USP Network Authentication System ® 16.1

Released 25 September 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R660/R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Features

• SNMP: Added the possibility to receive SNMPv3 traps from netdevices which have SNMPv3 credentials configured for scanning. (#235235)

Enhancements

• RADIUS: Added an option to enable auto-conversion from MAC to EAP identities when authenticating with a valid certificate and a related MAC identity already exists (#291457)

Bugfixes

• Modern GUI: Fixed a data refresh issue on the netdevice overview page which occurred when too many entries have been fetched. (#290791)

USP Network Authentication System ® 16.0

Released 17 September 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R660/R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Features

• Modern GUI: Added a restricted demo mode which allows to test the functionality of USP NAS without the need to provide a license. (#290510)
• Modern GUI: Added event log viewer including full-text search (#289904)
• Modern GUI: Added log file viewer (#213829)
• REST API: Added the possibility to import the inventory (endpoints, netdevices, ...) via REST API. See the online REST API documentation for details. (#291501)

Enhancements

• Core: Added support for enabling scanning of LAG interfaces (disabled by default). If enabled, these interface will be treated automatically as netport, except if their interface alias matches a customizable regular expression. (#290688)
• Core: Added support for monitoring of ring infrastructures / highly redundant networks by adding an option to mark endpoints as double attached nodes (DAN) in the inventory and to mark network ports on switches as HSR ports. In either a case, no event log 1101 "MAC found on multiple devices" will be emitted when a device is seen as active on two different ports. (#290552)
• Core: The switch scan now also detects the type of each interface. The type can be seen in the web GUI in the interface table on the netdevice details table, and is also included in the interface REST API response. (#291515)
• Core: The time needed to scan a netdevice is now recorded and can be seen in the netdevice details page in the modern GUI and in the netdevice REST API response. (#291485)
• Data import: When importing netdevice entries with SNMPv3 credentials using the CSV file importer, password(s) can now be omitted in the import file if a SNMP access profile matching the username is configured. (#290884)
• Logging: A new event message 1185 is emitted when an endpoint has been automatically added to the inventory when performing a valid EAP authentication. (#291479)
• Logging: Added a new informative event 1978 "Netdevice is assigned to multiple portgroups" when a user assigns a switch to more than one portgroups via the Web GUI (#291500)
• Logging: If an SNMP scan fails, the log event entry now contains more details about the SNMP version and credentials (username/community) used to perform the scan (#290964)
• Logging: When a new MAC address was found in the network, the event log message "New mac found" (1109) now also contains the location of the netdevice. (#291007)
• Modern GUI: Added DNS zone transfer settings to application config management page (#289916)
• Modern GUI: Added LDAP connection configuration page (#289917)
• Modern GUI: Added VLAN table to netdevice detail view, listing the VLANs configured on each switch (#290186)
• Modern GUI: Added a configuration setting to enable TLS 1.0/1.1 in the internal RADIUS server for backwards compatibility. (#290875)
• Modern GUI: Added commonly used pre-defined filter presets for connection events, endpoints and netdevices overview pages (#291360)
• Modern GUI: Added mechanism to detect when different users try to change settings on a specific page at the same time and prevent unintentional modifications (#290860)
• Modern GUI: Added monitoring and alarming page which allows to define forwarding destinations for each log event (#289919)
• Modern GUI: Added new tab for updating netport assignments on the netdevice detail page (#290202)
• Modern GUI: Added option to bulk-edit and bulk-delete netdevices (#289801)
• Modern GUI: Added option to configure OCSP settings of the internal RADIUS server. The OCSP configuration will now also allow to enable OCSP without overriding the certificate URL, so that different responders could be used based on the URL provided in the certificate. (#290876)
• Modern GUI: Added option to define asset types and asset classes on-the-fly when adding/editing endpoints (#291276)
• Modern GUI: Added option to export filtered table data to Excel/CSV based on the currently active filter, if available, or all data (#290740)
• Modern GUI: Added possibility to configure alarming thresholds for selected events (#290319)
• Modern GUI: Added possibility to create, restore and manage backups and schedule backup jobs (#289896)
• Modern GUI: Added possibility to test DNS zone transfer configuration (#124146)
• Modern GUI: Added remote system configuration page, which offers options to configure file servers, syslog server, mail server and SNMP trap receivers in one place. (#289897)
• Modern GUI: Added system and network settings configuration page (#289922)
• Modern GUI: Added user management page (#289923)
• Modern GUI: Added vendor code update settings to application config management page (#290514)
• Modern GUI: Ordered columns in Excel/CSV exports in a more sensible way (#290739)
• Modern GUI: RADIUS probe user settings can be configured on the application settings page (#290793)
• Modern GUI: Related log events can now be seen in a tab on endpoint and netdevice details pages (#290956)
• Monitoring: Added SSL/TLS support to mail server settings used for scheduled reports and alarming (#290667)
• RADIUS: Added configuration setting to enable checks against an expired CRL when using the internal RADIUS server. (#291478)
• RADIUS: Added option to send disconnect request to selected endpoints in order to trigger RADIUS re-authentication (#291032)
• RADIUS: Added support for configuring ECDH curves for the internal RADIUS server. The curves prime256v1, secp384r1, secp521r1 are now enabled by default and can be configured on the application configuration page. (#291439)
• RADIUS: When a RADIUS accounting request contains information about the current IP address of the endpoint (Attribute 8 Framed-IP-Address) the record in the database will be updated accordingly. Similarly, the VLAN ID will be updated if the RADIUS accounting request contains the related VLAN information (Attributes Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The event "Radius Accounting Endpoint updated" (1151) will contain this information if provided. (#290963)
• RADIUS: When auto-adding a new RADIUS netdevice to the inventory based on its subnet, the device name is set according to the NAS-Identifier RADIUS attribute, if provided in the authentication request packet, if it is a valid hostname, and a netdevice with this name not already exists. (#289791)
• REST API: Added new REST API properties for port group, access rule, access mode and many more and as well extended filter possibilities in endpoint, interface and netdevice APIs (#291205)
• REST API: Added possibility to block endpoints through the REST API, enabling better integration into third-party inventory and security systems (#290701)
• REST API: Added possibility to bulk-import endpoint details via REST API (#290470)
• REST API: Added possibility to bulk-import endpoint inventory via REST API (#290672)
• REST API: Added possibility to bulk-import netdevices via REST API (#290216)
• REST API: Added possibility to bulk-import netports via REST API (#290217)
• REST API: Added possibility to bulk-import portgroup assignments via REST API (#290218)
• REST API: Added possibility to temporarily register and authorize an endpoint through the REST API (#290716)
• REST API: Added status change timestamp to endpoint REST API response (#290872)
• REST API: Improved endpoint REST API performance (#291204)
• Traditional GUI: Netdevice scan fine-tuning options are now available on the application configuration page in the SNMP section. (#291470)
• Traditional GUI: The VLAN ID is now shown on access profile configuration pages (#289593)
• Traditional GUI: The global access control setting is now displayed in the policy widget in the dashboard (#289593)

Changes

• Backup: Backup/restore handling is now directly implemented in the USP NAS app and no longer requires dedicated support and scheduling in the operating system (#290671)
• Backup: Backups and scheduled reports are copied to configured remote servers using a Java-based SSH library instead of using programs from the underlying operating system. (#289868)
• Core: Added a dedicated updated field to interface table in order to keep an accurate timestamp of when the entry was last updated. In the past, the last scan time was used which is not always the correct value for this use case. (#291526)
• Core: On new installations, only switch interfaces of the standard "Ethernet CSMA/CD" type are scanned during a switch scan; other types can be enabled via configuration property nas.core.snmp.iftype.whitelist as needed. (#291515)
• Core: Removed leftover code and database fields related to obsolete endpoint VLAN settings and asset status (#289594)
• Core: Removed leftover database fields related to obsolete guest, default, MAC-bypass and VoIP VLAN configuration in access profiles, as well as guest VLAN setting in temporary endpoint register dialog. (#289593)
• Core: When setting up a new USP NAS instance, the DNS zone transfer configuration no longer contains any default zones to avoid unnecessary error events in the log. (#290133)
• Data import: Removed obsolete, broken feature "Assign import data source as tenant of the endpoint" (#291148)
• Licensing: Activating the internal RADIUS server no longer requires a license module. In the traditional GUI, the option to enable the internal RADIUS server has been moved to the "RADIUS / 802.1X" section of the application configuration page. (#291147)
• Licensing: License module checks have been cleaned up: Scheduled report and CSV export no longer need a dedicated license option, obsolete MobileIron, XML Webservice and NAS Basic modules have been removed. (#290072)
• Licensing: Removed license module check for VLAN management feature, it is now enabled by default (#291148)
• Licensing: Updated license count algorithm for endpoints (need to be registered and active within last 90 days) and enforce check for maximum licensed endpoints in the modern GUI. (#290733)
• Logging: Removed log event NO_TRAPS_FROM_DEVICE (1214) and related monitoring configuration. There are many cases where switches do not (regularly) receive traps, and this notification just unnecessarily fills the log files. (#291304)
• Modern GUI: Removed option to assign portgroups to netdevices directly in the netdevice overview (for UI performance reasons) (#291425)
• REST-API: BREAKING The naming in the data structure of the netdevices, interfaces and endpoints REST APIs has been standardized. All property names and filter parameters are now written in camel case instead of a mix of snake case and camel case. Also, some properties have been renamed to more sensible names. Please consult the migration guide and the online REST API documentation for more details. (#291205)
• Traditional GUI: "Last jobs" are no longer displayed on the system state page in the traditional GUI. Instead, a link is provided to see the last appliance related events in the new log viewer. (#290979)
• Traditional GUI: Removed manual DNS zone transfer button from legacy GUI dashboard (#289916)

Bugfixes

• Core: Fixed an issue where the netdevice status was set to OK (green indicator in the Web GUI) when it received an SNMP trap or RADIUS request, even though an SNMP scan issue exists at that time, and the error status should be visible with a red indicator in the Web GUI. (#291487)
• Core: Fixed an error log message which occurred when attempting to check a node whose netdevice no longer exists in the inventory (#291152)
• Core: Fixed an issue where VLAN names were not stored in the database during switch scan (#291076)
• Core: Fixed an issue where the error status "OID Scan error" was set instead of "no matching adapter" during switch scan when no matching adapter was found. (#291490)
• Core: Fixed an issue where the warning event 2030 "No layer 3 information found on device" was logged erroneously during ARP scan of a newly added router device. If a router adapter cannot be determined (due to connection issue or missing support), a error event 3009 "No matching adaptor found for device" will now be logged. (#291497)
• Core: The "last scan" time of a netdevice will now be updated even when a "missing netports" error is reported, as the actual scan was concluded successfully. (#291115)
• Core: When the USP NAS Core service is restarted during an active switch scan, the scan status flag of netdevices where a scan was in progress is now properly reset, in order to not indicate an incorrect scan status in the web GUI. (#291496)
• Data import: Auto-generated WLAN netdevice records are now replaced in case of a data import entry with the same IP address, analogous to RADIUS authentication devices. This fixes a regression introduced in USP NAS 15.3. (#291523)
• Logging: CAUTION The event and alert NO_NETPORT_DEFINED_ON_NETDEVICE (2090) is now only emitted the first time such an issue has been detected on a netdevice during switch scan, and not every time a device is scanned. The Web GUI and REST API offer appropriate filters to find out which devices currently are lacking a netport configuration. (#291486)
• Logging: The log event NO_SNMP_COMMUNICATION_WITH_DEVICE is no longer triggered for netdevices with status "Missing netports", as the SNMP communication was actually successful in this case. The severity level of this event has been changed from INFO to WARNING. (#291239)
• Modern GUI: Add missing event log handler for events triggered in the new GUI (e.g. user login/logout) so that the logs are correctly written to the database (#291182)
• Modern GUI: Fixed a display issue with long values in the first-time setup wizard summary view (#289854)
• Modern GUI: Fixed an issue where certain licensable features did not appear in the GUI when updating a license which contains this feature (#290722)
• Modern GUI: Fixed an issue where endpoints appeared again multiple times in the overview if multiple port groups were assigned. (#291441)
• Modern GUI: Quick filter on endpoint, connection events and netdevice overview pages does now search in all applicable records (#290320)
• RADIUS: A VLAN enforcement via RADIUS will no longer update the default VLAN set in the interface table in the USP NAS database as VLAN assignment via RADIUS are session-based and do not alter the configuration on the switch itself. (#291525)
• RADIUS: Added missing configuration setting to enable checks against the local CRL file when using the internal RADIUS server. (#291467)
• RADIUS: Fixed an issue which prevented endpoints authenticating with certificates from being auto-inventoried when a previously deleted related MAC based entry was still in the database. (#290728)
• RADIUS: Removed unnecessary check for configured netport on switch when performing RADIUS authentication (#291512)
• SAB: Improved system service status detection in the SAB API, which in some rare instances has led to false-positive alerts when checking the NAS Core service status check via SNMP (#291187)

USP Network Authentication System ® 15.4

Released 13 August 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R660/R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• RADIUS: Added log event RADIUS_NETDEVICE_ADDED (1935) which is triggered when a new netdevice from a RADIUS subnet is automatically added to the inventory (#291230)

Changes

• Logging: CAUTION Added missing vendor name and event exception to connection event message which is sent to syslog, email and SNMP trap receivers. The message contains two new fields exceptiontype and vendor, so existing log collection systems might need to be adapted. (#291246)
• Logging: Added an optional trace log file for USP NAS Core and changed the log level of certain log statements (e.g. task start/finish) to "trace" in order to reduce verbosity. This will significantly reduce the size of the debug log and make it easier to find relevant entries when debugging an issue. The trace log can be enabled by starting USP NAS core with the Java option -Dtrace.logging.enabled=true. The debug log events CONFIG_UPDATED (1009), START_CMDQUEUE_CHECK (1925) and CMDQUEUE_CHECK_COMPLETED (1926) have been removed. (#291232)
• REST-API: CAUTION Soft-deleted netdevices are no longer included in the netdevice REST API response. The related filter parameters deletedBefore and deletedAfter have been removed. The interface REST API response will also no longer contain records belonging to soft-deleted netdevices. (#290834)

