OmniVista Cirrus Production Notes 3.1.0
OmniVista® Cirrus is a cloud-based Network Management System (NMS). This cloud-based approach eliminates the need for purchasing and maintaining a physical server and installing the NMS on premise, since everything resides in the cloud. Network Operators can access OmniVista Cirrus from anywhere, using any approved browser and device (e.g., workstation, tablet).
Access to OmniVista Cirrus is supported on the following browsers: Internet Explorer 11+ (on Windows client PCs), Chrome 68+ (on Windows and Redhat/SuSE Linux client PCs), and Firefox 62+ (on Windows and Redhat/SuSE Linux client PCs).
These Production Notes detail new features and functions, network/device configuration prerequisites, supported devices, and known issues/workarounds in OmniVista Cirrus. Please read the Production Notes in their entirety as they contain important operational information that may impact successful use of the application.
- New Features and Functions
- Network and Device Prerequisites
- Supported Devices
- Issues/Workarounds
- Issues Fixed
- Additional Documentation
New Features and Functions
An overview of new features and functions is provided below.
Browser Support
- Internet Explorer has been deprecated and is not recommended. Chrome 68+ and Firefox 62+ are recommended.
Applications
New Applications
The following section details new applications introduced in this release.
- Internet of Things (IoT) - The new IoT application provides a detailed view of all endpoint devices connected to AOS Switches. OmniVista monitors network packets to identify, track, and categorize these devices, and presents detailed information for the devices on the application’s Inventory Screen. When a client/endpoint is connected to an AOS Switch, the switch sends messages to OmniVista in real-time. This information includes the device MAC address, DHCP fingerprint, User-Agent, TCP signatures, network behavior, and more. Once the device is learned, OmniVista connects to a Cloud-Based Device Fingerprinting Service to categorize the device. The IoT application is supported on AOS 8.x Switches (AOS 8.6R1 and higher), and provides information on IPv4 endpoint devices.
- Provisioning - The new Template-Based Provisioning application provides a simplified method for deployment of AOS Switches that are not yet managed in OmniVista. The Provisioning application utilizes user-configured templates to automatically push Management User and Switch Configurations to AOS Switches. Using the application, you create Provisioning Rules containing Management User and Switch Configuration Templates for specific switches/switch models. When a switch contacts the OmniVista Server, the switch is matched to a Provisioning Rule containing the Management User and Switch Configuration Templates for that switch/switch model. The Configuration Templates are then automatically pushed to the switch. Once the configuration is complete, the switch is added to the Managed Devices List and is manageable by OmniVista. The Provisioning application is supported on switches running AOS 6.7.2.R03 GA and higher, and AOS 8.4.1.R03 GA and higher. Switches running a lower version than 6.7.2.R06 GA will be upgraded automatically if they are set up to be onboarded using this application.
Application Updates/Enhancements
The following section details updates and enhancements to existing OmniVista applications.
- MTS
- The MTS Administrator can now configure read-write permissions for a Tenant's local users while the Tenant is being managed from MTS.
- UPAM
- WiFi4EU is now available as an option when configuring a Guest Access Strategy. WiFi4EU is a European Union initiative that provides WiFi access on public sites in different municipalities. To use the WiFi4EU feature, the Redirect Strategy must use the WiFi4EU Captive Portal template.
- Rainbow Social Login is now supported for Guest Users in the UPAM application. The Rainbow Social Login configuration options are available as part of the UPAM Guest Access Strategy and Unified Access – Access Role Profile configuration.
UI Enhancements Across Applications
The following section details UI enhancements introduced in this release.
- IoT Tab Added to Dashboard - In addition to the Global and WLAN tabs on the OmniVista Dashboard, there is now an IoT tab. This tab provides the same functionality as the Global and WLAN tabs, but displays widgets that are specific to the new IoT application.
Network and Device Prerequisites
The following prerequisites must be verified/configured before using OmniVista Cirrus.
Customer Network Prerequisites
The following Network Deployment, Bandwidth, Proxy, Firewall, and NTP Server configurations must be verified/configured on your local network before using OmniVista Cirrus.
Network Deployment
The following sections detail DHCP Network and Static Network deployment prerequisites.
DHCP Deployment Requirements
Standard Requirements
- IP Address - DHCP Server IP address.
- Option 1 - Subnet Mask.
- Option 2 - Gateway.
