Increased MyPSK entry to 5,000 to support larger MDU/Domitory environment.
Supports sub-option codes within DHCP Option 43, enabling EnGenius APs to identify the correct Access Controller (AC) in mixed environments with multiple AP and AC brands.
Support client traffic logs when SSID is set is set to NAT mode, providing more information for trouble shooting.
Supports Configuration Rollback function, allowing the device to automatically rollback to the last stable configuration if a misconfiguration causes a loss of Cloud connection.
Increase 802.11 RTS/CTS disable option to reduce signaling overhead and latency. This improves data transmission efficiency in environments with strong signals and minimal interference, such as those using directional antennas.
Resolved mDNS loop issue. When there are multiple AP in a network with multiple SSID and mDNS Forwarding enabled, power cycle one of the AP may causes network unstable.
Enhance the gateway detection mechanism in Bridge Mode to solve the problem that captive portal clients could not correctly redirect to gateway.
Solve the issue that LSP can still access when Local Web Pages was disabled.
Fix the problem that AP goes offline when the third octet of gateway (GW) subnet mask is less than 255 (e.g., GW IP 192.168.1.1, mask 255.255.254.0).
Fix the issue that TX Bytes and RX Bytes statistics in the disconnection log always show 0.
Fix AP cannot send 802.11v post-association packets properly when band steering is enabled.
Support EnGenius fast-handover algorithm 2.0
Remove dropbear chacha20-poly1305@openssh.com encryption due to security concern.
Fix the issue that clients may get disconnected after editing ACL rules.
Add country code for Japan.
Add support for SAMLv2 (Security Assertion Markup Language version 2) in Captive portal with Azure-AD.
Support HTTPS-Only for local device page.
Support WPA2-PSK[AES] + WPA-PSK[TKIP] encryption mode.
Speed up the LED turn-off time when the user disables the LED Light function.
Add support for SAMLv2 in Captive portal with Azure-AD
A captive portal is a web page that users must interact with to gain network access, often seen in public Wi-Fi networks. This update introduces support for SAMLv2 (Security Assertion Markup Language version 2), a prominent protocol used for exchanging authentication and authorization data between identity providers and service providers.
(a) What is SAMLv2?
SAMLv2 is an XML-based open standard for secure exchange of authentication and authorization data. It enables Single Sign-On (SSO), allowing users to authenticate once and gain access to multiple applications without re-entering credentials. In the context of Azure AD, SAMLv2 facilitates secure communication between Azure AD (the identity provider) and various services (service providers) users want to access.
(b) Implications of This Update
Enhanced Authentication: Users can now authenticate through Azure AD when accessing a network via a captive portal. This means that organizations leveraging Azure AD for identity management can extend its use to captive portals, ensuring a consistent and secure authentication process.
Single Sign-On (SSO): With SAMLv2, users benefit from SSO capabilities. They log in once with their Azure AD credentials and gain seamless access to multiple services and applications without the need to re-authenticate, improving user experience and productivity.
Increased Security: SAMLv2 enhances security by enabling strong authentication and reducing password fatigue. It ensures that authentication tokens are securely transmitted and managed, protecting user credentials from potential attacks.
(c) Practical Applications
Organizations can now implement SAMLv2-based captive portals, allowing users to connect to networks using their Azure AD credentials. This integration streamlines access management and bolsters security, making it especially beneficial for enterprises with a high reliance on Azure AD for identity services.
In summary, the support for SAMLv2 in Azure-AD captive portals facilitates a more secure, efficient, and user-friendly authentication process, aligning with modern enterprise needs for robust identity and access management.
Support HTTPS-Only for local device page
To address security concerns, we have introduced an HTTPS-only switch that allows users to control access to the Local Service Page (LSP). This feature is essential for enhancing the security of local device management by ensuring that all communications are encrypted.
(a) Importance of HTTPS for Security
HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP and is widely used to secure data transmission over the internet. When enabled, HTTPS ensures that all data exchanged between the user's browser and the local device page is encrypted. This encryption is crucial for several reasons:
Data Privacy: HTTPS uses TLS (Transport Layer Security) to encrypt the data, making it unreadable to any third party that might intercept the communication. This protects sensitive information such as login credentials and configuration settings from being exposed.