Bugfixes

• Data import: When importing netdevices via CSV, the switch adapter is no longer reset. This prevents extended switch scans after each full import. (#291249)
• Legacy GUI: Fixed broken icon link to add an endpoint temporarily in the connection events table (#291227)
• Modern GUI: Fix downloading server certificate file as well as creating CSRs when using a certificate based on a elliptic curve private key. (#291287)
• RADIUS: Fix reading and writing elliptic curve-based private key files when updating the FreeRADIUS configuration during USP NAS Core startup. (#291287)
• RADIUS: Fixed an issue in RADIUS request processing where a connection abort event with error type "Object missing in context" was logged when the related netdevice was of class SWITCH and had no netports assigned. Now the proper error type "No netport defined" will be logged and shown in connection events. (#291231)
• RADIUS: Fixed an issue where no connection abort events were shown for EAP requests in case of a RADIUS secret mismatch (#291220)
• RADIUS: Fixed an logging issue in the RADIUS message authentication validator in case of a shared secret mismatch. It no longer fails silently without creating a connection abort event when it is the first time a client device gets connected to a specific interface. When the netdevice is unknown and not part of a configured RADIUS subnet or out of scope, a RADIUS_AUTHENTICATOR_OUT_OF_SCOPE log event is created instead. (#291172)
• REST-API: If a netdevice has been soft-deleted, its ID and the related interface index are no longer included in the results of the endpoint REST API query (#291203)
• Upgrade: Fixed an issue in properly assigning AES + SHA-2 SNMP access profiles during database migration when upgrading from USP NAS < 15.x (#291244)

USP Network Authentication System ® 15.3

Released 17 June 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• New GUI: The data import failure report download button is also shown for successful imports, in case some entries contain failures (#290858)
• Added duration value to CSV data import success event log message (#290878)
• Improved CSV data import error messages: Event CSV_IMPORT_NOT_VALID ("Too many erroneous entries, CSV import aborted") now contains the threshold value used, event CSV_IMPORT_NOT_PERFORMED ("Record count is too low compared to last import from same source") contains the current count, last count and validation threshold used, and the event message is no longer nested into a CSV_IMPORT_ERROR error. (#290858)

Changes

• Ensured that syslog messages sent by USP NAS applications have a trailing newline at the end, to ensure proper processing by certain syslog servers. The newline was removed in release 14.0 due to a replacement of the logging framework. If you are using USP NAS with a remote syslog server, we advise to validate the proper reception of log message sent by USP NAS. (#290890)
• If a WLAN AP/controller is being auto-added via RADIUS request subnet match, it will now get the device class WLAN instead of Generic RADIUS auth. device. This will ensure it is scanned in the correct way in case an SNMP access profile is defined. (#290840)
• When auto-adding via RADIUS request subnet match, no "fake" Generic Radius adapter is set anymore. The adapter will be set by the normal switch scan process, and the WebGUI will now show the correct status of the newly added netdevice. (#290068)

Bugfixes

• New GUI: Improved the performance of bulk-deleting large amounts of soft-deleted netdevices via the web GUI ("Deleted Netdevices" page) (#290985)
• Changed the id column of the endpoint details table to be an identity column instead of using global ids, in order to avoid conflicts and race conditions when dealing with large data imports. (#290955)
• Fixed a data migration issue during release upgrade which occurred when no RADIUS subnets were defined (#290906)
• Fixed an issue in the portgroup mapping CSV data importer where a mapping was unintentionally assigned to an single interface by interface index, when using a wildcard character as interface name (%) to assign the portgroup to the entire netdevice. (#291001)
• Fixed an issue where an EAP cache registered endpoint did not get removed, as intended, when an invalid certificate was supplied (#290841)
• Fixed an issue which caused some syslog server settings (protocol, format) to be reset to their default value during release upgrade (#290891)
• Fixed an issue which prevented the interface alias uplink matcher to work correctly with multiple devices. It is now also ensured that manually defined netports are never overwritten or removed by the uplink matcher. (#290954)
• Fixed an issue with scanning netdevices using SNMPv3 when multiple users with different credentials are configured (#291108)
• Fixed event log message RADIUS_SERVER_REJECT(1171) so that it does again contain proper information on why a certificate was rejected by the internal RADIUS server during authentication. (#241761)
• Fixed incorrect error count in data import. This could happed under certain circumstances when dealing with duplicate entries in the import file (#290878)
• Fixed the netdevice CSV data importer so that the default SNMP access profile is assigned to an entry if it requires SNMP but has empty community/username fields (#290877)

USP Network Authentication System ® 15.2

Released 6 May 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• New GUI: Improved UX of create/edit netdevice form: Fixed some validation issues, removed unnecessary confirmation dialogs, reordered and grouped inputs more logically and added explanation of the various properties. (#290838)
• New GUI: It is now possible to manually set the location of netdevices of type "Generic RADIUS authentication device". (#290838)
• Added new field status_changed in node table which contains the timestamp of the status change (active, inactive, disconnected, ...) of each network node entry. (#290438)
• Improved performance and lowered memory usage of REST API calls (endpoints, netdevices, interfaces) when dealing with large datasets (#290861)

Bugfixes

• New GUI: Fixed an issue where some entries were listed multiple times in certain circumstances on the endpoint overview page. (#290847)
• New GUI: On the connection event page, fixed broken EAP username filter, and ensured that when filtering for client name, both network and inventory-based FQDN are considered (#290837)
• New GUI: On the endpoint and netdevice overview pages, the source filter no longer includes sources of deleted entries. (#290862)
• New GUI: On the endpoint overview page, entries are again sorted by last event. (#290845)
• New GUI: Show case-insensitive netport auto-assignment on netdevice interface page (#290833)
• Fixed a regression which prevented a proper system configuration and network interface name migration, when upgrading directly from older USP NAS releases (<14.0) (#290859)
• Fixed an issue where a workspace change was created when restoring policy or full backups, due to an accidentally emptied profile rule table. Newly created backup files will no longer have this issue. (#290835)

USP Network Authentication System ® 15.1

Released 30 April 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• New GUI: Added link to regex online reference documentation on application settings page (#290737)
• New GUI: Extended the SNMP trap input form description on the application settings page to clarify that empty SNMP trap communities are allowed (in such a case, all traps will be accepted). (#290794)
• Avoid system reboot when restoring app backup; only reboot automatically when restoring full or system settings backup (#290690)
• Include access mode / access rule related to the netdevice in the endpoint REST API response (#290790)
• Include assigned portgroup names in netdevice REST API response (#290788)
• Paginate certificate list after 25 entries instead of 10 (traditional GUI) (#290756)
• RADIUS auth. devices are included in the 'number of switches' graph on the status page. A dedicated graph for the number of WLAN access points has been added as well. (#290797)
• Regex-based uplink-detection is now case-insensitive by default (#290737)

Bugfixes

• New GUI: Allow to set empty SNMP trap community string in application settings page (#290796)
• New GUI: Fixed a display issue on the dashboard with the HA authenticator name on smaller screens (#290782)
• New GUI: Fixed an issue where table filter presets could not be saved for LDAP-based users (#290738)
• New GUI: Fixed an issue with changing the scheduled script history retention setting in the configuration page (#290800)
• New GUI: Fixed display issues on the scheduled script overview page caused by invalid cron schedule expressions (#290777)
• New GUI: Fixed various table scroll issues on radius subnets, certificates, scheduled scripts overview and data import pages (#290780)
• New GUI: Shorten long location string, if needed, on netdevice overview page to avoid display issues (#290781)
• Added housekeeping mechanism to delete old SAB job logs (backup/restore/update) in order to not grow indefinitely (#290823)
• Exclude keep-alive requests (HA authenticator, probe user) from RADIUS statistics charts and counters (#290439)
• Fixed a data migration issue which may occur during upgrade to version 15.0 when CA certificates with non-unique aliases have been configured. Also, if multiple CA certificate entries have the same actual certificate data, their properties are now merged into one entry instead of keeping separate entries. (#290756)
• Fixed a dependency issue which prevented the tshark command line tool to work properly (#290792)
• Fixed an issue related to scheduled scripts with type "inventory importer" where the value for the changed-by field was written incorrectly in the resulting CSV file (#290795)
• Fixed an issue with processing RADIUS packets with segmented EAP message attributes (#290727)
• Fixed an issue with reading script contents in the script editor when different line endings were used (#290774)
• Improved Excel/CSV export memory consumption and set record limits to avoid Web GUI crashes when dealing with large tables (#290776)
• Improved memory usage of interface REST API query with large datasets (#290846)
• When setting up a new system, no alert should be generated for license change, as it's the first time a license is loaded (#290729)

USP Network Authentication System ® 15.0

Released 30 March 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Features

• New GUI: Add possibility to download data tables as Excel and CSV files in new GUI (#289554)
• New GUI: Basic configuration can be configured in the new GUI. (#253630)
• New GUI: Enhanced information about past data imports displayed in import status table (#289529)
• New GUI: RADIUS subnets can be defined in the new GUI. A portgroup and/or a SNMP access profile can be selected for each subnet. This enables setting SNMPv3 access credentials for auto-inventorying RADIUS authentication devices. (#256424)
• New GUI: SNMP access profiles can be configured in the new GUI and assigned to netdevices. (#289672)
• New GUI: Scheduled scripts can be added, edited and run in the new GUI. It is no longer required to edit script contents via command line. Script files which were stored in the file system are automatically migrated to the database. (#289637)

Enhancements

• New GUI: A new SNMP access profile can be defined on-the-fly when adding/editing a netdevice (#290322)
• New GUI: ARP table is now available on netdevice detail page if device class is router (#290177)
• New GUI: An "Operating figures" widget has been added to the dashboard (#289799)
• New GUI: CA certificates can be configured in the new GUI. Each CA certificate can be used for both peripheral systems and RADIUS at the same time. (#290389)
• New GUI: Display which portgroup a netdevice is assigned to on the netdevice overview and details page (#290373)
• New GUI: In router ARP table view, the MAC vendor is shown if available, as well as the asset type and class (if the related endpoint is registered) (#290176)
• New GUI: Server certificate can be changed in the new GUI (#290391)
• New GUI: Add option to reload NAS core directly after configuration value change (#290318)
• New GUI: Added maintenance page with options to restart USP NAS services or reboot the system (#286317)
• New GUI: Added possibility to update software image in new GUI, via maintenance page. (#289900)
• New GUI: Login with an LDAP-backed user is now possible via the modern GUI. (#289805)
• New GUI: The operating mode ("daemon mode") can be easily changed from the dashboard of the new GUI. A notification is shown in the sidebar if the mode is set to off. (#289662)
• Added an interface for scheduled jython scripts to send emails. See the related template for an example. (#290233)
• Added option to limit the number of scheduled script history log entries to keep (#290302)
• Added registered endpoint asset ID to Endpoint REST API response (#290630)
• Added scheduled script template for netdevice import, demonstrating how entries can be generated which use SNMPv2 or SNMPv3 credentials (#290197)
• Hardware vendor name is now included in connection event (#289793)
• Improved RADIUS connection chart in dashboard, showing more data points by default (#290437)
• Include assigned portgroup names in interface REST API response (#290249)
• Include netport flag in interface REST API response (#289792)
• On the page where netdevices can be added to a portgroup, show the netdevice location if available. (#290185)
• Scheduled script error message is visible in script history, in case script run failed (#290471)

Changes

• BREAKING: Removed MobileIron Fetch API functionality. We advise to use a custom scheduled script instead. (#290074)
• BREAKING: Sending emails using SAB CLI methods is no longer possible. Scheduled scripts might need to be adapted. See the migration guide for an alternative solution. (#290233)
• Added global SNMP access profiles which replace SNMP community/username/password settings for netdevices. SNMP credentials in existing netdevice entries will be migrated to the new access profiles. Credentials provided in netdevice imports will be matched to existing access profiles. A new field is availble in netdevice imports to specify the desired SNMP access profile name. (#289672)
• Emails (scheduled reports) are being sent directly by the USP NAS application instead of using the operating system mail service (postfix). (#289866)
• In the netdevice REST API, the query filter parameter snmpVersion has been replaced by snmpAccessProfileId which references the assigned SNMP access profile. The response will now contain the fields snmpAccessProfileId, snmpAccessProfileName, snmpVersion, snmpAuthenticationAlgorithm, snmpEncryptionAlgorithm. (#290220)
• It is now possible to change the NAS Core daemon mode without requiring workspace activation (#290355)
• Remove various tools from the USP Appliance OS base image to reduce space: postfix, gdb, ethtool, hwinfo, dstat, wpa_supplicant (eapol_test), sysstat, tmux (#212698)
• Standardized SAB CLI API log file names to be similar to NAC application logs (debug.log, info.log, ...) (#290628)
• The menu entry "Core configuration" is now called "Application configuration" (#5688)
• Updated Angular UI framework to version 18 (#258137)
• Updated several third-party libraries to fix reported security vulnerabilities (CVE-2024-52317, CVE-2023-5072, CVE-2024-38821, CVE-2024-1597, CVE-2024-22243, CVE-2024-22259, CVE-2024-22262, CVE-2024-38809) (#290248)