- Option 6 - Domain Name Servers - Required for FQDN resolution of OmniVista Cirrus connection points.
- Option 28 - Broadcast Address. This option is only recommended, not required.
- Option 42 - NTP Server(s) - Required for Certificate validation (start date and duration), and all related encryption functions. This option is not required on devices running AOS 6.7.2 R04 / AOS 8.5R2 / AWOS 3.0.4.1036 or higher. It is however, recommended.
ALE Specific Requirements
- Option 43
- Sub-Option 1 - Vendor ID. Validate the DHCP response (must be set with the value alenterprise). This sub-option is only required if you specify any of the sub-options listed below, or any devices on your network are running AOS 6.7.2 R03.
The following Sub-Options are only required if you are using a Proxy to connect to the Internet.
- Sub-Option 129 - Proxy URL. It can be either an IP address or a URL (e.g., "IP-address=4.4.4.4", "URL=http://server.name").
- Sub-Option 130 - Proxy Port.
- Sub-Option 131 - Proxy User Name. If the customer proxy access requires authentication, both 131 and 132 can be supplied via these sub-options.
- Sub-Option 132 - Proxy Password.
- Sub-Option 133 - Network ID.
- Option 138 - Remove any existing configuration (required for all ALE Devices).
Static Deployment Requirements
The following switch configuration prerequisites must be met for a Static Network Deployment.
1. Execute the following CLI commands on each switch. The commands can be contained in a CLI Script and pushed to network switches. See the CLI Scripting online help for more information.
ip name-server <dns_ip>
ip domain-lookup
ntp server <ntp_ip>
ntp client enable
2. (If you are using a Proxy), modify the <running directory>/cloudagent.cfg file on each switch as follows:
- Activation Server URL: Enter the Activation Server FQDN.
- HTTP Proxy Server: Enter the Proxy IP address.
- HTTP Proxy Port: Enter the Proxy IP port.
- HTTP Proxy User Name: Enter the Proxy username.
- HTTP Proxy Password: Enter the Proxy password.
3. Enable the Cloud Agent on each switch with the following CLI Command:
cloud-agent admin-state enable
Bandwidth Requirements
Onboarding
For basic onboarding of devices and connection to the OmniVista Cirrus Server, a minimum of 10 kbps end-to-end network throughput is required between the device and OmniVista Cirrus.
Advanced Management
To enable statistics data transfer, status queries, configuration commands, and other requests/responses between devices and OmniVista Cirrus, a minimum of 64 kbps end-to-end network throughput is required between the device and OmniVista Cirrus. APs must be running the latest AWOS software version.
Proxy Requirements
If a device is accessing the Internet via an HTTP/HTTPs proxy, the proxy server must be specified in DHCP Option 43, Sub-option 129 (Server) and Sub-Option 130 (Port). The server may be specified in 1 of 2 formats: 1) “URL=http://server.domain”, or 2) “IP-address=8.8.8.8”. The port is specified as a number (8080).
Firewall Requirements
The following ports must be configured to allow outbound traffic from your local network:
- 443 - If you are not using a Proxy to connect to the Internet, your firewall must allow outbound access to this port; if you are using a Proxy, you need to be able to access this port via your local proxy.
- 80 - Relevant only if you are accessing UPAM Guest/BYOD Captive portal via insecure HTTP. If you are not using a Proxy to connect to the Internet, your firewall must allow outbound access to this port; if you are using a proxy, you need to be able to access this port via your local proxy.
- 123 - Relevant if you are using an NTP Server that is outside of your network. You must ensure that your firewall allows outbound access to port 123 udp. This access cannot be mediated by a proxy, it must be direct (NAT is allowed).
- 53 - Relevant if you are using a DNS Server that is outside of your network.You must ensure that your firewall allows outbound access to both port 53 tcp and port 53 udp. This access cannot be mediated by a proxy, it must be direct (NAT is allowed).
NTP Server Requirements
An NTP Server(s) is required for Certificate validation (start date and duration), and all related encryption functions. Devices must have access to at least one NTP Server, whether local or external. Note that if a device's System Time is not correct, it may take several attempts to synchronize with the NTP Server before the device connects to the OmniVista Cirrus Server.
Device Prerequisites
The minimum device software versions for onboarding and management are detailed below. The minimum onboarding versions are required for the device to connect the to the OmniVista Cirrus Server. The specified management software versions are required to support all of the management features available in OmniVista Cirrus 3.1.0.
