can replicate this functionality on a Cisco 5508 WLC by creating an open WLAN using an ACL.

• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

• Fragmented pings on any interface

• Right-to-Use Licensing

• Cisco 5508 WLC cannot function as mobility controller (MC). However, Cisco 5508 WLC can function as guest anchor in a New Mobility environment.

• Cisco Smart Software Licensing

• Domain-based ACL

• Cisco Umbrella—Not supported in FlexConnect local switched WLANs; however, it is supported in central switched WLANs.

• Static AP-manager interface

  Note	For Cisco Flex 7510 WLCs, it is not necessary to configure an AP-manager interface. The management interface acts as an AP-manager interface by default, and the APs can join on this interface.

• IPv6 and dual-stack client visibility

  Note	IPv6 client bridging and Router Advertisement Guard are supported.

• Internal DHCP server

• APs in local mode

  Note	A Cisco AP associated with a controller in the local mode should be converted to the FlexConnect mode or Monitor mode, either manually or by enabling the autoconvert feature. From the Cisco Flex 7510 WLC CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

• Mesh (use Flex + Bridge mode for mesh-enabled FlexConnect deployments)

• Spanning Tree Protocol (STP)

• Cisco Flex 7510 WLC cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.

• Multicast

  Note	FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on Internet Group Management Protocol (IGMP) or MLD snooping.

• PMIPv6

• Cisco Smart Software Licensing

• Internal DHCP Server

• Mobility controller functionality in converged access mode

• Spanning Tree Protocol (STP)

• Port Mirroring

• VPN Termination (such as IPsec and L2TP)

• VPN Passthrough Option

• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)

• Fragmented pings on any interface

Note	Cisco Smart Software Licensing is not supported on Cisco 8510 WLC.

• Cisco Umbrella

• Domain-based ACLs

• Internal DHCP server

• Cisco TrustSec

• Access points in local mode

• Mobility/Guest Anchor

• Wired Guest

• Multicast

  Note	FlexConnect local-switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic based on IGMP or MLD snooping.

• FlexConnect central switching in large-scale deployments

  Note	FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps. FlexConnect local switching is supported.

• Central switching on Microsoft Hyper-V deployments

• AP and Client SSO in High Availability

• PMIPv6

• Datagram Transport Layer Security (DTLS)

• EoGRE (Supported in only local switching mode)

• Workgroup Bridges

• Client downstream rate limiting for central switching

• SHA2 certificates

• Controller integration with Lync SDN API

• Cisco OfficeExtend Access Points

• Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC

• High availability (fast heartbeat and primary discovery join timer)

• AP acting as supplicant with EAP-FASTv1 and 802.1X authentication

• AP join priority (mesh APs have a fixed priority)

• Location-based services

• Noise Tolerant Fast Convergence