Bugfixes

• New GUI: Allow RADIUS authentication netdevices to be assigned to a portgropup, instead of switches only (#290373)
• New GUI: Fixed an issue where filter criteria info is lost on page refresh (#289853)
• New GUI: Improved performance of endpoint view (last connection event time is now stored in endpoint node table) (#290372)
• Added 'Generic RADIUS Device' to the list of selectable switch adapters in netdevice filter (#289962)
• Correct network type is shown in connection event in case the netdevice is of type RADIUS authentication type (#290012)
• Fixed an error which occurred when processing a RADIUS request belonging to a soft-deleted auto-inventoried RADIUS authentication device. (#290597)
• Fixed an issue where a "Switch adaptor class loading failed (GenericRadiusAdaptor)" message was logged for generic RADIUS authentication devices (#289962)
• Fixed an issue where certain regular expressions for uplink detection could not be read correctly from the configuration when scanning netdevices (#290647)
• Fixed an issue where data sources of deleted inventoried endpoints were shown as an option in the table filter on the registered endpoints page (#290584)
• Fixed an issue which prevented Netdevices from correctly being written to CSV import files in scheduled scripts which are using the "netdevice" import type (#290147)
• Fixed an issue with properly updating the table ID sequence when restoring a backup. (#290662)
• Fixed event log message MAC_IN_MULTIPLE_VLANS being logged unnecessarily. (#290519)
• Fixed some issues in data import event log messages (prevent nested messages, always show simple filename without path) (#290610)
• Improved exception handling in connection event logger (#290649)
• In case no DNS servers for zone transfer are configured, don't show a warning (WARN_DNS_IMPORT_FAILED) in the log file. (#290406)
• In case of an invalid uplink regex configuration, log error and continue, instead of crashing the entire netdevice scanner task. (#290646)
• Profiler default datasets are only imported when really needed (license module enabled and table empty) (#289969)
• When configuring a network interface statically via console, set default gateway and DNS servers to static as well, if they have been previously configured to use DHCP. (#289789)
• Whitespace is now removed from interface alias when scanning switches and storing switch interface information into the database. This should prevent certain issues with uplink detection from port tags. (#290587)

Documentation

• Added USP NAS Quick Setup Guide (#290511)
• Added list of known compatible network equipment vendors and models to documentation (#289957)
• The USP NAS Migration guide, which describes how to handle potentially breaking changes during major upgrades, can now be accessed from the NAS WebGUI (#290171)

USP Network Authentication System ® 14.2

Released 11 March 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Bugfixes

• Fixed an issue where endpoints were not recognized on some Cisco Switches (VTP MIB) when using SNMPv3, because the VLAN context was not properly applied when scanning the bridge table. (#290629)

USP Network Authentication System ® 14.1

Released 17 February 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• Added filter by ifalias (contains string) for interface REST API (#290252)
• WebGUI default admin user password can be reset via console menu (#290174)

Changes

• Re-added id property in the interface REST API response (#290252)

Bugfixes

• BACKPORTED: When configuring a network interface statically via console, set default gateway and DNS servers to static as well, if they have been previously configured to use DHCP. (#290547)
• Added missing changed-by field in the endpoint REST API and legacy GUI endpoint details view (#290267)
• Corrected improper RADIUS accounting backend service default port (should be 1815 but was 1) (#290548)
• Ensure REST API cannot be accessed when the related user account is disabled, locked or expired (#290223)
• Ensure internal DHCP server is only enabled on Dell hardware, in order to provide a debug console interface. (#289785)
• First-time setup wizard will be marked as completed when setting up the NAS through the legacy GUI (#290183)
• Fixed a data type issue with the netdevice id filter in the interface REST API (#290252)
• Fixed a problem in the connection events view of the new GUI which occurs when records do not contain (EAP) authentication time data (e.g. after upgrade from older releases) (#290361)
• Fixed an issue related to database upgrade when updating from an older release, which caused the update to take much longer than intended. (#290363)
• Fixed an issue where the NAS Core RADIUS service was not started properly if the RADIUS accounting service was disabled (#290489)
• Fixed month number in RADIUS connection chart on new dashboard (#290245)
• Improved performance of endpoint REST API queries, especially in cases where lots of endpoint details are stored in the database (#290225)
• Removed obsolete GUI configuration settings related to LDAP, which could cause validation errors (#290219)
• Show warning in the GUI if the deprecated "VLAN assignment with default VLAN" is still set as access control mode (#290203)

USP Network Authentication System ® 14.0

Released 18 November 2024

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Features

• New GUI: A new first-time setup experience has been added, guiding the admin user through the first steps in setting up the USP NAS appliance system (#200314)
• New GUI: Added endpoint attributes management view with a unified approach to manage asset types, asset classes and tenants (#258281)
• New GUI: Added enhanced netdevice detail view, with associated endpoints, ports and related connection events sub-views. (#258277)
• New GUI: Added improved connection events page with customizable property filter, quick filter, auto-refresh and infinite scrolling. (#228553)
• New GUI: Added improved netdevice overview page with customizable property filter, quick filter, auto-refresh and infinite scrolling. (#258276)
• New GUI: Added inventory import page with detail view for each import type. (#243512)
• New GUI: Added possibility to delete endpoint register permanently or restore them from the "recycle bin" (#289386)
• New GUI: Added simplified modernized dashboard (#258284)
• New GUI: Added view listing all temporarily approved endpoints. Approvals can be revoked, renewed, or the endpoint could be permanently added directly from this view. (#258278)
• New GUI: Endpoint-certificate information is displayed in the USP NAS Web GUI endpoint details page, if available. (#241762)
• New GUI: Endpoints can be temporarily approved directly from the connection events view page (#258278)
• Added automatic detection of uplinks from the port-tags (ifalias) using regular expressions (see "Core Configuration" -> "Import" -> "Regular expression to match and assign uplinks automatically from ifalias") (#243519)
• Added status REST API (/status) which provides some basic runtime information about the USP NAS appliance system and application (#289773)
• Added system label setting, which can be used to indicate the purpose of each instance (e.g. Test, Prod, ...). A color can be chosen for the label as well. (#232945)
• FreeRADIUS stores endpoint client certificates in the USP NAS database (table endpoint_certificate) for further analysis and display in the Web GUI. (#249650)

Enhancements

• New GUI: A customer feedback button has been added (#258289)
• New GUI: Added license management page (#286316)
• New GUI: Current hostname and system label are shown in the new sidebar. (#251827)
• New GUI: Help and FAQ documentation are available directly via the help button in page header. (#112559)
• New GUI: Show warning in dashboard if USP NAS core is not running (#289864)
• A script template has been added which can be used for updating the CRL used by FreeRADIUS authentication (#241756)
• A specific log message is created when updating to a new NAS release. This can be forwarded to monitoring system, similar to other alerts. The new message has identifier 1022 and text 'USP Network Authentication System application version changed.'. The current and previous versions will be appended. (#253870)
• A system hardware summary has been added to the appliance system info page in NAS Web GUI. This information is also shown when logging in to the CLI via SSH. (#228730)
• Added a "changed-by" field for inventory. This can be set via endpoint import files, and it is automatically set by the Web GUI when a user makes changes to a registered endpoint entry. The value of this field is displayed on the endpoint details page in the new GUI. (#289407)
• Added list of open-source components used in building USP NAS to the documentation (#228732)
• Added navigation elements to switch between current and next-generation GUI (#258287)
• Added option to configure NAS Core Java heap space size. To set an upper limit of 4096 MB for example, execute the CLI command sab applications:config:set_configuration application=nas-core variable=max_mem value=4096m (requires restart of NAS Core service). (#213831)
• Added option to configure system DNS server via CLI console menu. (#289766)
• Added possibility to set all ports of as switch as portgroup by using a wildcard character '*' in the ifname column of PORTGROUP import files (#286171)
• Added rate limit filter for requests to the USP NAS WebGUI. The max number of requests allowed per minute can be configured on the Web GUI configuration page. The filter can be disabled by setting the configuration values to 0. (#256193)
• Documented usage patterns for EAP username matching in GUI (#290086)
• Extended CSV import with option for setting UTF8 charset; this can be configured on the core configuration page. (#289565)
• Extended remote syslog options. It is now possible to use TCP instead of UDP as transport protocol (UDP remains the default), and to use IETF (RFC5424) instead of BSD (RFC3164) message format (BSD remains the default). (#244484)
• Highlight in GUI if switch adapter does not support reading or moving VLANs (e.g. Generic Bridge MIB) (#290104)
• Improved validation of backup files when attempting to restore a backup. If opening a backup file fails, the error will display the reason (e.g. incompatible version, missing metadata, wrong decryption key, etc.) (#230919)
• Include additional graphs in "NAS application" and "operating system" status views. This includes graphs related to netdevices, RADIUS authentication as well as application and database performance. (#228590)
• Internal network range (default 172.17.0.0/16) used by the Docker service can now be changed via SAB CLI to avoid conflicts with existing networks. Execute sab docker help to see the available options for customizing docker on the appliance. (#228086)
• It is now possible to set the community string of the local SNMP server on the system settings page (this was previously only possible via CLI). The local SNMP server can be queried for system status data which can be used for monitoring of the health of the USP NAS system. (#245264)
• Log events are created for scheduled backups, indicating if the backup was successful or if an error happened. The log message 1601 "Automatic backup executed successfully." has been added and can be configured in the alarming settings. (#286309)
• Log events are created when performing an authenticator sync, indicating if the sync was successful or if an error happened. The log message 1600 "Authenticator sync executed successfully." has been added and can be configured in the alarming settings. (#272981)
• Log packet details in debug log if no response packet from RADIUS backend has been received (#289312)
• Scheduled scripts and config are now part of "application configuration" backup archive (#241757)
• Show MAC vendor in connected endpoints table on netdevice details page (#290120)
• System audit log events (e.g. SSH logins) are now forwarded to a remote syslog server (if configured) (#233044)
• System-LDAP login (nslcd) logs are now stored in a dedicated logfile /var/log/nslcd.log (#251576)
• The number of RADIUS authentication devices is shown on the dashboard, and the list of active switch adapters now also includes adapters in use by RADIUS authentication devices. (#289798)
• Threshold values are now included in hardware and OS alarm messages, along with the current value (#273020)
• Updated vendor database file. The dataset is now automatically updated with every release. (#240940)
• Web server version is now hidden in response headers and error pages. (#258323)
• When collecting endpoint details via X.509 attributes during EAP authentication, set their source to 'EAP' (#289872)

Changes

• BREAKING: API keys for REST-API users need to be generated again via the user management page in the USP NAS WebGUI, and any existing keys in client scripts need to be replaced with this new key. (#289261)
• BREAKING: Alerting messages sent via SNMP trap might now display a different agent address (source address) depending on the appliance network setup as the logic to determine the primary address has been improved; the primary IP address is based on the subnet which contains the default gateway. (#271028)
• BREAKING: Removed data fetch scripts functionality. Scheduled scripts should be used instead. (#271246)
• BREAKING: Removed legacy WSDL/SOAP-based inventory XML webservice; it is recommended to use the new REST API instead (#255450)
• BREAKING: The REST API responses have been extended and slightly changed: In the Endpoint API, the id field has been removed as it might be ambiguous, the netdevice_id and the ifindex are now a number instead of a string, a typo has been fixed in the defaultvlan field (from defaulvlan), the field inventoried has been added, and entries are now sorted by MAC address. A source query parameter has been added to filter endpoints by inventory source and a inventoried query parameter has been added do filter endpoints based on if they are in the inventory or not. In the Netdevice API, the fields snmpversion, devicetype (Switch adapter) and description have been added, the inscope value is now a number, and entries are now sorted by device name. In the Interface API, the id field has been removed, and entries are now sorted by netdevice_id, ifindex and ifname. (#289723)
• BREAKING: The application name used in syslog messages (BSD format) has been changed in order to comply with RFC 3164 (program[pid]: message text). This means that log messages begin now with uspnascore[PID]: instead of usp-nas-core and uspnaswebui[PID]: instead of usp-nas-webui (PID being an arbitrary number). (#244484)
• BREAKING: Updated log4j logging framework for NAS core and GUI to latest major version. This leads to the following changes in Syslog messages sent from NAS: The full hostname (FQDN) is now used as sender instead of the base hostname, and an unnecessary newline character has been removed from the end of log messages. Scheduled scripts using log4j (org.apache.log4j.Logger) need to be adapted (see the new Jython template for logging). (#258020)
• Adapted SAB CLI methods related to back up, restore and update to use a 'file' parameter (requiring an absolute path) instead of an 'url' parameter, and adapted interfaces and paths accordingly in other NAS components. (#233682)
• Add option for endpoint restrictions to USP NAS license (#289427)
• Adjust PDF/HTML documentation theme to match new USP corporate branding (#277927)
• Default vendor database remote update URL is now using HTTPS. It is highly recommended to set the URL to https://standards-oui.ieee.org/oui.txt on existing installations. (#240940)
• Disabled TRACE method on WebGUI application server to prevent unwanted information disclosure. (#258323)
• Firewall rules now follow a whitelist approach, any ports not in the list if allowed ports are blocked by default on new installations. To add an exception, use the SAB CLI, for example sab network:firewall:set_rule type=input protocol=udp port=11812 action=accept comment=Example (#212941)
• Generate secure random JWT secret on first GUI startup. This key is used to generate the access token when accessing the API. (#289261)
• Implemented new database migration mechanism which provides more flexibility and does not rely on NAS release versions number schema. (#213838)
• Legacy reports removed: Endpoints connected in a VLAN, Number of known, unknown and new unknown endpoints, MAC Tracker, Port activation diagram, Access control statistic, Authorization chart, System overview, Log report 802.1X authentications (#241946)
• Removed creating unused PostgreSQL standby database on new installations (#212838)
• Removed non-functional FreeRADIUS: 'Allow all' feature until a better solution is found (#289861)
• Removed obsolete GUI password expiration feature (#233331)
• Removed obsolete and unused housekeeping script related methods from SAB CLI tool as well as the /data/transfer/logrotate directory (#245295)
• Removed obsolete and unused local SNMPD script functionality from SAB CLI tool (#245663)
• Removed obsolete link speed and duplex mode from network configuration (#241951)
• The ability to define a VLAN for a specific device has been removed. The VLAN assignment is done exclusively via access profiles. (#289553)
• The access control "default VLAN" has been removed. This is not relevant for RADIUS authentication. (#289553)
• The display of the asset status of a device has been removed because it has no functional relevance. (#289553)
• The specific configuration for guest, default, MAC-bypass and VoIP access has been removed from the access profile. In the future, these will be assigned in a standardized manner using their own access profile. (#289553)
• Updated implementation of SNMP trap and email alert sending functionality by using Java-based libraries instead of shell scripts for better portability. (#271028)
• Updated openSSH to version 9.8_p1 to address CVE-2024-6387 (regreSSHion) (#289546)
• Updated to latest 5.10 Linux kernel version (#289374)