Onboarding
For onboarding (call home and connection to the OmniVista Cirrus Server), devices must be running the following minimum software versions:
- AOS 6.7.2.R05
- AOS 8.5R2
- AWOS 3.0.5.xx.
Management
Devices must be running the software versions specified below to support all of the management features available in OmniVista Cirrus 3.1.0.
- Essential Switch (E) - OS6350/OS6450 - (6.7.2.R06), OS6465 (8.6R1), OS6560 (8.6R1)
- Core Switch (C) - OS6900 (8.5R4)
- Advanced Switch (A) - OS6860/OS6860E/OS6865 (8.6R1)
- Stellar AP (SA) - OAW-AP1101, OAW-1201, OAW-1201H, OAW-AP1221, OAW-AP1222, OAW-AP1231, OAW-AP1232, OAW-AP1251 (AWOS 3.0.5.xx GA/MR Releases and AWOS 3.0.6.xx GA/MR Releases)
A link to the latest software images is included in the Verification E-Mail you receive when you create your account. If necessary, click on the link and download the required AOS software. Release Notes, containing detailed upgrade instructions for each device type, are available on the ALE Business Portal.
Supported Devices
A full list of ALE supported devices/AOS releases can be found here.
Issues/Workarounds
Application Visibility
AV No Longer Supports OS6900 Switches (OVC-4434)
Summary: Application Visibility no longer supports OS6900 Switches. Any Application Visibility Policies or Policy Lists applied to these devices should be updated/deleted.
Workaround: NA - Informational.
Configuration Manager
Error Message When Backing Up Stack of 6x Switches (OVE-4211)
Summary: User is unable to backup a stack of AOS 6x Switches if the switches are heavily loaded because of SNMP Timeout.
Workaround: Edit the device to increase the SNMP Timeout to 10 seconds. Go the Managed Devices Screen (Network – Discovery – Managed Devices), select switch(es) click on Edit icon to go to the Edit Discovery Manager window and increase the SNMP Timeout to 10,000 msec.
Device Catalog
OV Managed Device Automatically Deleted and License Unassigned (OVC-4683)
Summary: A currently-managed device can be automatically deleted, its license unassigned, and the device moved to “Registered” if the IP address assignments of devices are changed.
For example, suppose there are two devices discovered and managed by OmniVista: Device1 with IP address "IP1", and Device2 with IP address "IP2". At some point, the IP Address assignment for these devices are changed as follows: Device1 IP address is changed from "IP1" to "IP2"; and Device2 IP address is changed from "IP2" to something else. This scenario could happen, for example, if the DHCP Server is restarted and does not attempt to give the same IP address as before to the DHCP clients.
If Device1 is then rediscovered (as part of periodic polling or by a manual user action), Device2 will be deleted from OmniVista when OmniVista discovers that Device1 now has the "IP2" IP address to avoid the situation where two devices have the same IP address in OmniVista.
Workaround: NA - Informational.
Upgrades Are Triggered Differently for 6x and 8x Switches (OVC-435)
Summary: The Activation Server checks the "current software version" from the switches to determine whether a switch should upgrade or not. Because of the different behaviors of 6x and 8x Switches, there may be some inconsistencies about when a switch will be triggered to upgrade.
- AOS 8x switches send current software version of the current running directory.
- AOS 6x switches send current software version of WORKING directory when in sync.
Example AOS 6x:
Assume switch comes up in the Certified Directory.
Assume /flash/working has the same image version as "desired software version" set in Device Catalog, whereas /flash/certified has a lower version. Since AOS 6x sends current software version of /flash/working, upgrade will NOT be triggered on the switch.
Example AOS 8x:
Assume switch comes up in the Certified Directory.
Assume /flash/cloud has the same image version as "desired software version" set in Device Catalog, whereas /flash/certified has a lower version. Since AOS 8x sends current software version of current running directory which is /flash/certified. there will be an upgrade. The switch will download the desired software version to /flash/cloud and reboots from /flash/cloud.
Workaround: NA - Informational.