Data Integrity: Encryption also ensures that the data transferred has not been altered during transmission. It prevents tampering and ensures that the information received by the user is exactly what the server sent.
Authentication: HTTPS verifies the identity of the local device page, ensuring that users are connecting to the correct page and not a malicious site impersonating it. This helps prevent man-in-the-middle attacks where an attacker might intercept and alter communications between the user and the device.
User Trust: Users are more likely to trust and engage with local device pages that employ HTTPS, as indicated by the padlock icon in the browser's address bar. This visual assurance helps build confidence in the security of the connection.
(b) Implementation and Control
By introducing an HTTPS-only switch, we empower users to enforce this level of security. Users can easily enable this switch to ensure that all access to the Local Service Page is through HTTPS. This change mitigates risks associated with unencrypted HTTP connections, such as eavesdropping and data breaches.
In summary, the HTTPS-only feature significantly enhances the security of local device pages by ensuring encrypted, authentic, and tamper-proof communication, thereby protecting user data and fostering trust.
Support wireless client MAC-based WMM.
Support application DSCP tagging.
Enhance Traffic Log to support additional NAT information to syslog server.
Support Radsec to provide TLS encryption for Radius connection initiated from AP.
Enhance MyPSK Radius requests for external Radius server to contain both RoamingIQ attribute and mac authentication attribute.
Support additional dolphin action to run Radius server existence test.
Support group of multiple AD configuration for single SSID.
Use dolphin subscribe actions for all channel utilization scan in diag tools.
Support malware URL Blocking.
Support website filtering.
Support hotspot2.0 and openRoaming.
Support client-balancing 2.0
Fix mesh topology that may sometimes display failed.
Enhance Multicast to Unicast function for legacy clients.
Support wireless client MAC-based WMM
(a) Wi-Fi Multimedia (WMM) Overview:
Wi-Fi Multimedia (WMM) is a QoS (Quality of Service) standard that is an integral part of modern Wi-Fi technology, based on the IEEE 802.11e standard. WMM is essential in environments where different types of data compete for bandwidth because it ensures that time-sensitive applications like voice and video conferencing perform well even in congested network conditions. This protocol prioritizes traffic according to four access categories:
Voice: Highest priority, dedicated to voice-over-IP (VoIP) services.
Video: High priority, allocated for streaming video.
Best Effort: Standard priority for general data traffic such as web browsing.
Background: Lowest priority, intended for data that is not time-sensitive, like backups or bulk data transfers.
(b) What Does "MAC-Based WMM Support" Mean?
The feature "Support wireless client mac-based WMM" refers to the capability of the wireless access point (AP) to apply WMM rules based on the MAC address of each connecting client device. A MAC address is a unique identifier assigned to network interfaces for communications on the physical network segment. Implementing MAC-based WMM allows network administrators to assign different data priorities to devices according to their MAC addresses. This functionality is particularly useful in diverse operational environments where devices have varying bandwidth and latency requirements.
(c) Practical Applications of Mac-Based WMM
Here are several scenarios where mac-based WMM can significantly enhance network management and performance:
Tailored Experience: Enterprises can customize network performance based on the roles or departments within the organization. For example, devices belonging to the executive team or those used in critical operations might be assigned higher data priorities.
Enhanced Security: By controlling which devices have priority access, administrators can better manage network security protocols and reduce the risk of unauthorized data access.
Optimized Network Utilization: Mac-based WMM enables the network to adapt dynamically to changing conditions and user demands, prioritizing critical applications automatically.
Improved Scalability: As more devices join the network, administrators can manage traffic effectively without manual reconfiguration, ensuring consistent performance across all connected devices.
Support application DSCP tagging
(a) What is DSCP?
DSCP stands for Differentiated Services Code Point. It is a field in the IP header used to enable Quality of Service (QoS) on networks. DSCP replaces the older system of IP precedence with a more flexible and granular approach to traffic classification and prioritization. The DSCP field consists of six bits, allowing for 64 different traffic classes that can be defined and used to manage packet forwarding policies.
DSCP plays a crucial role in network traffic management by providing a mechanism for marking packets to receive different levels of service based on their assigned class. This capability is essential for managing congestion and ensuring that high-priority traffic, such as real-time voice or video, receives the necessary bandwidth and minimal latency.
(b) How Does DSCP Work?