Bugfixes

• Added character-set detection for scheduled scripts when they are displayed in the GUI. This fixes an issue where some scripts appeared as empty when viewing their content. (#289653)
• Added missing FQDN of registered endpoints in connection-events log (#242678)
• Asset type and asset class information in endpoints REST API is now properly displayed (#289722)
• Corrected netdevice import field names in related syslog messages (added missing columns for deprecated fields) (#242677)
• Device scan of WLAN devices is only attempted when SNMP reads are enabled (previously they were scanned regardless of this setting) (#290103)
• Endpoints which are only in the inventory but have not yet been observed in the network are now included in the endpoint REST API response as well. (#289723)
• Ensure Web GUI SSL certificate is synchronized and activated during authenticator synchronization (#286767)
• Ensured a matching status bubble is always shown in the netdevice overview; added conditions for the case where communication with a switch with netports already defined fails or where an undefined state is detected. (#253113)
• Ensured that RADIUS accounting request are forwarded from an authenticator to the master system in transparent HA setups. (#256387)
• Error messages in GUI do no longer automatically vanish after a few seconds. (#249437)
• Fix an issue in vendor lookup for "invalid port config" log messages in case of the port configuration enforcement feature being enabled. (#289497)
• Fixed a NPE when logging into the GUI with a pending workspace activation but no workspace admin set in the database. (#289762)
• Fixed an issue where RADIUS authentication devices were not assigned automatically to a portgroup specified in the RADIUS subnet configuration. (#250576)
• Fixed an issue where a guilty endpoint was displayed based on a deprecated/old entry of another node which was connected on the same port (#286172)
• Fixed an issue where time used for EAP-authentication has been stored as negative value (milliseconds) (#289707)
• Fixed an issue which prevented some event logs being stored in the database after synchronization of authenticator instances (#289847)
• Fixed an issue which prevented some monitoring history entries being stored in the database after synchronization of authenticator instances (#289857)
• Fixed an issue which prevented updating endpoint inventory information in certain circumstances (e.g. when using '\' in a form field) (#289950)
• Fixed detection of ports on SFP module on Alcatel OS6900-T40 switches. (#289600)
• Fixed reset root password functionality in console menu (#289703)
• Fixed switch scan for Extreme (210 Series QBridge MIB) switches (#289641)
• Fixed typo in default value of database field nas.node.epc_action which was previously set to UNDEFINIED (#248819)
• Fixes a configuration loading issue which resulted in not processing RADIUS requests when enabling the internal FreeRADIUS server for the first time. (#289871)
• Identifier of proxy request extended with hash to avoid potential ambiguous identification of proxy response packets. (#289354)
• Improved error handling in scheduled script runner and fixed an issue in determining the proper script engine in certain circumstances. (#289951)
• Mark scheduled scripts which are marked as still running during (re)start of USP NAS core as failed, to prevent long-running stale script states in certain error conditions. (#286820)
• Regex for Netdevice import extended for maintenance mode and snmp v3 SHA 224, 256, 384, 512 authentications (#289247)
• Remove unnecessary calls to system API during RADIUS MAC authentication processing (#232924)
• Removed duplicate field 'EAP Identity' in 'Registered endpoints' table in GUI; added 'Authentication' field instead. (#289361)
• Removed obsolete 'isolated' access profile from dashboard and portgroup entries in policy manager (#289955)
• Reworked status bubbles in netdevice overview. Netdevices which are monitored ("in scope") but without SNMP scanning enabled (due to SNMP read setting disabled or maintenance mode enabled) are now shown with a blue indicator bubble. (#282274)

Documentation

• Added documentation about recently added features (#170743)
• Extended documentation about the various backup types (#289729)
• The REST API documentation has been extended to describe each action, its parameters and response values. The documentation can be accessed from the help menu of the new GUI. (#289723)

USP Network Authentication System ® 5.13.4

Released 9 March 2025

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650/R640/R630/R620/R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• QEMU/KVM
• Oracle VirtualBox

Changelog

Enhancements

• Enable configuring SNMPv3 with authNoPriv SHA256 authentication (#290226)

Bugfixes

• Add check for duplicates during netport import and remove them if necessary (#289655)
• Fixed a regression introduced in 5.13.2 affecting the scanning of Huawei netdevices when upgrading form a previous USP NAS version. (#289807)
• Fixed an issue in the Cisco VTP switch adapter which might lead to wrong MAC addresses being seen on specific interfaces in some situations (MAC address marked as static in 802.1d bridge table). (#290500)
• Fixed an issue in the adapter detection with Cisco VTP MIB compatible switches in certain circumstances (the Generic Bridge MIB Adapter was chosen instead of the Cisco VTP MIB Adapter) (#290528)
• Fixed an issue where duplicated portgroup interface mappings where shown in the GUI, and ensured that such mappings are stored in the database containing interface index AND name, if available. (#289721)
• Fixed an issue where endpoints were not recognized on some Cisco Switches (VTP MIB) when using SNMPv3, because the VLAN context was not properly applied when scanning the bridge table. (#289719)
• Fixed null-pointer exception during scan of onway devices (#289809)

USP Network Authentication System ® 5.13.3

Released 6 August 2024

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650
• Dell PowerEdge R640
• Dell PowerEdge R630
• Dell PowerEdge R620
• Dell PowerEdge R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• VirtualBox 6.x/7.x

Changelog

Enhancements

• BACKPORTED: Added possibility to set all ports of as switch as portgroup by using a wildcard character '*'

Bugfixes

• Fixed certificate key-length detection for non-RSA keys in WebGUI SSL certificate management view (#289533)
• Fixed issue with connected endpoints not properly recognized on some Alcatel switches (OmniSwitch 6855-U24X/6855-14) (#289580)
• Scan error on Cisco switches in the query of the cdp-MIB fixed (CiscoVtpMibAdaptor) (#289521)

USP Network Authentication System ® 5.13.2

Released 7 May 2024

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650
• Dell PowerEdge R640
• Dell PowerEdge R630
• Dell PowerEdge R620
• Dell PowerEdge R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• VirtualBox 6.x/7.x

Changelog

Enhancements

• Added QBridge-MIB switch adapter for Hirschmann devices (#289257)

Changes

• When using the RADIUS server module (FreeRADIUS), the server certificate sent to clients includes now the CA certificate chain, in case any matching CA certificates have been added via USP NAS GUI certificate management. This solves some issues with 802.1x authentication when using Android phones. (#284718)

Bugfixes

• Enable caching of local SNMPv3 engine ID to avoid performance-intensive re-creation on every request. (#286423)
• Fixed an issue with MAC address parsing (which resulted in 00-00-00-00-00-00 being reported) during port detection when scanning certain switches (e.g. Hirschmann) (#289257)
• Fixed detection/scanning issues in OnWay switch adapter (#255817)
• Fixed endpoint REST API query to not consider data which has been deleted in the inventory. (#289291)
• Fixed exception handling during switch scan in relation to dot1xPAE MIB, ensuring switch can does not abort in certain cases. (#285030)
• Fixed number of netdevices displayed on NAS WebGUI Policy Manager -> Portgroup page (#256388)
• Fixes applied in the switch-report. Netports are now displayed corretly and authorization state of invenorized endpoints have been fixed. (#282278)
• Removed ID from netdevice scope filter label used on netdevices page in NAS Web GUI (#270735)

USP Network Authentication System ® 5.13.1

Released 22 January 2024

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650
• Dell PowerEdge R640
• Dell PowerEdge R630
• Dell PowerEdge R620
• Dell PowerEdge R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• VirtualBox 6.x/7.x

Changelog

Features

• Added Maintenance mode for Netdevices. In this mode, SNMP queries are not executed, but RADIUS requests are still processed. The maintenance mode corresponds to an inscope value of "2" in netdevice import files. (#200191)
• Added initial default policy configuration for new installations. (#241970)
• Added log messages for scheduled scripts (start, success, failure) which can be configured for alarming (#255970)
• Added possibility to change maximum backup directory storage size for daily housekeeping process via CLI. Run 'sab housekeeping help' on the command line to see available actions and options. To change the size e.g. to 50 GB, run 'sab housekeeping:set_rule path=/data/transfer/backup max-size=50g' (#217126)
• Added possibility to define SNMPv2 community for RADIUS subnet (#217101)
• Added switch adaptor for Huawei S6730-H28Y4C and S8700-10 devices (#233755)
• Client IP address has been added to login/logout event log messages (#224446)
• Disk size used by backup files is shown on backup download page (#217126)
• Docker logs and status info are now part of the system dump (#218057)
• Enabled access log for USP NAS GUI web server (#218427)
• Extended REST-API with additional data: "endpoints" extended with array of endpointdetails, "netdevices" extended with SNMP-Version, Adaptor-info and description. (#238738)
• Extension for TimetraSwitchAdaptor to support "NOKIA SAS" Types (#225037)
• Overwrite source-field for imports with scheduled scripts using parameter "importSource" (#239240)
• Portgroup source is displayed in GUI (#213830)
• The MD5-hash check in the importer will also work with .md5 checksum files which contain only the checksum string (#212747)

Changes

• Added scheduled script config, port config and node profiling tables to database backup. (#220130)
• Caching-timout and max-request config values increased to avoid dropping requests in case of authentication peaks or duplicate requests (#252268)
• Color-highlight deleted endpoint in endpoint detail view (#228528)
• Don't show PolicyChange events for RADIUS authentication in Connection Events view anymore (#200312)
• Implemented new SNMP library which supports SNMPv3 with SHA-2 algorithms (#200297)
• Updated release notes document style and handling (#212882)

Bugfixes

• Add log rotation for FreeRADIUS log file to prevent it from growing indefinitely (#218424)
• Added debounce delay to search field in Endpoint details view page to reduce backend database overload when typing into that field (#218421)
• Added missing authentication time (duration) to connection event syslog messages (#229249)
• Added missing feedback when trying to save multiple temporary approvals of an endpoint (given "Allow to temporarily approve an endpoint more than once" is enabled) (#228740)
• Check of downtime fixed on Authenticator. If downtime is less than 3 hours an Authenticator will not be set to OFF-Mode, according to behaviour of Master. (#253866)
• Docker service will only be started when really needed (#229108)
• Ensured portgroup mapping source is stored properly when managing portgroup assignments in GUI (#229021)
• Ensured that cron job logs are again written to the correct log file (cron.log) (#226630)
• Exchange of certificates from an existing endpoint to another existing endpoint of type "EAP Identity WLAN" fixed (#253336)
• Exclude docker runtime files from system update savepoint, reducing the time and disk space needed during system update in case docker is being used. (#249499)
• Extended power supply hardware check to detect AC loss, and not only absence/malfunction of the power supply itself (#256389)
• Fixed XML webservice functionality which was broken in the 5.13.0 release (#253494)
• Fixed a misconfiguration in the system LDAP authentication related to a setting which caused LDAP requests every time the GUI executed a SAB system API query, potentially slowing down the GUI and creating lots of LDAP traffic. (#251734)
• Fixed a switch adapter detection issue in the Alcatel TiMetra switch adaptor (#228291)
• Fixed an issue where the VLAN ID was cut short in the Switch report in some cases (#223811)
• Fixed an issue where the system LDAP configuration was not correctly applied to the system after a change in the GUI or CLI (#226577)
• Fixed broken file download icons in GUI (#229400)
• Fixed detection/scanning issues in OnWay switch adapter (#255817)
• Fixed execution of daily file cleanup job (old backups files, reports, imports etc) (#215302)
• Fixed handling of proxy request from authenticator (#232439)
• Fixed issue with duplicated netports during inventory import by properly matching index and port names (#253872)
• Fixed outdated logrotate configuration which led to certain log files not being rotated on new installations of USP NAS 5.13.x (#254464)
• Fixed potential netdevice duplicates when importing RADIUSAUTH devices (#255360)
• Fixed retrieval of system alert messages in USP NAS core when running in authenticator mode (#256401)
• Fixed system memory diagram total size (#218091)
• Fixed vlan field size in log table to accommodate entries related to Alcatel Timetra netdevices (#253882)
• Fixed wrong file permissions of firewall rules script (#254460)
• HA menu items are only shown if appropriate license is active (#230937)
• If scheduled Jython scripts don't set the exitCode variable, a proper error is now logged, instead of leaving the script execution in an undefined state. (#255970)
• Improved SAB system API config writer to properly handle certain system LDAP authentication filter values (#252010)
• Improved performance of REST API queries (#230939)
• Increased fileserver public key text field size in GUI (#214748)
• LDAP login of GUI administrator user validates username now case-insensitive (#252018)
• Properly support for non-RSA SSH server keys when updating known host keys for remote backup fileservers. (#214680)
• Removed an unnecessary recurring warning in log files related to discontinued MPP server monitoring (#222442)
• Removed leftover firewall rules from legacy HA (#218084)
• Removed leftover monitoring configuration from legacy HA setup to avoid getting related errors in the logfiles. (#218080)
• Switch adapter list on dashboard does now also show RADIUS Authentication devices (#228595)
• The MD5-hash check in the importer does now accept hashes in uppercase letters as well (#212747)
• The identity type of the inventory (MAC/EAP-LAN/EAP-WLAN) is now displayed in the node details page. (#213258)
• The template for MAC-flooding cleanup script and csvToMail has been fixed with regards to sending reports by mail (using USP SAB CLI instead of jython mail function which no longer works) (#239562)

USP Network Authentication System ® 5.13.0

Released 31 July 2023

Platform Compatibility

This release is compatible with the following platforms:

• Dell PowerEdge R650
• Dell PowerEdge R640
• Dell PowerEdge R630
• Dell PowerEdge R620
• Dell PowerEdge R610
• VMware ESXi / Workstation
• Microsoft Hyper-V
• VirtualBox 6.x/7.x

