• If you are using Release 8.4 and want to upgrade to a later release, it is necessary that you upgrade to Release 8.5.105.0 and then move to a later release.

  Note	This restriction is applicable only to Release 8.4 and not any other release.

• The image format of Cisco Aironet 1700, 2700, 3700, and IW3702 APs has been changed from ap3g2 to c3700. Therefore, if you are upgrading to Release 8.5 or a later release from Release 8.3 or an earlier release, these APs will download the image twice and reboot twice.

• Support for Dynamic WEP is reintroduced in Cisco Wave1 APs in this release.

• The AAA database size is increased from 2048 entries to 12000 entries for these Cisco WLCs: Cisco Flex 7510, 8510, 5520, and 8540. Therefore, if you downgrade from Release 8.5 to an earlier release that does not include this enhancement, you might lose most of the AAA database configuration, including management user information. To retain at least 2048 entries, including management user information, we recommend that you follow these downgrade instructions and back up the configuration file before proceeding with the downgrade:

  1. From Release 8.5, downgrade to one of the following releases, which support 2048 database size and include the enhancement.

     • Release 8.4.100.0 or a later 8.4 release

     • Release 8.3.102.0 or a later 8.3 release

     • Release 8.2.130.0 or a later 8.2 release

     • Release 8.0.140.0 or a later 8.0 release

  2. Downgrade to a release of your choice.

• In Release 8.5, the search functionality in the Cisco WLC Online Help for all WLCs is disabled due to memory issues encountered in these WLCs: Cisco 2504, 5508, and WiSM2.

• Release 8.4 and later releases support additional configuration options for 802.11r FT enable and disable. The additional configuration option is not valid for releases earlier than Release 8.4. If you downgrade from Release 8.5 to Release 8.2 or an earlier release, the additional configuration option is invalidated and defaulted to FT disable. When you reboot Cisco WLC with the downgraded image, invalid configurations are printed on the console. We recommend that you ignore this because there is no functional impact, and the configuration defaults to FT disable.

• If you downgrade from Release 8.5 to a 7.x release, the trap configuration is lost and must be reconfigured.

• If you downgrade from Release 8.5 to Release 8.1, the Cisco Aironet 1850 Series AP whose mode was Sensor prior to the downgrade is shown to be in unknown mode after the downgrade. This is because the Sensor mode is not supported in Release 8.1.

• If you have an IPv6-only network and are upgrading to Release 8.4 or a later release, ensure that you perform the following activities:

  • Enable IPv4 and DHCPv4 on the network—Load a new Cisco WLC software image on all the Cisco WLCs along with the supplementary AP bundle images on Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2, or perform a predownload of AP images on the corresponding Cisco WLCs.

  • Reboot Cisco WLC immediately or at a preset time.

  • Ensure that all Cisco APs are associated with Cisco WLC.

  • Disable IPv4 and DHCPv4 on the network.

• After downloading the new software to the Cisco APs, it is possible that a Cisco AP may get stuck in an upgrading image state. In such a scenario, it might be necessary to forcefully reboot Cisco WLC to download a new image or to reboot Cisco WLC after the download of the new image. You can forcefully reboot Cisco WLC by entering the reset system forced command.

• It is not possible to download some of the older configurations from Cisco WLC because of the Multicast and IP address validations. See the "Restrictions on Configuring Multicast Mode" section in the Cisco Wireless Controller Configuration Guide for detailed information about platform support for global multicast and multicast mode.

• If you upgrade from Release 8.0.110.0 to a later release, the config redundancy mobilitymac mac-addr command's setting is removed. You must manually reconfigure the mobility MAC address after the upgrade.

• If you downgrade to Release 8.0.140.0 or 8.0.15x.0, and later upgrade to a later release and and also have the multiple country code feature configured, then the configuration file could get corrupted. When you try to upgrade to a later release, special characters are added in the country list causing issues when loading the configuation. For more information, see CSCve41740.

  Note	Upgrade and downgrade between other releases does not result in this issue.

• If you are upgrading from a 7.4.x or an earlier release to a release later than 7.4, the Called Station ID type information is mapped to the RADIUS Accounting Called Station ID type, which, by default, is set to apradio-mac-ssid. You can configure the RADIUS Authentication Called Station ID type information by using the config radius auth callStationIdType command.

• When a client sends an HTTP request, the Cisco WLC intercepts it for redirection to the login page. If the HTTP GET request that is intercepted by the Cisco WLC is longer than 2000 bytes, the Cisco WLC drops the packet. Track CSCuy81133 for a possible enhancement to address this restriction.

• We recommend that you install Cisco Wireless Controller Field Upgrade Software (FUS), which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA or MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information about FUS and the applicable Cisco WLC platforms, see the Field Upgrade Software release notes listing.