When a packet is sent from a source, the DSCP value is set in its IP header, indicating the level of priority it should receive across the network. Network routers and switches read this DSCP value and make decisions about the packet's forwarding priority and queue placement. By doing so, networks can differentiate between various types of traffic, prioritizing them according to organizational policies and network requirements.
(c) Benefits of DSCP Tagging
Improved Network Performance: By prioritizing critical applications, DSCP helps in managing network resources efficiently, thus enhancing overall performance. Traffic like VoIP and video conferencing can operate smoothly even under heavy network load.
Enhanced Quality of Service: DSCP enables more granular control over packet forwarding decisions, allowing network administrators to fine-tune QoS policies. This leads to better service quality, especially for latency-sensitive applications.
Scalability: DSCP scales well with the size of the network, providing a consistent approach to QoS even as the network grows and traffic volume increases.
Flexibility: The ability to define multiple levels of service makes DSCP highly flexible. Organizations can customize their traffic management strategies to align with specific business needs.
(d) Applications of DSCP Tagging in Enterprise Networks
Voice and Video Prioritization: DSCP is extensively used to ensure that voice and video traffic is given priority over other types of data, reducing delays and improving communication quality.
Data Center Traffic Management: In data centers, DSCP can help manage the flow of traffic between servers, storage systems, and external networks, optimizing response times and service delivery.
Remote Work Solutions: With the rise of remote work, DSCP can play a pivotal role in prioritizing VPN traffic to ensure that business-critical applications have the bandwidth they need.
Support hotspot2.0 and openRoaming
(a) What is Hotspot 2.0?
Hotspot 2.0, also known as Wi-Fi Certified Passpoint, is a standard created by the Wi-Fi Alliance to streamline and secure the process of connecting to Wi-Fi hotspots. It allows mobile devices to automatically discover and connect to Wi-Fi networks without user intervention, using a seamless, secure authentication process based on the credentials issued by the service provider, much like cellular networks.
(b) Key Features of Hotspot 2.0
Seamless Connectivity: Hotspot 2.0 enables devices to automatically connect to Wi-Fi networks with robust security protocols, without requiring users to manually search for and select networks.
Enhanced Security: It supports advanced security protocols, such as WPA2-Enterprise and WPA3-Enterprise, providing end-to-end encryption and preventing unauthorized access.
Simplified User Experience: By automating the discovery and connection process, Hotspot 2.0 eliminates the need for users to repeatedly enter login credentials.
Interoperability: Designed to work across different wireless service providers and geographies, facilitating easier roaming and connectivity.
(c) What is OpenRoaming?
OpenRoaming is a federation service that allows users to seamlessly roam between Wi-Fi and cellular networks, removing the need to manually connect to different Wi-Fi networks. It is a collaboration spearheaded by the Wireless Broadband Alliance (WBA) that brings together a consortium of companies aiming to create a globally interconnected network.
(d) Benefits of OpenRoaming
Effortless Network Transition: With OpenRoaming, devices can automatically switch between Wi-Fi and cellular networks without user interaction, depending on the best available network.
Universal Coverage: It aims to combine the benefits of both private and public Wi-Fi networks with cellular service, expanding network coverage dramatically.
Secure Connectivity: OpenRoaming ensures that security standards such as WPA3 are met, keeping the user's data protected during transmission across different networks.
Enhanced User Experience: Provides a smooth, uninterrupted service as users move between different network environments, ideal for travelling users and mobile professionals.
(e) Applications and Implications of Hotspot 2.0 and OpenRoaming
Travel and Hospitality: For travelers, Hotspot 2.0 and OpenRoaming can significantly enhance connectivity in airports, hotels, and public spaces, offering seamless access to high-quality Wi-Fi.
Urban Mobility: In smart cities, these technologies can facilitate uninterrupted internet access across different urban spaces, improving navigation, streaming, and communication services.
Enterprise Connectivity: Businesses can provide secure, seamless Wi-Fi access to employees and visitors, improving productivity and user satisfaction.
Telecommunications: For telecom operators, integrating Hotspot 2.0 and OpenRoaming can reduce the load on cellular networks and provide a better balance of traffic across networks.