Changelog

Features

• Added OnWay switch adapter (#153811)
• Added RADIUS EAP configuration switch called "Allow All", which, if enabled, forces the USP NAS to returns an ACCEPT response, even in the case of an invalid certificate. (#133165)
• Added additional log output to SAB logs related to process runtime, user and locking behaviour (#222586)
• Added possibility to specify completely custom RADIUS attribute values using HEX notation (e.g. 1b0600000005 defines the session timeout attribute (27) with value length 6 and value 5) (#204203)
• Added support for certificate-based authentication with RADIUS EAP for devices with certain old TPM chips based on version 1.2 and specification 1.16. Support for these devices can be enabled by running an older, compatible version of FreeRADIUS and OpenSSL in a docker container, instead of the regular FreeRADIUS system service. (#157531)
• Added support for the USP NAS appliance image to be deployed on AWS EC2 and Azure (#156257)
• Authenticator sync time can now be defined as cron schedule to allow more flexibility (#175893)
• Enable collection of x509 Attributes in Database (endpoint details) (#196084)
• Implemented a REST API which allows to fetch endpoint details in an automated and standardized manner (#133160)
• Source code revision information is displayed on system info page. (#170784)
• Updated Linux system kernel to 5.10 LTS version, with added support for Dell PowerEdge R650 (#150177)

Changes

• Accounting-STOP requests trigger a DISCONNECT event (#207920)
• Blocked Java JMX/RMI ports on local firewall for external access (only local access is allowed anyways, but Java still creates publicly open ports which can be confusing) (#212521)
• Console configuration menu now works with UTF-8 character encoding (#193674)
• EAP-inventorise algorithm has been changed: Avoid overwrite of MAC-Identities by EAP. The EAP-Identities are now classified in EAP-LAN and EAP-WLAN. (#200185)
• Ensure authenticator status commands don't have to wait for other commands to finish (#222586)
• Layer3 scan is now disabled on USP NAS Authenticator instances (#220091)
• RADIUS Auth Device which is auto-generated will be overwritten with Device from Inventory. If a netdevice of type SWITCH, SWITCH/ROUTER or RADIUSAUTH is imported from CSV import, it will overwrite an existing RADIUS Auth device. (#135586)
• Removed legacy HA functionality which has been superseded by master-authenticator architecture (#133180)
• Removed memtest86+ from appliance boot menu as it is not needed in virtual environments and our supported hardware brings its own diagnostics utility (#137346)
• Replace PostgreSQL temp tables with alternative solution for better stability and performance (#170214)
• Standardized, tested and documented scheduled script templates, and removed obsolete scripts (#124406)
• The default value for RADIUS accounting is set to ENABLED ALL for the netdevice import interface (#218085)
• Update base operating system packages (#171264)
• Updated third-party libraries to fix reported vulnerabilities and bugs (#133193)
• Updated vulnerable version of cron-utils 9.1.5 (CVE-2021-41269) (#128694)

Bugfixes

• Added missing support for Diffie-Hellman-Group14-SHA1 algorithm for SFTP connections (#124944)
• Automatic portgroup assignment for RADIUS auth devices fixed (#208182)
• Avoid setting a tunnel attribute with a negative value (#156582)
• Corrected PostgreSQL version check during appliance update (#137722)
• Deleted Netdevices no longer show up in the portgroup view (#149577)
• Dot1x port might not be detected correctly on Alcatel devices. (#153783)
• EAP username patterns are now included in backup (#220051)
• Ensure SSH server is running properly after hostname change (#195726)
• Error detecting connected devices in GenericQBridge Switch-Adaptor (#212155)
• Fix handling requests with Authenticator ip on Master (#200302)
• Fixed an issue where the system log was full of nslcd-related error messages on first boot (#156635)
• Fixed an issue with a delayed system configuration update (#183014)
• Fixed an issue with restoring system configuration when network routing settings are present. (#191665)
• Fixed database logging error concerning NULL characters in the log message (#193470)
• Fixed inconsistencies in endpoint status reports and updated documentation accordingly (#133195)
• Fixed incorrect VLAN on Alcatel 801 adaptor (add missing OID conversion for 801 switch type) (#137299)
• Fixed issues when adding and updating certain RADIUS attribute types in the GUI (#204203)
• Fixed log exception when validating RADIUS message authenticator attribute and username attribute is no valid MAC address (#212310)
• Fixed order of network interfaces in CLI and GUI (#171257)
• For EAP-Authentication the specific 802.1X vlan is applied instead of MAC-Auth vlan (#128127)
• Link down traps were not processed on RADIUS AUTH devices (#207920)
• Link to customer portal on help page now points to USP Connect. (#138802)
• Network interfaces on virtual machines are renamed properly to new format during appliance upgrade from older versions (<5.11). (#137353)
• Non-existing network interfaces are now properly cleaned up from system configuration (#217203)
• Persist portgroup source value when activating workspace. This fixes an issue where a portgroup full import does not properly delete removed entries. On existing installations, a manual cleanup of all portgroup-netdevice entries with source NULL might be required before a full import in order to have a clean portgroup dataset. (#109408)
• Prevent multiple authenticator sync processes to run at the same time on a USP NAS authenticator instances to prevent race conditions. (#222586)
• Properly show reboot screen after restoring backup file (#192182)
• Remove Warning for RADIUS Accounting with wrong device class (#154669)
• Removed a warning about using proprietary JKS keystore during first boot; a PKCS#12 keystore is now used by default (#137352)
• Removed invalid entries from profiler database (#193490)
• The validation for 'Remote vendor update file path' also accepts values starting with https:// (#216050)
• Trusted certificates are now properly stored in system SSL CA certificate store (used for LDAPS-based system login) (#205987)

Documentation

• Added topic regarding the cases in which an endpoint counts as connected (#133184)

USP Network Authentication System ® 5.12.0

Released 16. September 2022

Changelog

• Feature: Bulk-onboarding view available to inventorise endpoints in a bulk operation
• Feature: CSR generation/certificate renewal in Web-Management console
• Feature: Authentication time available in Connection-Events
• Feature: Option to send reject on MAC-Auth block decision available
• Feature: HyperV Gen2 support
• Feature: Global configuration of SNMPv3 as fallback
• Feature: HTML- and PDF-based documentation is available directly in the web GUI help page
• Feature: FAQ Based documentation
• Feature: CSV-Import for RADIUSAUTH devices available
• Feature: Added support for Aruba 25xx/19XX and HP 54XX switches
• Feature: Add portgroup edit button for Support User on switch page
• Feature: Extend Radius attributes with configurable parameters
• Bugfix: DNS zone is displayed in DNS-zone alert
• Bugfix: Radius Attributes now included in backup
• Bugfix: Radius Attribute length fixed
• Bugfix: Display of blockvlan in connection events fixed
• Bugfix: invalid hardware events on vm-environment removed
• Bugfix: Update syslog-ng configuration template to match installed software version
• Bugfix: FreeRADIUS Certificate formatting error with certain imported / migrated certificates fixed
• Bugfix: Layer3 information for ArubaCX devices is now available
• Bugfix: VendorSpecific Radius Attribute does now allow to set value of integer type
• Bugfix: Delayed compress of logfiles during daily rotation to avoid unnecessary alarm messages

USP Network Authentication System ® 5.11.0

Released 26. January 2022

Changelog

• Feature: Multiple LDAP configurations can run concurrently
• Feature: New configuration to avoid MAC-Authentication for MAC-Addresses in EAP-Identity
• Feature: Manage SSL server and trust certificates from one central screen
• Feature: Handle change of EngineID in snmpv3
• Feature: Improvement in logging and error handling
• Feature: Configuration sync for HA
• Feature: Performance improvement in EndpointImport Task
• Feature: Performance improvement in Radius Auth
• Feature: Removed hostname from full backup
• Feature: Test function for LDAP configuration
• Feature: Connect to unix system via LDAP login
• Feature: Add single switch to portgroup (also available for support role)
• Feature: Show content of active scheduled scripts
• Feature: Automatically update RADIUS flags on netdevice interface on RADIUS auth
• Feature: Manually reset RADIUS flags on netdevice
• Change: MAC Bypass for SNMP authenticated Ports removed
• Bugfix: Display error in Endpointdetails view for entries without macaddress has been fixed
• Bugfix: Duplication for import error log removed

USP Network Authentication System ® 5.10.0

Released 28. October 2021

Changelog

• Feature: Admin can force login if another admin is still logged in
• Feature: Scheduled Scripts management in WEBGUI
• Feature: Import files can be uploaded without MD5 file
• Feature: New useful links added in the Endpoint detail view
• Feature: Additional information in portconfig logs
• Feature: New 'EAP Username' column and search criteria in Endpoint detail view
• Feature: Network interface is editable even if there is only one interface
• Feature: Info in connection event when there is a RADIUS secret mismatch
• Feature: HA Partner key can be added even if there is no HA configuration available
• Feature: NO-VLAN option for accessprofile
• Feature: New VLAN MIB for vlan detection on ALCATEL switches has been added
• Bugfix: Performance issue in Endpointdetails fixed
• Bugfix: Special characters are now allowed in ssh password
• Bugfix: Special characters are now allowed in ssl certificate passphrase
• Bugfix: Healthcheck for RADIUS authenticator fixed
• Bugfix: Display error in the notifications detail view fixed
• Bugfix: Error on EAP cache update for empty mac address fixed
• Bugfix: Policy-Readonly role removes permissions from support role fixed
• Bugfix: Netdevices with LAYER3 type are excluded for RADIUS Authentication
• Bugfix: Portconfig check using ifname has been fixed

USP Network Authentication System ® 5.9.0

Released 15. June 2021

Changelog

• Feature: Policy definition based on EAP username pattern
• Feature: EAP Identity inventory Management in GUI
• Feature: ARP resolution for EAP authenticated endpoints
• Feature: Extended default configurations for GUI-filter
• Feature: Alcatel RADIUS port detection for MAC-AUTH added
• Feature: RADIUS log available in syslog
• Feature: Cron-based script scheduler
• Change: The format for syslog messages has been modified
• Change: MAC vendor list updated
• Bugfix: Decryption of RADIUS shared secret fixed for internal RADIUS server
• Bugfix: Decryption of password for LDAP bind fixed
• Bugfix: Default sort order changed in connection events from action colum to timestamp
• Bugfix: Rotation for system-log fixed
• Bugfix: Date selection fixed in log reports

USP Network Authentication System ® 5.8.0

Released 30. October 2020

Changelog

• Feature: New devicetype RADIUSAUTH available for RADIUS only authentications
• Feature: RADIUSAUTH-Netdevice may be auto-generated from defined ip-range
• Feature: Detail-view for LAYER3 device with ARP-table available in WEBGUI
• Feature: Detail-view for WLAN device with connected endpoints available in WEBGUI
• Feature: ALCATEL Adaptor extended with VLAN ids from mobile ports
• Feature: The database Logging/Statistics have been extended
• Feature: Audit-Log scripts are configurable in WEBGUI
• Change: Plaintext password fields replaced in WEBGUI
• Change: Cleanup of no-trap-received warning messages
• Change: Initial RADIUS config changed
• Bugfix: Scheduling of FULLBACKUP without log fixed
• Bugfix: Disconnected(INACTIVE) devices removed from Switch-Overview
• Bugfix: Reading of VLANs on ALCATEL mobile ports
• Bugfix: Performance issue on endpointdetails-table fixed
• Bugfix: Positive false log-message 3038 fixed (Exception in policy engine)

USP Network Authentication System ® 5.7.0

Released 31. May 2020

Changelog

• Feature: Connection-events available on syslog
• Feature: Additional full-backup type without log table
• Feature: Alcatel Adaptor extended for specific dot1x MIB
• Feature: Reject event added to connection-event view
• Feature: Switch-Adaptor reset function in WebGUI
• Feature: Inventory import interface extended for valid-until field
• Change: Network interface information removed from full-backup
• Change: Feasible check removed from nortel adaptors for every scan (performance improvement)
• Bugfix: Message 1111 removed for RADIUS ports
• Bugfix: Policy-Change events removed for RADIUS ports
• Bugfix: Snmp writes removed in authenticator mode (on periodic Policy-Recheck)
• Bugfix: Prevent sync on authenticator if master is in OFF-Mode
• Bugfix: Internal trap port fixed for alerting
• Bugfix: Syslog port fixed for application events
• Bugfix: Profil-Matching fixed with eapusername
• Bugfix: Filename for RADIUS log fixed

USP Network Authentication System ® 5.6.0

Released 15. January 2020

Changelog

• Feature: New Web-GUI user role policy-readonly
• Feature: Syslog port customizable
• Feature: Mail port customizable
• Feature: Ssh port customizable
• Change: Web-GUI role support extended with readonly view on portgroups and policy-manager
• Change: Potential shared secret mismatch added to INFO-log
• Bugfix: Labeling fixed in Radius Attribute page
• Bugfix: IEEE vendor link fixed for vendor code update
• Bugfix: Starting of open vm tools fixed

USP Network Authentication System ® 5.5.0

Released 15. October 2019

Changelog

• Feature: Flexible RADIUS attribute assignment
• Feature: Import interface for endpoint details (CSV)
• Feature: Import interface for dns/ip mapping (CSV)
• Feature: Netdevice import interface extended with L3-Mode (IPV6)
• Feature: Column separator configurable in import-files
• Bugfix: Adding DB user in SAB fixed
• Bugfix: Netdevice import fixed (missing L3 column)
• Bugfix: Radius subsystem failure on reboot

USP Network Authentication System ® 5.4.0

Released 18. July 2019

Changelog

• Feature: IPv6 support for endpoints
• Feature: Configurable authenticator health-ping period
• Feature: Alerting for frozen-xid
• Feature: SAR (Alcatel/Nokia) Layer3-Adapter extended to read vprn ARP tables (snmp v2c)
• Change: Regex for SAR (Alcatel/Nokia) extended
• Change: Menu-entry for corrupt ports view recovered
• Bugfix: Inconsistent Authenticator state fixed
• Bugfix: Frozen-xid overflow in db fixed

USP Network Authentication System ® 5.3.0

Released 13. February 2019

Changelog

• Feature: Enhanced connection-view (details on authentication-protocols and authentication-types)
• Feature: Optimized layout of connection-view
• Feature: Switchdescription displayed in switch detail page
• Feature: HP/Aruba 2930 Series Adaptor
• Feature: Syslog messages enhanced with additional detail attributes
• Change: RADIUS-Reject event view removed. Reject events moved to connection-event view
• Change: Fallback on source-ip for RADIUS-Packet added
• Bugfix: Deletion failure of vlan in GUI fixed
• Bugfix: incomplete inventory failure reports fixed
• Bugfix: IP-extracting error for snmpv2/3 traps fixed
• Bugfix: pattern matching for Alcatel adapter fixed
• Bugfix: Division by zero-log for empty import files (delta-import) fixed
• Bugfix: Handling of PERMISSIVE mode for RADIUS-Reject on Mac Authentication fixed