  Note	For Cisco 2504 WLC, we recommend that you upgrade to FUS 1.9.0 release or a later release.

• If FIPS is enabled in Cisco Flex 7510 WLC, the reduced boot options are displayed only after a bootloader upgrade.

  Note	Bootloader upgrade is not required if FIPS is disabled.

• When downgrading from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous Cisco WLC configuration files that are saved in the backup server, or to reconfigure Cisco WLC.

• It is not possible to directly upgrade to this release from a release that is earlier than Release 7.0.98.0.

• When you upgrade Cisco WLC to an intermediate release, wait until all the APs that are associated with Cisco WLC are upgraded to the intermediate release before you install the latest Cisco WLC software. In large networks, it can take some time to download the software on each AP.

• You can upgrade to a new release of the Cisco WLC software or downgrade to an earlier release even if FIPS is enabled.

• When you upgrade to the latest software release, the software on the APs associated with the Cisco WLC is also automatically upgraded. When an AP is loading software, each of its LEDs blinks in succession.

• We recommend that you access the Cisco WLC GUI using Microsoft Internet Explorer 11 or a later version, or Mozilla Firefox 32 or a later version.

• Cisco WLCs support standard SNMP MIB files. MIBs can be downloaded from the software download page on Cisco.com.

• The Cisco WLC software is factory installed on your Cisco WLC and is automatically downloaded to the APs after a release upgrade and whenever an AP joins a Cisco WLC. We recommend that you install the latest software version available for maximum operational benefit.

• Ensure that you have a TFTP, HTTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

  • Ensure that your TFTP server supports files that are larger than the size of Cisco WLC software image. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within Cisco Prime Infrastructure. If you attempt to download the Cisco WLC software image and your TFTP server does not support files of this size, the following error message appears:

    TFTP failure while storing in flash

  • If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same subnet or a different subnet because the distribution system port is routable.

• When you plug a Cisco WLC into an AC power source, the bootup script and power-on self test is run to initialize the system. During this time, press Esc to display the bootloader Boot Options menu. The menu options for the Cisco 5508 WLC differ from the menu options for the other Cisco WLC platforms.

  The following is the Bootloader menu for Cisco 5508 WLC:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Change active boot image
  4. Clear Configuration
  5. Format FLASH Drive
  6. Manually update images
  Please enter your choice:

  The following is the Bootloader menu for other Cisco WLC platforms:

  Boot Options
  Please choose an option from below:
  1. Run primary image
  2. Run backup image
  3. Manually update images
  4. Change active boot image
  5. Clear Configuration
  Please enter your choice:
  
  Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on Cisco 5508 WLC), 
  or enter 5 (on Cisco WLC platforms other than 5508 WLC) to run the current software and set 
  the Cisco WLC configuration to factory defaults. Do not choose the other options unless directed to do so.

  Note	See the Installation Guide or the Quick Start Guide of the respective Cisco WLC platform for more details on running the bootup script and the power-on self test.

• The Cisco WLC Bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the Bootloader to boot with the backup image.

  With the backup image stored before rebooting, choose Option 2: Run Backup Image from the Boot Options menu to boot from the backup image. Then, upgrade with a known working image and reboot Cisco WLC.

• You can control the addresses that are sent in the Control and Provisioning of Wireless Access Points (CAPWAP) discovery responses when NAT is enabled on the Management Interface, using the following command:

  config network ap-discovery nat-ip-only {enable | disable}

  The following are the details of the command:

  enable —Enables use of NAT IP only in a discovery response. This is the default. Use this command if all the APs are outside the NAT gateway.

  disable —Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside the NAT gateway, for example, Local Mode and OfficeExtend APs are on the same Cisco WLC.

  Note	To avoid stranding of APs, you must disable AP link latency (if enabled) before you use the disable option in the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

• Do not power down Cisco WLC or any AP during the upgrade process. If you do this, the software image might get corrupted. Upgrading Cisco WLC with a large number of APs can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent AP upgrades supported, the upgrade time should be significantly reduced. The APs must remain powered, and Cisco WLC must not be reset during this time.

• To downgrade from this release to Release 6.0 or an earlier release, perform either of these tasks:

  • Delete all the WLANs that are mapped to interface groups, and create new ones.

  • Ensure that all the WLANs are mapped to interfaces rather than interface groups.

• After you perform the following functions on Cisco WLC, reboot it for the changes to take effect:

  • Enable or disable LAG

  • Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

  • Add a new license or modify an existing license

    Note	Reboot is not required if you are using Right-to-Use licenses.