Inventory
Upgrade Workflow Should Be Changed When Device Is Loaded From Certified Directory (OVC-435)
Summary: When an AOS 6.x Switch with "Set to Software Version" set to "Latest Version" contacts the OmniVista Server, the server checks the Working Directory to see if it is running the latest AOS software. If the Working Directory contains the latest software version, an upgrade will not be triggered, even if the Certified Directory is running on an older software version. To upgrade the Certified Directory to the latest software, reboot the switch from the Working Directory.
Workaround: NA - Informational.
IoT
APs Are Displayed as IOT Devices in IoT Inventory (OVE-5542)
Summary: Stellar APs connected to AOS switches are displayed as IOT endstation devices in IoT inventory List.
Workaround: To prevent an AP from being displayed in the Inventory List, you must disable IoT profiling on the switch port connected to the AP using the following CLI command: device-profile port slot/port admin-state disable.
IoT Inventory Does Not Work if sFlow is Enabled on Switch (OVE-5544)
Summary: Devices are not displayed in the Inventory List if sFlow is enabled on a switch.
Workaround: The problem is fixed in AOS 8.6R2. Upgrade switch to AOS 8.6R2.
Device Start Time Is Incorrect in IoT Inventory List (OVE-5658)
Summary: If a device is moved to a different port on a switch, the Start Time displayed in the Inventory List will reflect the first time the device was connected to the switch.
Workaround: The problem is fixed in AOS 8.6R2. Upgrade switch to AOS 8.6R2.
IoT Inventory List Displays Active/Online Endpoints as Offline (OVC-6788)
Summary: The IoT Inventory List displays multiple Active/Online endpoints as offline for devices connected to switches running AOS 8.6R1.
Workaround: The problem is fixed in AOS 8.6R2. Upgrade switch to AOS 8.6R2.
Provisioning
Cannot Onboard a Switch Running AOS 6.7.2.R05 (OVC-6879)
Summary: You cannot successfully onboard a 6.x switch in the Provisioning application that is running a AOS 6.7.2.R05.
Workaround: For 6.x Switches, Provisioning is only supported on AOS 6.7.2.R06 and higher. Upgrade the 6.x Switch to a supported build.
SSID
MTS-Managed Tenant Local Users Cannot Use "View SSIDs on an AP Group" Feature (OVC-6321)
Summary: When managed by MTS, local Tenant Users cannot use the "View SSIDs on an AP Group" button to quickly view SSIDs by AP Group.
Workaround:Users who want to view SSIDs associated with a specific AP Group need to go to each SSID and view its AP Group association. Click on the AP Group Assignment and Schedule button at the top of the SSIDs screen to bring up the “AP Group Assignment and Schedule” Screen. Select an SSID from the SSID Service Name drop-down. The AP Group(s) associated with the SSID are displayed.
UPAM
HTTPs Traffic is Not redirected to Portal Page for an HSTS Website (OVC-1777)
Summary: The first time a user opens an HSTS website, they are redirected to the portal page, as expected. The second time a user opens an HSTS website, the redirection will not work. If the user clears browser cache and retries connecting to the HSTS website, it will work. The behavior depends on the browser used. Chrome is very strict, so the problem is always seen, Firefox is not as strict; the problem will still happen but not as frequently.
Workaround: There is no workaround at this time.
Delay in UPAM Interactions After Subscriber Gets a Paid Account (OVC-6806)
Summary: After a subscriber gets a paid account, UPAM related interactions will not work until free radius server is restarted (at 00:00 AM the subsequent day).
Workaround: There will be a delay in realizing any expected changes in UPAM function when any of the following occurs:
- Creation of a new tenant
- Activation of a different RADIUS Server Certificate
- Synchronization of RADIUS Attribute Dictionary at OmniVista with RADIUS Server
- Edit of NAS Client details.
After any of the above actions, expected UPAM changes will take effect after the following midnight (00:01 a.m. PST), as these require a restart of the OmniVista internal RADIUS Server. The OmniVista internal RADIUS Server is restarted periodically at midnight PST. All tenants sharing the same OmniVista VM will experience a brief period of interruption of UPAM RADIUS functionality during this periodic restart.
WLAN
ALE-BYOD Users and ALE-Corp Users Disassociated from SSIDs (OVE-6759)
Summary: ALE-BYOD users and ALE-Corp users are being frequently disassociated from their respective SSIDs. APs allow a maximum of 32 MAC OUIs/MAC addresses to be treated as friendly. If this number is exceeded, APs recognize neighbor APs as “rogue”, causing them to be disassociated from the SSID.