The inclusion of "Support for Hotspot 2.0 and OpenRoaming" in our firmware underlines our commitment to enhancing connectivity and user experience. These features enable devices to leverage advanced network technologies to automatically connect to the best available network, securely and effortlessly. By adopting these standards, we are setting a new benchmark for seamless and secure mobile connectivity, catering to the needs of modern users who require reliable and effortless internet access wherever they go.
Fix the issue that AP sometimes goes offline even when the network is functioning normally.
Fix the device online status issue where certificates may sometimes disappear after device firmware update.
Fix AP sometimes getting offline upon device firmware updates, requiring a reboot to get AP online.
Fix AP offline issue caused by UTF-8 device name.
Resolve the issue of a full system reload occurring when adding/deleting MyPSK Users.
Add multi-language support for System Name in LSP--You can modify the name of your AP from the cloud page where multiple languages are supported. Any changes made will synchronize to the LSP page “Device Overview” -> “System Name” field
Update LSP web GUI style--We've revamped the LSP web GUI with a sleek and modern design, enhancing visual appeal without compromising any of the existing LSP functionality. Enjoy an updated interface that not only looks stylish but also aligns with contemporary design standards, providing a more visually pleasing and user-friendly experience.
Support shaping policies or block schemes on a per-application basis--Elevate network management with our SSID traffic throttling feature, now upgraded to customize bandwidth limits for specific applications such as YouTube, Apple iCloud, Facebook, Netflix, Apple App Store, and Line, etc. Facilitate enterprise clients to efficiently allocate limited bandwidth, ensuring optimal service delivery for a larger clientele.
If mDNS forwarding is enabled, BCMC suppression will not block mDNS packets.
mDNS (Multicast DNS) Overview:
mDNS, or Multicast DNS, is a protocol that allows devices on a local network to discover and connect to each other without the need for a centralized DNS (Domain Name System) server. It enables automatic assignment of domain names to devices, making it easier for users to access services on the network without manual configuration.
In practical terms, mDNS simplifies the process of identifying and connecting to devices such as printers, smart home devices, and other networked services within a local environment. Instead of relying on traditional DNS, which typically involves a central server, mDNS uses multicast packets to resolve domain names to IP addresses directly on the local network.
BCMC (Broadcast/Multicast Control) suppression Functionality:
On the other hand, BCMC, or Broadcast/Multicast Control, is a feature designed to manage and control the impact of broadcast and multicast traffic on a network. Broadcasting and multicasting can lead to increased network congestion and reduced efficiency, especially in large-scale deployments.
BCMC helps address these challenges by suppressing or controlling unnecessary broadcast and multicast traffic. By doing so, it ensures that the network operates more efficiently, reducing the risk of bandwidth saturation and enhancing overall performance.
Interplay between mDNS and BCMC:
In certain network scenarios, there may be a potential conflict between mDNS and BCMC functionalities. By allowing mDNS packets to pass through when mDNS forwarding is enabled, the network ensures that devices can continue to discover and communicate with each other seamlessly using the mDNS protocol. This synergy between mDNS and BCMC functionality aims to strike a balance between efficient network management and the need for smooth, decentralized device discovery and connectivity in local environments.
Client List supports more OS types - Meta VR devices, Honeywell IoT device…etc--Clients List feature now includes expanded compatibility with various operating systems such as Meta VR devices, Honeywell IoT devices, and more. To ensure ongoing accuracy and relevance, we regularly update our fingerprint identification system. This proactive approach allows us to seamlessly integrate newly released devices into the Cloud Clients List page, ensuring that you have precise and up-to-date information about connected clients.
SSID on LAN : support AD and LDAP captive portal authentication.
Fixed the issue for encountering failure when selecting specific country: Liechtenstein, Montenegro, or Angola.
Update openssl version (from 1.1.1n to 3.0.9) to support TLS1.2
Optimize captive portal re-authentication with backup cache.
Improve client balance background scan algorithm: optimize the algorithm flow by reducing unnecessary actions in client balance background scan algorithm to increase the efficiency.
Set BCMC suppression enabled by default. Enabling BCMC suppression may eliminate unnecessary broadcast and multicast packets from Ethernet to wireless interface and result in less wireless interference.
Set min. bitrate value as 12Mbps for each radio interface. Higher minimum bitrate value can help reduce the client connections with lower signal strength and result in faster roaming to other AP to avoid AP sticky connection issue.
