ExtremeCloud IQ (XIQ) Announcements

IQVA 21.1.21.11 has been released!

You can view the release notes here. 

The downloadable files can be found on the Extreme Portal, under Products: 

• ExtremeCloud™ IQ On Premises

It seems you guys didn’t consider all parts of deactivating TLS 1.0 and TLS 1.1 (https://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/virtual-appliance-release-notes.htm).

Transport Layer Security (TLS) 1.0 and 1.1 Deprecation

SSL TLS 1.0 and TLS 1.1 have been disabled in IQ Virtual Appliance and are no longer available in the user interface. TLS 1.2 is now the default supported cipher.

Now my APs with IQ Engine 10.0r10b cannot connect anymore to IQVA as a PPSK radsec proxy:

2021-07-21 08:53:45 err     radsecproxy[30081]: tlsconnectnonblock failed
2021-07-21 08:53:45 err     radsecproxy[30081]: tlsconnectnonblock: TLS: error:14090086:lib(20):func(144):reason(134)
2021-07-21 08:53:45 warn    radsecproxy[30081]: verify error: num=19:self signed certificate in certificate chain:depth=2:/CN=Aerohive/ST=CA/C=US/O=Aerohive Networks, Inc./OU=Engineering
2021-07-21 08:53:45 warn    radsecproxy[30081]: connecttcphostlist: TCP connection to <censored> port 2083 up
2021-07-21 08:53:45 warn    radsecproxy[30081]: connecttcphostlist: trying to open TCP connection to <censored> port 2083

With means: PPSK is broken after the upgrade!!!

For others running in this issue, this is the fix:

With regards to the certificate change, you will need to refresh the certificate on the AP. Go to device>select all>actions>reset idm client certificate.

 

Our recommendation is to perform a complete update on the APs whenever the IQVA is updated in order to avoid issues such as this certificate issue.