Release Notes for PICOS 2.11.25

These notes summarize the new features, new hardware, known bugs, and bug fixes in PICOS 2.11.25. As a best practice, read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.


New Software Features

Layer 2 and Layer 3

| Bug ID | Release | Description |
|---|---|---|
| 11394 | 2.11.25 | Secure Keys in Configuration: Present the share-key of RADIUS/TACACS+ and the authentication-key and privacy-key of SNMP in encrypted form. |
| 11511 | 2.11.25 | Add New Columns to "run show lldp neighbor": Add two columns, "Platform" and "Capability", to the output of "run show lldp neighbor". |
| 11509 | 2.11.25 | NAC - Invalid Downloadable ACL: If an invalid downloadable ACL is included in the returned access-accept RADIUS message, the supplicant client is denied network access. The invalid downloadable ACL is marked in the output of "run show dot1x interface gigabit-ethernet XXX". |
| 11538 | 2.11.25 | Show "service-tag": Add a new CLI command, "run show system hwinfo service-tag", to show the service-tag. |
| 11475 | 2.11.25 | Restore License and User Password Automatically: On OverlayFS platforms such as N3048 and N3132, the license key and the updated user password for first login are not lost when the system reboots, even if "save_config" has not been executed. |
| 11798 | 2.11.25.2 | Dynamic VLAN Overrides Voice VLAN: If the returned RADIUS access-accept message includes an extra Pica8 vendor-specific attribute (VSA) "pica8-traffic-class=voice", the dynamic VLAN takes precedence over the locally configured voice VLAN. |
| 10437 | 2.11.25.3 | RADIUS Accounting for 802.1x and MAB: The PICOS switch sends start/stop accounting messages to the RADIUS server for the supplicant's 802.1x/MAB authentication session. |
| 12132 | 2.11.25.3 | Response to session-timeout Attribute: If the returned access-accept RADIUS message carries the session-timeout attribute after MAB/802.1x authentication, the authenticated session expires after the session-timeout period and a new authentication process starts. |
| 11976 | 2.11.25.3 | Show DACL Counters: Allow the user to show the counters of downloadable/dynamic NAC ACLs. |
| 12361 | 2.11.25.7 | Priority of Multiple NAC Servers: Allow the user to configure the priority of multiple NAC servers. The reachable NAC server with the highest priority is used for NAC authentication. |
| 12467 | 2.11.25.7 | Enhancements on Server-Fail Recovery Methods: Three methods, namely auto, manual and timer, can be configured for the client to recover from a server failure. By default, manual takes effect. |

Linux Platform

| Bug ID | Release | Description |
|---|---|---|
| 12129 | 2.11.25.3 | Use Space Key to Terminate Countdown: The upgrade2 process enters a 10-second countdown before rebooting the system. The user can end the countdown and abort the upgrade process only by pressing the space key, not by pressing any key. |

Ampcon

| Bug ID | Release | Description |
|---|---|---|
| 12728 | 2.11.25.10 | Change server_hostname_prefix to "autopilot-pica8": The value of server_hostname_prefix is changed to "autopilot-pica8" in auto-deploy.conf. This is an enhancement for the Ampcon agent. |

Fixed Issues

Linux Platform

| Bug ID | Release | Description |
|---|---|---|
| 12729 | 2.11.25.9 | Port fails to come up with a Cisco RJ45 SFP (CISCO-METHODE) inserted: When a qualified optical RJ45 adapter (CISCO-METHODE) was inserted into a PICOS-driven switch, the adapter failed to come up. The switch was an AS4610-54P. The PICOS version was 2.11.25.7. |

Layer 2 and Layer 3 Features

| Bug ID | Release | Description |
|---|---|---|
| 11560 | 2.11.25 | Include "#" in Shared Key of TACACS+ Session: Allow the character "#" to be included in the shared key of a TACACS+ session. |
| 11718 | 2.11.25.1 | Crash Caused by DHCP/ICMP: With DHCP snooping/relay enabled, if a DHCP OFFER is received and then immediately an ICMP packet, the pica_sif process could crash. |
| 11738 | 2.11.25.2 | Port Hangs after dot1x CoA-terminate and CoA bounce-port for MAB Authenticated Phone: If the configured voice VLAN is equal to the dynamic VLAN for a specific port and connected client device, the port becomes stuck when it receives a CoA terminate message. |
| 12015 | 2.11.25.3 | DHCP Discovery Packets Are Discarded When It Fails to Reach NAC Server: The client falls back to server-fail-vlan when the NAC server is not reachable. In this case, the client should be allowed to reach the DHCP server even if DHCP snooping is enabled. |
| 11920 | 2.11.25.3 | Send out LLDP with Power-Via-MDI TLV for Power Negotiation if PoE is Enabled: Not all PDs (Powered Devices) initially send out LLDP with the Power-Via-MDI TLV when they request extra power via power negotiation. The PICOS switch therefore sends out LLDP with the Power-Via-MDI TLV initially if PoE is enabled on the specific port. |
| 12257 | 2.11.25.6 | Aruba AP-515 Fails to Receive Power: The Aruba AP-515 cannot receive power from N3048 UPoE ports (ge-1/1/1 to ge-1/1/12). |
| 12248 | 2.11.25.7 | DACL Counter Should Be in Packets: To stay consistent with the locally configured ACL, the downloadable/dynamic ACL counter should be in packets. |
| 12329 | 2.11.25.7 | DOT1X Authentication Failed when Two Reachable Servers Are Configured: The client fails to be authenticated if multiple configured RADIUS servers are reachable. |
| 12436 | 2.11.25.7 | Switch Still Does MAB Auth when Client Sends EAP Packet: If MAB and 802.1x are both enabled on a specific port and EAP is received from the client on this port, the client can only be authenticated by 802.1x, which has higher priority than MAB. |
| 12508 | 2.11.25.7 | Lower the Level of a LOG Message: Lower the level of log messages such as "The mac address 00:24:14:b3:68:3a is NAC session, ignore it" to "TRACE". |
| 14632 | 2.11.25.16 | Duplicate Access-Request Messages: The switch may send out duplicate access-request messages even though the RADIUS service for NAC is available and the associated access-accept messages are returned. |

Copyright © 2025 Pica8 Inc. All Rights Reserved.