Fixed traffic log for wrong format issue.
Fixed abnormal banned message displaying when message length is more than one line.
Don't force disabling accounting server in voucher service.
Fixed Wi-Fi crash issue in v1.x.60 FW which caused system reboot.
Adjust DHCP Discover-packet sending scheme when both L2 isolation and portal are enabled.
Update channel spec to v230404.
Revise L2-Isolation to allow broadcast and multicast traffics to go through.
Add a new function for channel candidate list.
Enhance Application Analysis to support per-client statistics.
Disable default open Management SSID.
Enhance DCS mechanism to support CSA (Channel Switching Announcement).
Fixed vulnerability issue (CVE-2022-38546).
Support SNMPv3 with multiple user accounts.
Support application blocking feature.
Support 802.11r in more security types:
(a) WPA3 Personal (SAE)
(b) WPA3-Personal/WPA2-PSK mixed
(c) WPA3 Enterprise with suite-b disabled
Support packet capture functions.
WPA3-Personal supports Dynamic Client VLAN Pooling.
WPA3-Enterprise supports external Radius with VLAN assignment.
Support DFS channel 144.
Update openssl to 1.1.1n
Support AD server with multi-group feature.
Optimize Wi-Fi reload time.
Support Wi-Fi Calling QoS.
Support 1000 myPSK rules per AP.
Support SSID-based IPSec VPN tunneling (StrongSWAN).
Support EnGenius auto VPN (mediator).
Support SMBv2/v3 for AD authentication.
Adjust EAP-Enterprise rekey interval to avoid wireless IOT issues.
Fix hostapd daemon dead issue.
Add protection for hostapd zombie symptom.
Fix VLAN by RADIUS issue.
Enhance IOT client association compatibility.
Support RADIUS CoA disconnect-client requests (802.1x)
Support SmartTV SSID
LSP page encloses language support for Japanese language.
Resolved Fragattack vulnerability issues.
Support EoGRE tunnel and DHCP option 82.
Support multiple domains of AD server.
Adjust DCS algorithm.
Recognize new iOS/MAC OS version.
Fixed captive portal for IPv6 issue.
Adjust log messages.
Fixed diag tool/Speed Test issue
Add configuration to accept RADIUS server's VLAN attribute or not.
Support wireless spectrum analysis.
Support DFS channel fallback scheme.
Support MAC-based authentication with RADIUS (OPEN).
WPA3-SAE and WAP3/WAP2 mixed mode support Dynamic Client VLAN Pooling.
Support DCS (Dynamic Channel Selection) by background scanning.
Enhance bcmc function that may block DHCP broadcast OFFER/ACK packets.
Support auto-channel with "Exclude DFS" config.
Support EnGenius cloud diagnostic mode.
Enclose fix for FragAttacks security issue.
Support system-reserved IP range pool.
Support RADIUS CoA disconnect-client requests.
Perform periodically scanning for 802.11k report without background scanning.
Support intelligent band-steering.
Support proxy ARP.
Support 802.1x/captive portal with Google Auth.
Support RADIUS WISPr traffic control and traffic quantity attributes.
Support RADIUS MAC-Auth in captive portal.
Support captive portal authentication by LDAP/AD server: single SSID, single server.
Update 2.4GHz HT20 auto-channel algorithm for using 1,6,11 channels.
Optimized wireless connectivity for 11AX models.
Fix target assert issue caused by iPhone11/iPhone12 for 802.11ax models.
Add log message for Wi-Fi reload event.
Add protection to prevent Wi-Fi interface could not be brought up.
Force client balancing disabled on ECW220/ECW230.
Support Facebook Wi-Fi.
Add client's TX/RX Byte information in disassociation event log.
Modify LSP Page about HTTP/HTTPS proxy setting.
Handle HTTP error code 504 upon check-in to cloud server.
Handle private MAC address detection with blocked info messages.
Adjust mesh related syslog contents.
Support RSTP.
Support background scanning ON/OFF option.
Update certificate for HTTPS access to LSP page.
Remove unnecessary WLAN event logs.
Handle larger max. client limit value from cloud server.
Fixed the issue that LED on/off would trigger network reload with specific configurations.
Support MAC address authentication with RADIUS server.
Support MyPSK with RADIUS server authentication.
