These notes summarizes PICOS 2.11.25 new features, new hardware, known bugs, and bug fixes. Best practices recommend that you read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.

New Software Features

Layer 2 and Layer 3

Bug ID	Release	Description
11394	2.11.25	Secure Keys in Configuration Present encripted code of share-key of RADIUS/TACAS+ and authentication-key and privacy-key of SNMP.
11511	2.11.25	Add New Columns to "run show lldp neighbor" Add to columns - "Platform" and "Capability" - to the output of "run show lldp neighbor"
11509	2.11.25	NAC - Invalid Downloadable ACL If an invalid downloadable ACL is included in the returned access-accept RADIUS message, the suplicant client will be denied from the network access. And the invalid downloadable ACL will be marked when run "run show dot1x interface gigabit-ethernet XXX".
11538	2.11.25	Show "service-tag" Add new Cli command - "run show system hwinfo service-tag" - to show service-tag.
11475	2.11.25	Restore License and User Password Automatically On OverlayFS platforms such as N3048 and N3132, license key and the updated user password for first login will not be lost if reboot system even though "save_config" is not executed.
11798	2.11.25.2	Dynamical VLAN Overrides Voice VLAN If the returned RADIUS access accept message includes an extra Pica8 vendor-specific-attribute (VSA)“pica8-traffic-class=voice”, the dynamic VLAN will take precedence over the locally configured voice VLAN.
10437	2.11.25.3	RADIUS Accounting for 802.1x and MAB PICOS switch sends start/stop accounting message to RADIUS server for supplicant's 802.1x/MAB authenticaiton session.
12132	2.11.25.3	Response to session-timeout Attribute If the returned access-accept RADIUS message has attribute session-timeout after MAB/802.1x authentication, the authenticated session will be expired after a period of session-timeout and start a new authentication process.
11976	2.11.25.3	Show DACL Counters Allow user to show the counter of downloadable/dynamic NAC ACLs.
12361	2.11.25.7	Priority of Multiple NAC Servers Allow user to configure the priority of multiple NAC servers. The reachable NAC server with highest priority will be used for NAC authentication.
12467	2.11.25.7	Enhancements on Server-Fail Recovery Methods Three methods, namely auto, manual and timer, can be configured for the client to get out from the server failure. By default, manual comes into effective.

Linux Platform

Bug ID	Release	Description
12129	2.11.25.3	Use Space Key to Terminate Countdown Due to upgrade2 process, will enter 10 seconds countdown before rebooting the system. User can only press space key instead of any key to end the countdown and abort the upgrade process.

Ampcon

Bug ID

Release

Description

12728

2.11.25.10

Change server_hostname_prefix to "autopilot-pica8"
The value of server_hostname_prefix is changed to "autopilot-pica8" in auto-deploy.conf.

This is an enhancement for Ampcon agent.

Fixed Issues

Linux Platform

Bug ID	Release	Description
12729	2.11.25.9	Port fails to come up with a Cisco RJ45 SFP (CISCO-METHODE) inserted A qualified Optical RJ45 adapter (CISCO-METHODE) into a PICOS driven switch, the adapter failed to come up. The switch was AS4610-54P. The PICOS version was 2.11.25.7.

Layer 2 and Layer 3 Features

Bug ID	Release	Description
11560	2.11.25	Include "#" in Shared Key of TACACS+ Session Allow character "#" to be included in shared key of TACACS+ session.
11718	2.11.25.1	Crash Caused by DHCP/ICMP Enable DHCP snooping/relay. If received an DHCP OFFER and then immediately an ICMP, it is possible the process pica_sif would crash.
11738	2.11.25.2	Port Hangs after dot1x CoA-terminate and CoA bounce-port for MAB Authenticated Phone If the configured voice VLAN is equal to the dynamic VLAN for a specific port and connected client device, the port is somehow stuck when receive a CoA terminate message.
12015	2.11.25.3	DHCP Discovery Packets are Discarded When it Fails to Reach NAC Server The client will fall back to server-fail-vlan when the NAC server is not reachable. In this case, it should allow the client to reach the DHCP server even if DHCP snooping is enabled.
11920	2.11.25.3	Send out LLDP with Power-Via-MDI TLV for Power Negotiation if PoE is Enabled It's not all PDs (Powered Device) that send out LLDP with power-Via-MDI TLV initially when they request extra power via power negotiation. So the PICOS switch will send out LLDP with power-Via-MDI TLV initially if PoE is enabled on the specific port.
12257	2.11.25.6	Aruba AP-515 Fails to Receive Power Somehow Aruba AP-515 can not receive power from N3048 UPoE ports (ge-1/1/1 to ge-1/1/12).
12248	2.11.25.7	DACL Counter Should Be in Packets To keep consistent with the locally configured ACL, the number of counter of downloadable/dynamic ACL should be in packets.
12329	2.11.25.7	DOT1X Authentication Failed when Configure Two Reachable Servers The client will fail to be authenticated if multiple configured RADIUS servers are reachable.
12436	2.11.25.7	Switch still Do MAB Auth when Client Send EAP Packet If enable MAB and 802.1x on a specific port, and EAP is reaceived from the client on this port, the client can only be authenticated by 802.1x which has higher priority than MAB.
12508	2.11.25.7	Lower the Level of a LOG Message Lower the level of the log message, such as "The mac address 00:24:14:b3:68:3a is NAC session, ignore it", to "TRACE".
14632	2.11.25.16	Duplicate Access-Request Messages The switch may send out duplicate access-request messages even though the RADIUS service for NAC is available and the associated access-accept messages are returned.

PICOS-2.11.25_Configuration_Guide

Release Notes for PICOS 2.11.25

New Software Features

Layer 2 and Layer 3

Linux Platform

Ampcon

Fixed Issues

Linux Platform

Layer 2 and Layer 3 Features

Related content