USP Network Authentication System ® 5.2.0

Released 30. Juli 2018

Changelog

• Feature: Authenticator Module
• Feature: ARP table queries optimized (by factor 4)
• Feature: Automatic access-decision cleanup on endpoint/netdevice deletion
• Feature: Support for SNMPv3 Traps
• Feature: Automatic zip of reports sent by email
• Change: Scheduled reports are send by email in zip-format
• Bugfix: Link for culprit endpoint fixed
• Bugfix: Ignore CDP information has no effect
• Bugfix: Portconfig import fixed (Case-insensitiv)
• Bugfix: Radius statistic counter fixed

USP Network Authentication System ® 5.1.2 (4.15.2)

Released 29. Januar 2018

Changelog

• Bugfix: Performance fix for common name based authentication (802.1x)
• Bugfix: Filter on report download fixed
• Bugfix: Filter for netdevice status fixed

USP Network Authentication System ® 5.1.1 (4.15.1)

Released 17. Januar 2018

Changelog

• Bugfix: HA init failure fixed (64bit only)

USP Network Authentication System ® 5.1.0 (4.15.0)

Released 24. November 2017

Changelog

• Feature: Common name based authentication (802.1x)
• Feature: Option to disable connection events for re-checks
• Feature: Radius Accounting support for switches
• Feature: Display portconfig in endpoint/switch status pages
• Feature: Port configuration enforcement
• Bugfix: EAP Message missing in RMA Access Accepts
• Bugfix: Null-pointer fixed in Alcatel adaptor
• Bugfix: Regex validation for profiling pattern fixed
• Bugfix: Error on empty pattern string in profiling fixed
• Bugfix: Ifname update fixed (incorrect ifname on switch replacement)
• Bugfix: Vlan field extended for serviceId (Alcatel SAR)

USP Network Authentication System ® 4.x-Series

4.14 - 30. July 2017

• Feature: Extended endpoint profile definition (device vendor, DNS name)
• Feature: Automatic system mode management after restart
• Feature: Radius Accounting support for switches
• Feature: Support for Radius polling
• Feature: Port configuration enforcement
• Feature: CSV import interface for port configuration
• Feature: CSV import interface for portgroups
• Change: Set default for new registered endpoints to "authorized" instead of "unauthorized"
• Change: Syslog used for alerting has been extended for using 3rd-party logging applications
• Bugfix: Reset knownhosts file on fileserver change or reset
• Bugfix: Customized db user missing in backup
• Bugfix: Nullpointer fix for H3C switch adaptor
• Bugfix: Fixed error on network setting save function
• Bugfix: Backup folder for fetch scripts fixed
• Bugfix: Missing menu-entries for reporting role fixed

4.13.2 - 19. December 2016

• Feature: Integrated Radius server which supports EAP-TLS and OCSP
• Feature: Generate additional info when CSV import has failed
• Feature: Save source/timestamp for endpoint arp updates (client ip address)
• Change: Limit HTTP verbs to GET and POST only
• Change: Disabled all SSL protocols lower than TLSv1.1
• Change: Enforce HTTPS for all resources
• Change: Set "secure" flag in every cookie
• Change: Set "httpOnly" flag in every cookie
• Bugfix: Avoid session fixation, every successful authentication now generates new session ID
• Bugfix: Fixed Endpoint report CSV output which now correctly shows only one line per endpoint
• Bugfix: Log of potential network port fixed
• Bugfix: Updated Apache commons library which was vulnerable
• Bugfix: Fixed RADIUS packet flush delay
• Bugfix: Fixed update timestamp for DISCONNECTED endpoints

4.13.0 - 29. July 2016

• Feature: Responsive GUI
• Feature: Endpoint Profiling
• Feature: USP NAS service monitoring over SNMP
• Feature: RMA (Radius Mac Authentication) support for Alcatel Omniswitch added
• Feature: RMA (Radius Mac Authentication) support for Avaya Switches added
• Feature: Support for VRF-tables on Avaya Routers added
• Bugfix: Avoid false low diskspace alerts
• Bugfix: Eliminate net port duplicates on import
• Bugfix: Improve GUI responsiveness after '3303' notifications
• Bugfix: For scheduled reports form add missing Submit button on IE11
• Bugfix: No access decisions are reported in PERMISSIVE mode
• Bugfix: Handle admin duplicate logon check case-insensitive

4.12.0 - 17. August 2015

• Feature: Performance improvement for connection event view
• Feature: Major overall performance improvements
• Feature: Radius MAC Authentication support added for Fortiwifi devices
• Bugfix: Import abort fixed in case of wrong number of columns or special characters in device description
• Bugfix: Index cleanup fixed for temporary database tables

4.11.0 - 22. April 2015

• Feature: Connection event view where all connects, disconnects and policy checks are listed and can be filtered
• Feature: Netdevice status info view where the current state of a netdevice is listed: all ports, all connected endpoints
• Feature: Global configuration added for enabling Radius MAC Authentication when the MAC address is present in the attribute 'User-Name' only
• Feature: Configuration of alternative record separator for the CSV import files
• Change: USP NAS installations without a valid license file will only display the basic setup menus
• Change: Due to some size limitations, we changed some views to be viewed on fullscreen. Minimal supported screen resolution is still 1024x768
• Bugfix: Avoid unique constraint errors after a restore
• Bugfix: Updated OpenSSL components to version 1.0.1l-r1
• Bugfix: HA shared IP now usable with different NIC identifier on each system (problem occurred on VM-HW high availability setups)

4.10.1 - 14. November 2014

• Feature: Inventory webservice for retrieving inventory information about switches and endpoints

4.10.0 - 29. October 2014

• Feature: CA certificate upload for trusted CA certificates which must be used for SSL/HTTPS connections to other systems like e.g. MobileIron or LDAPS
• Feature: 802.1X Disconnect Message for already connected wired devices. Used when the policy of an already connected endpoint changes
• Feature: 802.1X multi-auth (each individual endpoint on port has to authenticate itself) and multi-domain (VoIP phone and data endpoint have to authenticate individually. The multi-domain is only supported when the VoIP security feature in USP NAS is enabled too)
• Feature: Radius accounting service will always return an ACK message, even if USP NAS is not processing the request
• Feature: Log out of scope Radius requests as a warning
• Feature: Show warning in GUI when operating mode is in OFF state
• Bugfix: Don't enforce VLAN assignment on 802.1X ports when handling MAC notifications
• Bugfix: Radius MAC authentication logging now use the correct VLAN
• Bugfix: Don't reset active MAC bypasses during HA shutdown on the passive appliance
• Bugfix: Set correct VLAN after blocking a device with MAC bypass on 802.1X port
• Bugfix: Ignore Radius requests from devices without configured netports
• Bugfix: Asset types and classes can be edited from their overview pages
• Bugfix: Don't handle MAC Notification coming from 802.1X ports

4.9.2 - 18. June 2014

• Feature: ifAlias/ifDescription added
• Feature: List of rejected 802.1X devices added in menu "Support"
• Feature: Ignore MAC notifications from netports
• Feature: Ignore SNMP traps and MAC notifications from switches which don't have a configured netport yet
• Feature: HP A5000 series switch adapter now supports ports in access mode
• Feature: CSV inventory importer updated to be more fail-safe when there are empty fields in a row
• Feature: SNMP communication exceptions for router devices are now displayed on the status column (red bubble) on the netdevice overview
• Feature: VoIP endpoint detection updated to be more accurate
• Change: Info message UNHANDLED_RADIUS_ACCOUNTING_REQUEST changed to debug message because it was flooding the info log with no purpose
• Change: VLAN zones are no longer automatically enabled for MPP and WAP/FAP
• Change: Renamed 802.1X to 802.1X in reports
• Change: Don't alert the EPC non-compliant message in GUI
• Change: Ethernet interface naming changed due to a component update on the OS
• Bugfix: HP A5000 series switch adapter get correct VLAN trunk information
• Bugfix: Endpoints learnt from a Radius accounting device (without authorization) will now be disconnected correctly after 24 hours
• Bugfix: CSV netports import fixed when there is an empty ifIndex
• Bugfix: RMA with the access control block VLAN functions now properly
• Bugfix: Set node state correctly to disconnected on Radius Access-Reject
• Bugfix: Radius failover no longer produces faulty Access-Request packets which are producing errors on the backend Radius server
• Bugfix: Radius failover will be triggered more exactly after an Access-Request timeout
• Bugfix: Disconnects of WLAN endpoints are no longer producing side effects when a second WLAN endpoint was reusing the same virtual ifIndex
• Bugfix: Disconnects of WLAN endpoints are no longer producing side effects when a second WLAN endpoint was reusing the same virtual ifIndex
• Bugfix: Several reports fixed
• Bugfix: Don't set MAC bypasses when there is an ongoing Radius communication with a Radius backend which is currently not responding (timeout which triggers a failover)
• Bugfix: Remote vendor update task fixed
• Bugfix: Don't log potential netport when USP NAS is searching for the correct switch adapter
• Bugfix: Don't log DNS_ERRENOUS_RECORDS_DETECTED when the counter is 0 (zero)
• Bugfix: WAC/FAP no longer produces warnings about missing traps
• Bugfix: MobileIron compliant flag is now interpreted correctly
• Bugfix: OpenSSL component updated to version 1.0.1h due to heartbleed and other OpenSSL bugs. OpenSSL is used in internal tools only and not exposed to external interfaces.

4.9.1 - 4. February 2014

• Feature: Radius MAC authentication feature for wired access added
• Feature: Radius proxy, accounting and MAC authentication services can be started and stopped individually
• Feature: Registered and authorized flags now displayed in the node details view
• Bugfix: HP A5000 series switches are now fully supported for the feature VLAN assignment
• Bugfix: Automatic backup scheduler fixed
• Bugfix: Endpoint report and system overview report now correctly take count of the configured netports
• Bugfix: Added missing Mobile Iron states
• Bugfix: Scan all in netdevices overview will now take account of the desired filter

4.9.0 - 10. December 2013

• Feature: Radius MAC authentication feature for WLAN added
• Feature: WTP/LWAP zones for overriding VLAN IDs for different WTPs added
• Feature: Wireless Access Controller and Fat Access Points can now be grouped together in portgroups
• Bugfix: Corrupt port fix in access control mode Block-VLAN
• Bugfix: Performance optimizations for every GUI request
• Bugfix: Use referrer in LDAP requests to resolve complete subtrees when searching for users or roles
• Bugfix: Initial state of a Switch or Switch/Router netdevice is orange when adding it to the list
• Bugfix: A VLAN which is defined for an endpoint will new overwrite the guest, MAC bypass VLAN

4.8.2.1 (4.8.39.5) 18. July 2013

• Bugfix: DNS gracecount check is case-insensitive, add log message if an enforcement is done because of this feature
• Bugfix: Import file permissions fixed after HA start
• Bugfix: HA initialization for large systems
• Bugfix: Backup for very large systems (larger than 4GB)
• Bugfix: Optimized access to log table
• Bugfix: Adapter updates for 3Com 4400/OfficeConnect 9 (fix detection of adapter), 3Com NJ225/NJ226 (enable VLAN), H3C S5820X (fixed mapping)
• Bugfix: Make report parameter case-insensitive
• Bugfix: Optimize Radius Requests for 802.11 devices
• Bugfix: Optimize forecast if a lot of portgroups are used
• Bugfix: Optimize status view
• Bugfix: Access profile, VLAN definition is not dependent on global work mode
• Bugfix: Fix manual decisions in VoIP security mode
• Bugfix: Misc. GUI fixes
• Bugfix: Configuration added to enable/disable the automatic registration of 802.1X authenticated endpoints

4.8.2 (4.8.37/2.8.37) 6. April 2013

• Feature: Shared IP for HA cluster
• Feature: VoIP security feature now supports the VLAN assignment access control mode
• Feature: Upload a license file while a HA cluster is active will distribute the license file on both nodes
• Feature: Minor GUI and usability updates
• Bugfix: Radius proxy server sanity checks
• Bugfix: MobileIron data fetcher can now handle single device objects (before: only an array of devices)
• Bugfix: Radius accounting for wireless devices use virtual ifIndex
• Bugfix: Empty SNMP community allowed
• Bugfix: Import regex for network devices
• Bugfix: Health view
• Bugfix: Netdevice CSV import now handles WLAN devices correctly (according to import specification v2.16)
• Bugfix: Forecast speed improvements
• Bugfix: 802.1X improvements
• Bugfix: Endpoint details now show the correct access mode from the connection point

4.8.1.2 (4.8.25.4/2.8.25.4), 24. January 2013

• Feature: Show WLAN endpoints in support overview when they are not authorized
• Feature: Updated filter in support overview with the following filter criteria: Netdevice class, MAC bypass, enforcement type and ACL filter ID
• Feature: Two H3C switch adapter added (H3C Huawei and H3C HP)
• Feature: 3Com NJ2000 adapter added
• Feature: Daily vendor update task added which can get the vendors from a local file or directly from standards.ieee.org
• Feature: H3C MAC notification handling added
• Feature: Performance update for general MAC notification handling without SNMP lookup on the switch
• Feature: Fully implement RFC 2324
• Feature: Updated reports for endpoint devices with several filters
• Feature: Scheduled reports can be sent as email or copied on a scp/sftp server
• Bugfix: Back link if another administrator is already logged in, points now to the correct login page
• Bugfix: Forecast improvements
• Bugfix: Radius accounting response
• Bugfix: Cleanup temporary db data after file import is done
• Bugfix: Report CSV export
• Bugfix: Always convert role names from LDAP to lower case
• Bugfix: Fixed timestamp in autogenerated import file from data fetch script

