USP Network Authentication System®

Migration Guide

This document is protected by copyright under the applicable laws and international treaties. No part of this document may be reproduced in any form and distributed to third parties by any means without prior written authorization of United Security Providers AG.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESSED OR IMPLIED REPRESENTATIONS AND WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED TO THE EXTENT PERMISSIBLE UNDER THE APPLICABLE LAWS.


Table of Contents

1. NAS 15.0
1.1. Summary
1.2. Introduction of SNMP Access Profiles
1.3. Changes in REST API
1.4. Migration of SAB functionality to Java
1.5. MobileIron integration removed

Chapter 1. NAS 15.0

1.1. Summary

This migration guide provides a set of guidelines to migrate the USP Network Authentication System® from versions prior to 14.0 to the latest version 15.0.

In most cases, no action is required and all changes are applied automatically. However, the update might require some minor manual changes. Consult the migration guide carefully prior to the update and apply any required steps before or after the update.

When upgrading existing installations, please follow the recommended upgrade procedure outlined in ???.

If you are updating from a Network Authentication System® Appliance older than version 14.0, please consult also the migration guides for all intermediate versions, as this migration guide only outlines the changes between the new and the previous USP Network Authentication System® version.

1.2. Introduction of SNMP Access Profiles

Starting with this release, SNMP access profiles are used to store the credentials for accessing switches and routers via SNMP for network mapping, monitoring and enforcement (if SNMP MAC authentication is used). SNMP access profiles define the SNMP version to be used as well as the read/write community (for versions 1 and 2) or the username, passwords and encryption algorithms (for version 3). These profiles are managed at a dedicated location in the WebGUI. SNMP credentials therefore no longer have to be defined for each netdevice; an SNMP access profile must be chosen instead. Every netdevice that should be monitored via SNMP must be assigned an SNMP access profile. There are no default SNMP community/username/password settings in the global configuration anymore.

An SNMP access profile can be given a unique name; if omitted, an auto-generated name based on the stored data is created.

Due to the redesigned user interface for managing these profiles, new SNMPv3 authentication and encryption algorithm combinations are now supported, which increase security and compatibility in communicating with your netdevices.

During the USP NAS Appliance update, existing entries are migrated automatically, and SNMP access profiles are created as needed. This also applies to netdevices which used the globally configured credentials in the past.

CSV data imports make use of the new profiles as well: for each record in an import file, the system checks whether a profile matching the provided data exists; if so, it is assigned, otherwise a new profile is created. Existing import mechanisms therefore don't need to be adapted. Optionally, named SNMP access profiles can be specified directly in a new column of the import file. Please see the dedicated data import specification document for details.

If you use scheduled scripts to create netdevice entries in the database, some manual changes might be needed. Please refer to the newly added script template NetdeviceGenerater.jy for an example of how this can be done.

RADIUS subnet definitions make use of the new profiles too. This makes it possible to automatically inventory netdevices with SNMPv3 credentials configured.

1.3. Changes in REST API

In the netdevice REST API, the query filter parameter snmpVersion has been replaced by snmpAccessProfileId, which references the assigned SNMP access profile. The response now contains the fields snmpAccessProfileId, snmpAccessProfileName, snmpVersion (which can now be SNMPV1, SNMPV2C or SNMPV3), snmpAuthenticationAlgorithm and snmpEncryptionAlgorithm.

Therefore, a REST API response for netdevices, which previously looked like this:

{
    "id": 1055600,
    "device_name": "cisco250",
    "device_ip": "192.168.100.100",
    "device_class": "SWITCH",
    "errorcode": 0,
    "source": "WEBGUI",
    "inscope": 1,
    "updated": "2024-11-18T11:26:34.653+00:00",
    "created": "2024-11-18T11:24:53.841+00:00",
    "deleted": null,
    "location": "USP Lab",
    "snmpVersion": "V2C",
    "devicetype": "GenericQBridgeMibAdaptor",
    "description": "CBS250-8T-D 8-Port Gigabit Smart Switch"
},
{
    "id": 1056000,
    "device_name": "v3test",
    "device_ip": "1.2.3.4",
    "device_class": "SWITCH",
    "errorcode": null,
    "source": "WEBGUI",
    "inscope": 1,
    "updated": "2024-11-18T14:14:39.278+00:00",
    "created": "2024-11-18T14:14:39.278+00:00",
    "deleted": null,
    "location": null,
    "snmpVersion": "V3_PRIV_AES_SHA512",
    "devicetype": null,
    "description": null
}

will look like this in release 15.0:

{
    "id": 1086800,
    "device_name": "cisco250",
    "device_ip": "192.168.100.100",
    "device_class": "SWITCH",
    "errorcode": 0,
    "source": "WEBGUI",
    "inscope": 1,
    "updated": "2025-01-06T10:44:44.609+00:00",
    "created": "2025-01-06T07:24:01.525+00:00",
    "deleted": null,
    "location": "USP Lab",
    "devicetype": "GenericQBridgeMibAdaptor",
    "description": "CBS250-8T-D 8-Port Gigabit Smart Switch",
    "snmpAccessProfileId": "9b9f8e1e-2239-4599-8d36-94e5ffa3791e",
    "snmpAccessProfileName": "SNMPv2 default profile",
    "snmpVersion": "SNMPV2C",
    "snmpAuthenticationAlgorithm": null,
    "snmpEncryptionAlgorithm": null
},
{
    "id": 1089000,
    "device_name": "v3test",
    "device_ip": "1.2.3.4",
    "device_class": "SWITCH",
    "errorcode": 1,
    "source": "WEBGUI",
    "inscope": 1,
    "updated": "2025-01-06T10:46:04.034+00:00",
    "created": "2025-01-06T10:40:34.565+00:00",
    "deleted": null,
    "location": null,
    "devicetype": null,
    "description": null,
    "snmpAccessProfileId": "728500ae-e051-4ab2-a846-67b0f8acac63",
    "snmpAccessProfileName": "v3 Test Profile",
    "snmpVersion": "SNMPV3",
    "snmpAuthenticationAlgorithm": "SHA512",
    "snmpEncryptionAlgorithm": "AES128"
}
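
The following is an added example, not part of the original guide or of USP NAS: a client-side check that reads netdevice records in the 15.0 shape, tolerates the pre-15.0 snmpVersion style, and reports per SNMP access profile which devices still rely on community strings or on SNMPv3 without authentication or encryption. The function names and the trimmed sample records are assumptions made for this illustration.

```python
import json

# Constructed sample: the two 15.0 records shown above plus the pre-15.0
# form of the second one, trimmed to the fields this check reads.
SAMPLE = json.loads("""[
  {"device_name": "cisco250", "snmpAccessProfileId": "9b9f8e1e-2239-4599-8d36-94e5ffa3791e",
   "snmpAccessProfileName": "SNMPv2 default profile", "snmpVersion": "SNMPV2C",
   "snmpAuthenticationAlgorithm": null, "snmpEncryptionAlgorithm": null},
  {"device_name": "v3test", "snmpAccessProfileId": "728500ae-e051-4ab2-a846-67b0f8acac63",
   "snmpAccessProfileName": "v3 Test Profile", "snmpVersion": "SNMPV3",
   "snmpAuthenticationAlgorithm": "SHA512", "snmpEncryptionAlgorithm": "AES128"},
  {"device_name": "v3test", "snmpVersion": "V3_PRIV_AES_SHA512"}
]""")


def snmp_family(record):
    # Returns "V1", "V2C" or "V3" for both value styles, or None if unset.
    # Assumption: pre-15.0 values look like the two shown on this page
    # ("V2C", "V3_PRIV_AES_SHA512"): the version is the token before "_".
    value = (record.get("snmpVersion") or "").upper()
    value = value[4:] if value.startswith("SNMP") else value
    return value.split("_", 1)[0] or None


def audit(records):
    """Group 15.0 records by access profile and list each profile's weakness."""
    findings = {}
    for rec in records:
        if "snmpAccessProfileId" not in rec:
            continue  # pre-15.0 shape: no profile to report against
        family = snmp_family(rec)
        issues = []
        if family in ("V1", "V2C"):
            issues.append("community string sent in cleartext")
        elif family == "V3":
            if not rec.get("snmpAuthenticationAlgorithm"):
                issues.append("SNMPv3 without authentication")
            if not rec.get("snmpEncryptionAlgorithm"):
                issues.append("SNMPv3 without encryption")
        if issues:
            entry = findings.setdefault(
                rec["snmpAccessProfileName"], {"issues": issues, "devices": []})
            entry["devices"].append(rec["device_name"])
    return findings


if __name__ == "__main__":
    for profile, entry in audit(SAMPLE).items():
        print(profile, entry["issues"], entry["devices"])
```

Because credentials now live in the profile, each finding is fixed once in the profile rather than on every listed device.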

1.4. Migration of SAB functionality to Java

Some mail-related functionality of the SAB CLI API tool has been migrated into the Java code of the USP NAS core daemon. As a consequence, the following SAB functions can no longer be used in custom scripts to send emails:

sab monitoring:alerting:send_mail
sab tools:send_mail

1.4.1. Jython Script Mail Interface

Instead of using the SAB command-line tool, it is now possible to send mails from custom Jython scripts. The calls for this are:

mail.sendMail(String recipient, String subject, String body)
mail.sendMail(String recipient, String subject, String body, String attachmentFilePath)

It will send a mail using the mail server settings configured in the GUI.

1.5. MobileIron integration removed

We removed support for the MobileIron MDM solution, a company and product which was acquired by Ivanti and integrated into their "Ivanti Neurons for MDM" solution a few years ago. If by any chance you are still using MobileIron in connection with USP NAS to obtain endpoint inventory details, please contact USP product support, as it might be possible to re-implement this functionality using the scheduled script engine built into USP NAS.