Workaround: When configuring a WIPs Policy, do not delete the default MAC OUIs (34:e7:0b and dc:08:56). These are for Stellar APs. In addition, configure no more than 32 Friendly MAC OUIs/MAC addresses.
Other
If You Remove a Master from a Virtual Chassis Slave Devices Lose Connectivity
Summary: If You Remove a Master from a Virtual Chassis (VC), Slave devices Lose Connectivity Due to stale certificates. Devices use a certificate to communicate with OmniVista Cirrus. This certificate is given to the devices by the OmniVista Cirrus on their first Activation attempt. In a VC, the Master chassis is issued a certificate for its Serial Number and this certificate is copied over to all the Slaves. If the owner of the certificate (Master) is removed permanently from the VC, the remaining chassis will form a VC and attempt activation using the certificate of the old Master, but will be unable to activate using this certificate. Customers should raise a ticket with ALE Customer Support to overcome this issue. After understanding the VC topology, ALE Customer Support might take a decision to remove the certificate from the VC and enable the remaining chassis in the VC to attempt Cloud Activation afresh.
Workaround: Raise a ticket with ALE Customer Support. After investigating the VC topology, ALE Customer Support may decide to remove the certificate from the VC and enable the remaining chassis in the VC to re-attempt activation.
Issues Fixed
Issues Fixed Since Release 3.0
- If Network ID Strict Mode Is Enabled Some Devices Will Be Unable to On-Board (OVC-4381)
- Cannot Notify Policy List with Accept All | Deny All Policy on AOS 6x Devices (OVC-6133)
- Unable to upload Captive Portal Certificate on UPAM (ALEISSUE-410)
- Unable to change “Account Validity Period” While Creating Guest Access Code with Service Level (ALEISSUE-459)
- APs were UP, however showed DOWN in OmniVista (ALEISSUE-383)
Issues Fixed Since Release 2.1.0
- External LDAP Server Requires Direct Connection (OVCLOUD-2832)
- BYOD Access Strategy "Go to initial URL" Option Does Not Work on AOS 6x Switches (OVC-421)
- No CLI Command to Configure Network ID in Statically Configured Cloud Agents (OVC-4569)
Issues Fixed Since Release 2.0
- Cannot Remove a BYOD/Guest Online Device From Device List on AOS 8x Switches (OVC-419)
- Cannot Find Audit Logs in OmniVista Cirrus (OVC-456)
- Error When Applying Access Role Profile with Policy List to 6x Device (OVC-459)
- Cannot Apply Policy List from RADIUS Attribute "Alcatel-Policy-List" in UPAM on AOS 6.x Switches (OVC-463)
- Captive Portal Page Is Not Kept After Upgrading From 1.0.2 (OVC-2467)
- AP Image Upgrade From 3.0.2 to 3.0.4 Requires 2 Reboots (OVC-2957)
- Device Status Color Does Not Change When a Trap is Sent From an AP (OVC-3220)
- Minimum OS Versions Required for Full OmniVista Cirrus Functionality (OVC-3468)
- OS6560 Device Loses VPN Connectivity and Remains in a DOWN State (OVC-3530)
- Guidance for Users with ALE Business Store Based OmniVista Cirrus Subscriptions That Are Pending Activation (OVC-3776)
- OS6560 Dumps ipcmmd pmds When Calling Home (OVC-3834)
Issues Fixed Since Release 1.0.2
- Hide Top N clients and Top N App Charts (OVC-1565)
- OS6560 Does Not Support Policy List on OS6560 Switch running AOS 8.4.1.R03 (OVCLOUD-1384)
- Status of All AOS Devices Changed from “OV Managed” to “Pre-Provisioning" in Device Catalog (OVC-145)
- Analytics Line Chart Does Not Display Date in X-Axis (OVC-461)
Issues Fixed Since Release 1.0.1
- Device Added to Data Lake Is Not Added to Device Catalog Even Though "Call Home" Was Successful (OVC-146)
- VC of 2 OS6900-X20 Disappeared from the List of Managed Devices (OVC-147)
Additional Documentation
Online help is available in OmniVista Cirrus and can be access by clicking on the Help Link (?) in the upper-right corner of any screen. You can also search through the online help on the OmniVista Cirrus Home Page. An overview of OV Cirrus as well as Getting Started Guides for Freemium and Paid Accounts is available here.