4.8.0 (4.8.14.1/2.8.14.1), 29. October 2012

• Feature: Major performance update
• Feature: Generic data script fetching interface added
• Feature: Mobile Iron EPC information added in the endpoints details view
• Feature: WLAN ACL filter mapping added
• Feature: WLAN RADIUS accounting added
• Feature: Updated 802.1X enforcement with WLAN handling
• Feature: EPC information will always be imported and persisted in the database
• Feature: Add all ports of a switch if it's added to a portgroup
• Feature: Automatically detected asset types/asset classes and tenants can now be selected for usage in new views
• Feature: Portgroup assignments are now available in the forecast view
• Feature: Updated portgroup GUI
• Feature: New report 'Switch operation report'
• Feature: Minor updates for GUI look & feel
• Bugfix: Invalid license files are ignored
• Bugfix: Several bugfixes in reports

4.7.0 (4.7.2/2.7.48), 30. April 2012

• Feature: Additional endpoint details added. They can be imported with inventory import and displayed on the endpoint details page
• Feature: Mobile Iron EPC fetcher added
• Bugfix: Forecast improvements

4.6.47 (2.7.46), 11. April 2012

• Feature: Reports are role-dependent, remove obsolete Reports
• Feature: Helpdesk role users have now a tenant capability
• Feature: SNMPv3 encryption parameter DES/AES added
• Feature: More statistic data
• Feature: Scheduled reports added
• Feature: MobileIron inventory fetcher added
• Bugfix: Trap Forwarding was not working correctly
• Bugfix: Filter on client device overview was not showing
• Bugfix: DNS Import ignore records which are not rfc conform (hostname length)
• System update

4.6.27 (2.7.26), 4. January 2012

• Bugfix: Performance improvements for Forecast and support Overview pages
• Bugfix: Improved ScannerTask logging
• Bugfix: Security checks in the GUI for delete operations

4.6.24 (2.7.23), 06. December 2011

• Feature: New Switch Adapter for Nortel 4500 series and MICROSENS
• Bugfix: Fixed Vendor Report
• Bugfix: Editing a switch does not reset the access control variant
• Bugfix: CDP information is read correctly on all ports

4.6.22 (2.7.21), 30. November 2011

• Bugfix: After adding a router or switch, the NetDevice list disappears
• Bugfix: Repeated updating of a switch could cause this switch in the VLAN zone was no longer displayed

4.6.20 (2.7.19), 25. November 2011

• Feature: USP NAS Standard Edition shows a simplified Policy Manager
• Feature: Simplified configuration of the access controller (port shutdown, port block, Vlan Move)
• Feature: Filter on the Support overview and the NetDevice list can be a hidden
• Feature: Internationalized GUI (eng/ger)
• Feature: Vendor codes updated

4.6.4 (2.7.4), 3. October 2011

• Feature: Possibility to minimize the rule editor if you do not need tenants

4.6.3 (2.7.3), 14. September 2011

• Bugfix: An access profile can be deleted only if it is no longer referenced
• Bugfix: Check for invalid host name (HA)
• Feature: Multiple devices on a port are moved to a defined VLAN due the VLAN priority. Before the VLAN was randomly selected.

4.6.0 (2.7.0), 16. August 2011

• Feature: Policy Manager for simplified policy definitions. A distinction is made between WLAN, Port groups, tenants and global policies.
• Feature: New access-control and health editor for editing a simplified and consolidated overview of the rule
• Feature: Intuitive assignment of clients to network devices and port groups. Per port group can be given only one client. The assignment of switches to a port group is only possible if the network device has assigned the same port as the client group
• Feature: Menu simplifies and eliminates unnecessary menus. Thus, now is a more intuitive operation possible
• Feature: Optimized Appliance business logic
• Bugfix: Status Overview is loaded noticeably faster when HA is not active
• Bugfix: MAC bypass report shows only fields that contain relevant information

4.5.14.9 (2.6.14.8), 21. Juni 2011

• Bugfix: ARP Scans werden nun die ARP Tabelle und die IP-Net-to-Media Tabelle abrufen und die Resultate zusammenfassen

4.5.14.8 (2.6.14.7), 10. Juni 2011

• Bugfix: Backup und Restore der VLAN Zonen funktioniert nun
• Bugfix: MPP Decisions werden nun abgespeichert und die gesperrten Geräte werden in der Supportübersicht angezeigt
• Bugfix: MPP Profile von verschiedenen MPP's generieren keine Errors mehr beim Aufstarten von NAS
• Bugfix: Supportübersicht zeigt nun einen "Inventar aktual." Link an, falls ein Gerät schon inventarisiert ist

4.5.14.5 (2.6.14.4), 13. Mai 2011

• Feature: NAS Capacity Report.
• Bugfix: Zeige keine Endgeräte mehr in der Supportübersicht, die an potenziellen Netports gesehen werden.

4.5.14.2 (2.6.14.2), 03. Mai 2011

• Feature: Unterstützung von Cisco VoIP-Phones (Handling der CDP-Info).
• Feature: Implementation der Option "Security" beim Handling von VoIP-Geräten.
• Feature: Suchfunktion für Helpdesk von Inventarisierten Endgeräten.
• Bugfix: Korrektur Forecast bei nicht erfassten Netports

4.5.13 (2.6.13), 20. April 2011

• Feature: NAS Kennzahlen Report.
• Feature: Report-Kategorien überarbeitet.
• Feature: Default Source Filter kann konfiguriert werden.
• Feature: NetDevices können neu auch via IP-Adresse gesucht werden.
• Feature: Portgruppen Detailansicht und Netport Detailansicht konsolidiert.
• Bugfix: Layer 3 Scan Warnung wird auf der NAS Statusseite nicht mehr angezeigt und kann auch nicht mehr konfiguriert werden
• Bugfix: User können bei aktiven Lizenz-Modulen das Passwort wieder ändern.

4.5.12 (2.6.12), 25. February 2011

• Feature: HTML Links in der Core Status Seite.
• Feature: Netdevice-Filter erweitert.

4.5.10 (2.6.9), 14. February 2011

• Bugfix: Beim RESTRICTIVE Betriebsmodus und dem Shutdown Switch-Betriebsmodus wurde das manchmal auftretende Port-Flapping (Port geht auf-zu-auf-zu usw.) gefixt.
• Bugfix: Reports überarbeitet/optimiert.

4.5.9 (2.6.8), 2. February 2011

• Feature: DNS Name Enforcing kann nun global eingeschaltet werden. Angeschlossene Geräte müssen dabei im Netz den DNS Namen erhalten wie er im Inventar Import daherkommt, ansonsten werden sie gesperrt.
• Feature: Endgeräte Detail Ansicht erweitert und direkt anwählbar aus dem Menu
• Feature: Portgruppen, VLAN und MPP Zonen können umbenannt werden.
• Feature: Session Timeouts können pro Benutzerrolle einzeln definiert werden
• Bugfix: Verbesserungen beim Inventar Import - dieser wird bis zu 10x schneller durchgeführt.

4.5.7 (2.6.6), 12. January 2011

• Bugfix: Verbesserte SNMPv2 Fehlerbehandlung
• Bugfix: Diverse Verbesserungen für Switch-Adaptoren
• Bugfix: Aktualisierte SNMP Library
• Bugfix: Backup/Restore: Workspace Daten werden nun auch gesichert/restored

4.5.6 (2.6.5), 15. December 2010

• Feature: Gerätetyp und Geräteklasse für temporäre Geräte definierbar
• Feature: 802.1X Report
• Feature: Mac-Bypass Report
• Bugfix: MAC Notification Tasks werden nicht mehr verworfen wenn schon ein anderer MAC Notification Task am laufen ist
• Bugfix: Restore von ungültigen Backups verursachen keine falschen Fehlermeldungen mehr
• Bugfix: Verschiedene HA Verbesserungen
• Bugfix: Beim Löschen eines Switches werden die zugehörigen Netports nun ebenfalls gelöscht. Dies verhindert auch falsche Access Profil Verwendungen.
• Bugfix: EAP Status Informationen (802.1X) gehen bei einem Scan nicht mehr verloren

4.4.35 (2.5.32), 26. November 2010

• Feature: Zwei neue Zugangsarten hinzugefügt: produktiver Zugang (MAC Bypass) und produktiver Zugang (802.1X)
• Feature: SNMP v3 für Switches und Router über das GUI aktivierbar (nur Scan ohne Trap)
• Feature: 802.1X Widget erweitert, Anzahl unbekannte Response Meldungen werden angezeigt.
• Feature: VoIP-Port Blocking über Konfiguration aktivierbar
• Bugfix: Multiselektboxen werden beim Klick auf den Zurück-Button in einem Report mit den zuvor ausgewählten Werten selektiert

4.4.32 (2.5.29), 12. November 2010

• Bugfix: NAS Reports werden schneller generiert
• Bugfix: Passwortänderungen funktionieren wieder
• Bugfix: Diverse MPP Fixes (GUI Anzeige, GUI Aktionen, GUI Export, SSL Verbindung, Aktualisieren der Profile)
• Bugfix: MPP für Wired Node funktioniert

4.4.30 (2.5.27), 5. November 2010

• Feature: SSL Support für XML RPC Webservice (MPP Schnittstelle)
• Feature: Erweiterte Aktionen für MPP NetDevices im Webui (Profile ID's, Force Profile ID rescan)
• Bugfix: Alle Passwörter in den Properties Files werden verschlüsselt
• Bugfix: Endgeräte Report zeigt auch bei Geräten, die über das GUI erfasst wurden, die (Geräte)klasse an.

4.4.29 (2.5.26), 2. November 2010

• Bugfix: Datenbank Diskrepanzen zwischen einem aktualisierten NAS und einer Neuinstallation wurden behoben
• Bugfix: Input Validation für "zu überwachende Netzwerkinterfaces" wurde angepasst, ein Input ist nun benötigt. Ein leerer String war erlaubt, führte beim Speichern jedoch zu einem Fehler.
• Bugfix: DNS Hostnamen können nun bis 255 Zeichen lang sein (war vorher nur 80 Zeichen)
• Bugfix: Rücksprung bei Paging. Alle Übersichtsseiten speichern nun die aktuelle Sortierung und aktuelle Seite - wenn ein Eintrag bearbeitet wird erleichtert dies die Arbeit enorm.
• Bugfix: MPP Updates

4.4.27 (2.5.24), 19. October 2010

• Feature: Forecast Drill-Down für Regeln und Geräte
• Feature: Cisco Port Channels werden wie Netports behandelt. Alle MAC Adressen der Port Channels (und allen VLAN's) werden nicht mehr in den Reports angezeigt und berücksichtigt. Ein aktives Setzen des Port Channels als Netport ist nicht notwendig.
• Feature: Globale Konfiguration zum Ein- und Ausschalten von mehrmaligem temporären Freigaben in der Supportübersicht
• Feature: Modul Wireless überwachung (MPP)
• Bugfix: Report "Traps von Geräten ausserhalb des NAS Scope" zeigt wenn möglich nun die IP-Adresse und den Port des Traps an
• Bugfix: HP Switch Adapter entfernt einen Port nun automatisch aus der VLAN Egress Liste (tagged VLAN's) beim VLAN Setzen.
• Bugfix: MAC Bypass wird auch auf einem Port ohne konfiguriertes Voice VLAN und mit Control Direction All erstellt
• Bugfix: Log Meldung MAC_ON_MULTIPLE_DEVICES zeigt anstatt der NetdeviceId den Namen und IP Adresse des Netdevices an
• Bugfix: EPC Monitoring wird nur durchgeführt, wenn das Modul aktiviert wurde
• Bugfix: Monitoring optionen werden nur angezeigt, wenn das Modul aktiviert wurde

4.4.24 (2.5.21), 17. September 2010

• Feature: MAC Bypass bei Access Reject (kann über Core Config global ein oder ausgeschaltet werden. Default: aus).
• Bugfix: Problem mit automatischem Backup und uppercaseScheduler Namen fixed
• Bugfix: Probleme mit Closed Health Issues behoben (SOLL Wert==IST Wert im GUI)
• Bugfix: Full Import Size Check diverse Bugs
• Bugfix: VLAN Flipping beim Einstecken eines verbotenen Gerätes an einem Port, bei dem vorgängig ein Erlaubtes, registriertes Gerät angeschlossen war.
• Bugfix: Port Block oder VLAN Move wird nur durchgeführt, wenn Netports vorhanden sind, die keinen Deleted Timestamp haben resp. der Deleted Timestamp in der Zukunft liegt

4.4.23 (2.5.18), 10. September 2010

• Bugfix: viele EPC Updates
• Bugfix: Access-Decision korrigiert wenn der Port down ist
• Bugfix: Fix SNMP Trap Daemon
• Bugfix: Update Problem mit DHCP Server behoben
• Bugfix: Problem mit grossen Portgruppen behoben

4.4.20 (2.5.16), 23. August 2010

• Feature: Modul EPC (End Point Compliance)

4.4.17 (2.5.13), 9. August 2010

• Bugfix: überprüfe dot1x Port Status bei MAC Notification Task

4.4.12 (2.5.8), 2. August 2010

• Bugfix: Extreme Networks Adapter VLAN Setzen auf 12.4 Firmware

4.3.26 (2.3.39), 31. March 2010

• Feature: Login: User mit den Rollen admin, helpdesk oder support werden automatisch auf die Core-Status Seite weitergeleitet
• Feature: Netdevice: Neuer Blockmechanismus "COMPLIANTVLAN" hinzugefügt
• Feature: SNMP Error View: Listen können exportiert werden, Paging aktiviert
• Feature: CliNG funktioniert (überwachung NAS-Threads)
• Feature: DNS und Radius Konfiguration verbessert
• Bugfix: USP Reports angepasst für NG Build (2x Endgeräte Report)
• Bugfix: User mit der Rolle "monitoring" können sich wieder einloggen
• Bugfix: NAS Alerting funktionierte nicht, wenn SNMP Trap-Forwarding aktiviert wurde
• Bugfix: Radius Server Konfiguration, Passwort kann Sonderzeichen enthalten
• Bugfix: Gleichzeitiges Login von mehreren Clients konnte zu einer JSP Exception führen
• Bugfix: Portgroup edit, Tabellen werden per Default nach Namen sortiert
• Bugfix: NAS TRAPD, Logfile wird nicht neu erstellt bei einem Restart - vereinfacht debugging