  • Increase the priority of a license

  • Enable HA

  • Install the SSL certificate

  • Configure the database size

  • Install the vendor-device certificate

  • Download the CA certificate

  • Upload the configuration file

  • Install the Web Authentication certificate

  • Make changes to the management interface or the virtual interface

Due to an increase in the size of the Cisco WLC software image, the Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2 software images are split into the following two images:

• Base Install image, which includes the Cisco WLC image and a subset of AP images (excluding some mesh AP images and AP80x images) that are packaged in the Supplementary AP Bundle image

• Supplementary AP Bundle image, which includes AP images that are excluded from the Base Install image. The APs that feature in the Supplementary AP Bundle image are:

  • Cisco AP802

  • Cisco AP803

  • Cisco Aironet 1530 Series AP

  • Cisco Aironet 1550 Series AP (with 128-MB memory)

  • Cisco Aironet 1570 Series APs

  • Cisco Aironet 1600 Series APs

Note	There is no change with respect to the rest of the Cisco WLC platforms.

• Domain-based ACLs

• Autoinstall

• Controller integration with Lync SDN API

• Application Visibility and Control (AVC) for FlexConnect locally switched APs

• Application Visibility and Control (AVC) for FlexConnect centrally switched APs

  Note	AVC for local mode APs is supported.

• URL ACL

• Bandwidth Contract

• Service Port

• AppleTalk Bridging

• Right-to-Use Licensing

• PMIPv6

• EoGRE

• AP Stateful Switchover (SSO) and client SSO

• Multicast-to-Unicast

• Cisco Smart Software Licensing

Note	The features that are not supported on Cisco WiSM2 and Cisco 5508 WLC are not supported on Cisco 2504 WLCs too. Directly connected APs are supported only in local mode.

• Cisco WLAN Express Setup Over-the-Air Provisioning

• Mobility controller functionality in converged access mode

• VPN Termination (such as IPsec and L2TP)

• Domain-based ACLs

• VPN Termination (such as IPSec and L2TP) —IPSec for RADIUS/SNMP is supported; general termination is not supported.

• Fragmented pings on any interface

• Right-to-Use Licensing

• Cisco 5508 WLC and Cisco WiSM2 cannot function as mobility controller (MC). However, it can function as guest anchor in a New Mobility environment.

• Cisco Smart Software Licensing

• Domain-based ACL

• Cisco Umbrella—Not supported in FlexConnect locally switched WLANs; however, it is supported in centrally switched WLANs.

• Static AP-manager interface

  Note	For Cisco Flex 7510 WLCs, it is not necessary to configure an AP-manager interface. The management interface acts as an AP-manager interface by default, and the APs can associate with the controller on this interface.

• IPv6 and dual-stack client visibility

  Note	IPv6 client bridging and Router Advertisement Guard are supported.

• Internal DHCP server

• APs in local mode

  Note	A Cisco AP associated with a controller in local mode should be converted to FlexConnect mode or monitor mode, either manually or by enabling the autoconvert feature. From the Cisco Flex 7510 WLC CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

• Mesh (Use Flex + Bridge mode for mesh-enabled FlexConnect deployments)

• Cisco Flex 7510 WLC cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel the guest traffic to a guest anchor controller in a DMZ.

• Multicast

  Note	FlexConnect locally switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on Internet Group Management Protocol (IGMP) or MLD snooping.

• PMIPv6

• Cisco Smart Software Licensing

• Internal DHCP Server

• Mobility controller functionality in converged access mode

• VPN termination (such as IPsec and L2TP)

• Fragmented pings on any interface

Note	Cisco Smart Software Licensing is not supported on Cisco 8510 WLC.

• Cisco Umbrella

• Domain-based ACLs

• Internal DHCP server

• Cisco TrustSec

• Access points in local mode

• Mobility/Guest Anchor

• Wired Guest

• Multicast

  Note	FlexConnect locally switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect APs do not limit traffic based on IGMP or MLD snooping.

• FlexConnect central switching in large-scale deployments

  Note	FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps. FlexConnect local switching is supported.

• Central switching on Microsoft Hyper-V deployments

• AP and Client SSO in High Availability

• PMIPv6

• Datagram Transport Layer Security (DTLS)

• EoGRE (Supported in only local switching mode)

• Workgroup bridges

• Client downstream rate limiting for central switching

• SHA2 certificates

• Controller integration with Lync SDN API

• Cisco OfficeExtend Access Points

• Load-based call admission control (CAC). Mesh networks support only bandwidth-based CAC or static CAC.

• High availability (Fast heartbeat and primary discovery join timer).

• AP acting as supplicant with EAP-FASTv1 and 802.1X authentication.

• AP join priority (Mesh APs have a fixed priority)

• Location-based services

• Dynamic Mesh backhaul data rate.

  Note	We recommend that you keep the Bridge data rate of the AP as auto.

• Background scanning

• Noise Tolerant Fast Convergence

• Flex+Mesh

• Noise Tolerant Fast Convergence

• Flex+Mesh