Handle VLAN ID attribute from RADIUS authentication responses.
Support SSDP responder and adjust mDNS response content.
Band Steering feature encloses improvement for 802.11k/v and utilizes 802.11r fasting roaming technique to avoid re-authentication upon connection to different radio band.
Procedures of applying WLAN configuration has been optimized to shorten needed time for setting update.
Enhance Captive Portal secure login with HTTPS-based information exchange.
Support my-PSK with dynamic VLAN for WPA2-PSK authentication. (only available from EnGenius Cloud, not external radius)
Mesh AP node supports traffic shaping.
Support SNMP v2/v3 for local management with Get function.
Support multicast to unicast per radio.
Captive Portal feature supports client-leave-network timeout.
Support Client Balancing to steer the client to connect to best available AP.
Support dynamic VLAN (VLAN Pooling).
Support Broadcast/Multicast suppression.
Adjust channel candidates of Auto-channel selection (ACS).
Adjust power table limitation of Malaysia and Indonesia.
Apply auto-channel selection mechanism update
Apply regulatory domain update
Adjust DTIM from 2 to 3
Adjust amsdu parameter from 7 to 3 for Wi-Fi 6 models
Turn Uplink OFDMA on by default for Wi-Fi 6 models
Support Client Balancing
Support scheduling system reboot
Support L2-Isolation exception rules for VIP feature
Support radius NAS-id/port/addr attributes
Support software reset-to-default for mobile App
Captive portal supports redirurl parameter
Fixed the issue that AP may become unstable when some 2.4GHz-only WiFi clients try connecting to AP.
Fixed the issue that AP may hang up where the SSID profile included “hidden” and users downgrade firmware from v1.3.9 to v1.3.7
Resolve connectivity issue when SSID included space character.
Add log for blocking message clients.
Add log for the action of kicking clients.
N/A
Adjust client isolation behavior in NAT mode.
Support DNS settings per SSID.
Support wireless association banned message.
Support https redirect of captive portal.
N/A
Add an option to disable 802.11ax in 5G Radio
.
Support L2 (MAC Address) client Block List
per SSID.
Support advanced feature called Traffic Log
to send more wireless client information to dedicated syslog server.
Improve auto-channel algorithm to avoid multiple AP choosing the same channel in certain situation.
Support advanced feature called presence reporting
which makes the AP continuously gathering 802.11 probe request frames sent by wireless clients and then sending the data to specific 3rd party server.
Improve the efficiency of applying traffic shaping rules.
Support new Client Timeline
feature.
Adjust default DHCP lease time of SSID in NAT mode to 5 minutes.
Fix the captive portal issue that triggered RADIUS accounting events before an user is authenticated.
Fix the issue that caused limited IP address allocation for a SSID running in NAT mode.
Fix the issue that caused long duration of captive portal splash page redirection.
Fix driver layer log mechanism to avoid unexpected wireless performance drop.
Improve the efficiency of SSID running in bridge mode.
TX Power tuning options now start from 1 to 10 dBm.
Adjust WMM/DSCP/802.1p mappings to follow conventions.
Support LED Blinking
function to trigger an AP to blink its LED for 10 seconds. This could help user to quickly identify the AP.
Fix the issue that caused system to get wrong 2.4G channel utilization data in some special cases.
Support WPA3.
Support Mesh Auto Pairing
.
Support the way to access LSP (local support page) with URL http://EnGenius.local and discover AP with Bonjour protocol.
Support the way to show system status with specific SSID name to ease the troubleshooting on device on-boarding.
NAT/Bridge mode now is configurable per SSID. They are supported only in Captive Portal in previous version.
Support the option to discard association requests from legacy 802.11a/b/g clients.
Enhance the efficiency to apply idle-timeout and session-timeout settings of Captive Portal.
Fix the issue that caused memory leak in a special case.
Improve the accuracy of device fingerprint.
Support default configurations of EnGenius Cloud Radius.
Fix captive portal IOT issues for certain wireless clients.
Fix the malfunction of EnGenius Radius authentication that caused by firmware upgrade.
Fix the issue that wireless LED did not blink normally in certain situation.
Fix the issue that the 2nd radius server doesn't work.
Fix the issue that DUT may fail to reload configurations during the system applying mesh.