4.3.22 (2.3.35), 11. February 2010

• Feature: DB Anpassungen für neue PostgreSQL Version
• Bugfix: Monitoring Tabelle wurde 2x angezeigt, wenn der User die Rolle Administrator und Support hatte

4.3.21 (2.3.34), 2. February 2010

• Feature: Regel übersicht: Default Sortierung nach Priorität
• Feature: Forecast: Ansicht auf 2 Spalten, kein Scrollen mehr.
• Feature: Alert: Wenn ein automatisches Backup fehlschlägt, wird ein Alert generiert
• Bugfix: PDF Export Netdevice Liste: HTML Tag (wbr) erscheint nicht mehr im Export
• Bugfix: Inkonsistente ResultSet handhabung korrigiert (DAO)

4.3.20 (2.3.33), 26. January 2010

• Feature: NAS Core Task können überwacht werden (wird noch nicht aktiv überwacht)
• Feature: NAS Monitoring, RRD Bilder können als PDF exportiert werden
• Feature: MAC Notification Enterasys
• Feature: SNMP Location von Router anzeigen
• Feature: Disconnect Nodes nach einem NetPort Import
• Feature: System State Dump kann via Web-GUI exportiert werden
• Feature: NAS Logging Einstellungen, nach der Konfiguration einzelner Log Systeme (Syslog, SMTP, SNMP) kann eine Testnachricht verschickt werden
• Bugfix: Backup: wenn ein automatisches Backup fehlschlägt, wird dies korrekt erkannt.
• Bugfix: Backup: Textkorrekturen im automatischen Backup-GUI
• Bugfix: Restore von ungültigen backup wird gestoppt
• Bugfix: Restore: Sequenz ID gefixt
• Bugfix: Restore: ein Restore überschreibt HA Konfiguration nicht mehr
• Bugfix: Reports: MAC-Adresse Parameter-Felder bei Reports gleich behandeln wie bei Inventarisierung (js)
• Bugfix: Reports: Endgerätereport zeigt nun auch Geräte an, wenn keine Port-Gruppe ausgewählt wurde
• Bugfix: Logrotate: Aufgrund eines Schreibfehlers wurden die nas-core Logfiles nicht rotiert.
• Bugfix: HA: nas-webui Log wird nicht mehr gelöscht bei einem Restart von Tomcat. Wichtig bei HA
• Bugfix: Shutdown von nas-trapd funktioniert per stop
• Bugfix: SAB Registry schreibt keine doppelten Einträge mehr
• Bugfix: Monitoring: Links werden auf der Core-Status-Seite nur noch für die Rollen Administrator und Support angezeigt
• Bugfix: SSH Zugriff: Im GUI wird ein Text angezeigt, bei dem klar wird, dass wenn ein leeres Passwort angegeben wird, das momentan gültige übernommen wird
• Bugfix: Login Exceptions (account locked/expired) wurden nicht richtig angezeigt
• Bugfix: Reset korrupte VLAN's
• Bugfix: Neue Regel hinzufügen: keine Entität - Exception
• Bugfix: SAB Alerts konnten "verloren" gehen, wenn viele Alerts gleichzeitig geschickt wurden

4.3.16 (2.3.30), 11. January 2010

• Bugfix: Sys Standort und Sys Location Angaben sind nicht mehr zwingend
• Bugfix: Backup: Reset DB Sequenzzähler nach Restore
• Bugfix: Backup: VLAN Tabellen werden auch gesichert/restored
• Bugfix: VLAN Aktivierung war nicht möglich
• Bugfix: "Back"-Button in "VLAN Mapping definieren" ist falsch benannt. Anstelle 'Zurück zu VLAN Zonen Verwaltung' heisst es nun 'Zurück zu VLAN Mapping'
• Bugfix: Gast-VLAN setzen funktionierte wieder mit VLAN ID oder mit VLAN Namen
• Bugfix: HA: falsche Alert Meldungen
• Bugfix: HA: Job "HA Entfernen" kann immer ausgeführt werden
• Bugfix: Monitoring Task crashte bei langen Hostnamen
• Bugfix: Monitoring, Alert Datum war in der Detailansicht im 12h Format
• Bugfix: Maske zum Erfassen eines temporären Gerätes hat eine falsche Beschreibung beim Feld Gast-VLAN gehabt
• Bugfix: Automatisches Backup nahm leeren Namen an
• Bugfix: Endgerätereport zeigte nichts an, wenn keine Portgruppen definiert waren (INNER JOIN statt LEFT JOIN auf die Tabelle portgroup_netdevice)
• Bugfix: Inventar bearbeiten von EAP_CACHED Source funktioniert mit MS_CHAP nicht, da dort der Clientname = DOMAIN\USERNAME ist und der Bearbeiten-Link mit dem Clientnamen aufgerufen wird
• Bugfix: Userrolle monitoring bekommt beim Login nur eine Fehlerseite, Redirect auf nasHealthCheck.html gemacht
• Bugfix: MAC Bypass Delay Config wieder in Core Config eingefügt
• Bugfix: MAC Bypass wird nicht entfernt, wenn ein DownTrap von einem 802.1X Port kommt
• Bugfix: Default VLAN auf 802.1X Port nach dem Ausziehen des Gerätes funktioniert nicht
• Bugfix: Default VLAN bei MACBypass funktioniert ebenfalls nicht
• Bugfix: Traphandling von UP-Traps welche vor MacNotification (DOWN) kommen. Nun wird der Node nicht mehr auf disconnected gestellt, wenn er bereits an einem anderen Switch gesehen wurde
• Bugfix: Automatischer Backup wird in System-Info nicht aufgelistet
• Bugfix: SNMP Daemon ist nun mit SNMP v1 erreichbar (nur v2c ging davor)
• Bugfix: SNMP Daemon rapportiert 'komischen' Systemtyp 'the USP Appliance System'. Neu ist 'USP Appliance System'
• Bugfix: Scheduled Backup Form, DNS Einstellungen Form, Radius Einstellen Form: fix "null ist ein Pflichtfeld" errors
• Bugfix: HA: Backup/Restore fixes, HA Daten auf backup excluden (#4353), Fehlermeldung, wenn DB nicht läuft
• Bugfix: SNMP Alarming versendet wieder Traps

4.3.11 (2.3.28), 4. January 2010

• Feature: Alcatel Switch Integriert
• Feature: Diff-Upgrade Mechanismus für DB-Scripts
• Feature: Neue Config Seite für Einschaltung von Compliant VLAN's
• Bugfix: Berechtigungen Read-Only Rollen
• Bugfix: Portgruppenupdate bei grossen Switches fixed
• Bugfix: HA: Backup/Restore Funktionen sind auf einer passiven Appliance nicht mehr möglich
• Bugfix: HA: Bevor HA gestartet wird, wird überprüft ob die Konfiguration auf beiden Appliances übereinstimmt ( aktiv/passiv, hot stby oder cold stby)
• Bugfix: HA: nas-core Log wird nicht mehr gelöscht bei einem restart von nas-core. Wichtig bei HA
• Bugfix: Minor Changes (#4329:not closed input streams, #4309:nas ha: "job ha entfernen" fehlerhaft, #4348: update commons-pool)

4.3.7

• Bugfix: VLAN Setzen Enterasys Router Matrix N1
• Bugfix: DB-Timeout für GUI und Reporting

4.3.2

• Feature: Unterstützung Enterasys Router Matrix N1
• Feature: High Availability Hot-Standby Modus
• Feature: Definition von VLAN Zonen in GUI integriert
• Feature: VLAN Mapping von VLAN-Namen und VLAN-ID
• Feature: Es können mehrere Interfaces für HA verwendet werden
• Feature: Radius Failover
• Feature: Setzen von Default VLAN's auf Down-Ports

4.2.6

• Feature: High Availability Cold-Standby Modus
• Feature: Unterstützung Extreme Network Switches

4.1.25

• Feature: Neues GUI zum Definieren von DNS Zonen
• Feature: Verschlüsseln des DB-Passworts für Enterprise Version
• Bugfix: DNS Import gefixt

4.1.24

• Feature: Zusätzliche Benutzer-Admin Rolle eingeführt
• Bugfix: MAC Notifications
• Bugfix: Update des Node Status
• Bugfix: Weiterleitung Monitoring User auf Monitoring Seite
• Bugfix: Port Down-Up Problem bei VLAN-Move
• Bugfix: VoIP-Problem

4.1.20

• Feature: Konfigurierbares AutoPVID. Global einschaltbar über die Konfiguration
• Feature: Compliant VLAN Modus
• Bugfix: Enterasys Switchadapter
• Bugfix: Inventar-Deltaimport welcher Zeilen ohne MAC-Adresse nun korrekt rejected.
• Bugfix: Layer3 Scan

4.1.0

• Feature: Monitoring überwachung der Hardware, des Betriebssystems und der NAS Applikation
• Feature: Alarming bei Problemen betreffend der Hardware, des Betriebssystems und der NAS Applikation
• Feature: Support SMTP Auth für Alarming eMails
• Feature: Tabellensortierung wird während einer Session gespeichert
• Feature: Reporting:
• Report: Out of Scope Traps
• Report: Inventarisierte/ nicht inventarisierte Geräte
• Report: Anzahl bekannte, unbekannte und neu unbekannte Geräte
• Report: Systemübersicht: Anzahl Full-Imports, Delta-Imports, DNS Zone Transfers, OOS-Traps, Errors pro Tag
• Report: Systemauslastungsgrafik
• Report: Statistik Autorisierung (Gemäss SBB Spez.)
• Report: Autorisierungsgrafik
• Report: Endgeräte im Netz: Erweiterung mit Portgruppenfilter.
• Report: Nicht-autorisierte Geräte am Netz: Auflistung aller Systeme, die abgewiesen wurden (Mac, Netzkomponente, Port, Zeitpunkt).
• Reporting: Gesperrte Ports über einen selektiven Zeitraum
• Reporting: "Unused Ports": Sämtliche Ports, die im Scope sind, aber an denen keine MAC Adresse gesehen wird
• Bugfix: Verbesserte Webserver Stabilität
• Bugfix: Persistente Passwort änderungen

4.0.33

• Feature: Konfiguration VLAN-Move/Port-Block pro Switch
• Feature: HP Switch-Adaptor
• Feature: Layer3 Info-Scan
• Feature: Sen-Ddelay für Alerts kann konfiguriert werden (Alerts werden nur beim ersten Auftreten innerhalb einer Periode versendet)

4.0.31

• Feature: Backup/Restore über Webui
• Feature: Pre- und Postskripts für Update Mechanismus
• Bugfix: "file not found" nach factory reset
• Bugfix: Postgres: ASCII zu utf8
• Bugfix: SCSI CDROM Treiber
• Bugfix: eth2 nach Reboot nicht gesetzt
• Bugfix: Aufteilung Datensicherung / Export
• Bugfix: Ethernet Interfaces erscheinen erst verzögert nach Reboot
• Bugfix: Update schreibt initrd nicht korrekt
• Bugfix: Hostname wird nun auch in /etc/hosts eingetragen
• Bugfix: dhcpd stop/start via SAB
• Bugfix: nas-core stop beendet nicht alle Prozesse
• Bugfix: Shutdown nicht möglich

4.0.29

• Feature: Neue Seite für das Definieren von Portgruppen
• Feature: Logische Gruppierung in Konfigurationsseite
• Feature: Workspace Aktivierung asynchron
• Feature: Migration Read-Only Rolle auf NAS4
  • Feature: Neue Rolle Useradmin eingeführt. Der bisherige Administrator kann keine Benutzer mehr erstellen/ändern/löschen
• Feature: Integration LDAP User Authentisierung
• Bugfix: Der Link für das Freigeben nach einer restriktiven Blockierung und anschliessender temporärer Freigabe verschwindet gänzlich, auch wenn das Gerät aus der Registertabelle gelöscht wird.
• Bugfix: Wenn ein Netdevice logisch gelöscht wird, so wird kein Cleanup der zu diesem Netdevice gehörigen Access-Decisions gemacht. Dies ist insofern ein Problem, als die Permissiven Pending Decisions für immer gelten und deshalb kein Ablaufdatum haben.
• Bugfix: Das GUI sollte auf der Alarming Seite keine GUI Meldungen anzeigen die mit x9xx gematcht werden können, da diese standardmässig keinen Alarm auslösen können.
• Bugfix: Im Config GUI kann kein leerer String für Trap Community gesetzt werden
• Bugfix: NAS-DB Restart - NAS Gui hat keinen Zugriff auf die db mehr (kein reconnect)
• Bugfix: Reaktivierung von Switches über Full-Update nicht möglich
• Bugfix: Wenn ein Netdevice mit dem Hostnamen: abc.host.ch. erfasst werden möchte, wird dies nicht zugelassen, dies ist jedoch die korrekte Schreibweise. Dazu muss die Validierungs-Regex angepasst werden.
• Bugfix: Gerät temp. freigeben, variable Zeitspanne wird ignoriert
• Bugfix: nas core config, parse error
• Bugfix: nas core config: NPE nach Session Timeout

4.0.20

• Feature: Erweiterte Filter im Inventar der Endgeräte
• Feature: Es werden mehr infos zu den Switches im GUI angezeigt (Standort)
• Feature: Konfiguration für das "Block Port Enforce" ist auch über GUI möglich
• Feature: Datenimport akzeptiert beliebige Gerätetypen und Geräteklassen
• Feature: Appliance Menu überarbeitet
• Bugfix: Netports werden korrekt gelöscht
• Bugfix: Problem beim Editieren des Passworts gefixt (Browser-Cache: Plaintext überschrieb DB-Hash)
• Bugfix: Alerting GUI: Internal Messages wurden eliminiert
• Bugfix: BO Link aus Hilfeseite entfernt
• Bugfix: Das doppelte Erfassen von Netdevices wird verhindert
• Bugfix: Beim Löschen eines Netports werden die daran betroffenen Nodes auf DISCONNECTED gesetzt
• Bugfix: Blocking Time kann angepasst werden
• Bugfix: Versenden von Alerting Traps/E-mails gefixt