
Recommended Patch Course for 7181


What would the recommended course of action be with EOL devices and the recent Krack attack? I know the 7181 is EOL, but has a patch been released for the last firmware? I believe the latest firmware that was supported was 5.8.4.0-034.

6 replies

Userlevel 4
Hello Kendal,
WiNG v5.8.5.x was the last release for the EOL AP7181 and Extreme Networks is only patching v5.8.6, v5.9.0, and v5.9.1 builds in regards to the WPA2/KRACK vulnerability. I would ensure that 802.11r and broadcast key rotation for WPA2/CCMP WLANs are disabled (disabled by default on WiNG 5). Both settings are within the WLAN configuration (broadcast key rotation is under WLAN/Security and 802.11r/Fast BSS Transition is under WLAN/Advanced).
Userlevel 4
Christopher Frazee wrote:

Hello Kendal,
WiNG v5.8.5.x was the last release for the EOL AP7181 and Extreme Networks is only patching v5.8.6, v5.9.0, and v5.9.1 builds in regards to the WPA2/KRACK vulnerability. I would ensure that 802.11r and broadcast key rotation for WPA2/CCMP WLANs are disabled (disabled by default on WiNG 5). Both settings are within the WLAN configuration (broadcast key rotation is under WLAN/Security and 802.11r/Fast BSS Transition is under WLAN/Advanced).

Christopher, can we see this as official information, that versions older than 5.8.6 get no patch? At the beginning the KRACK site said "5.7.x / 5.8.x / 5.9.x". Now it's 5.8.6 / 5.9.0 / 5.9.1.
Userlevel 4
Christopher Frazee wrote:

Hello Kendal,
WiNG v5.8.5.x was the last release for the EOL AP7181 and Extreme Networks is only patching v5.8.6, v5.9.0, and v5.9.1 builds in regards to the WPA2/KRACK vulnerability. I would ensure that 802.11r and broadcast key rotation for WPA2/CCMP WLANs are disabled (disabled by default on WiNG 5). Both settings are within the WLAN configuration (broadcast key rotation is under WLAN/Security and 802.11r/Fast BSS Transition is under WLAN/Advanced).

Hello Timo,
You can view the info at the following URL:

https://extremeportal.force.com/ExtrArticleDetail?n=000018005
Bummer! I will look at the recommendations you have given.
Userlevel 3
Go have a look at this thread: https://community.extremenetworks.com/extreme/topics/krack-attack-on-wpa2

If your APs are controlled by a current controller (pretty much anything except RFS7000), it contains AP code for the most recent version of firmware, so for instance AP71xx 5.8.6.7 is present on the controller, and it can upgrade the devices. A note of caution, however: it would not be supported by GTAC if you needed assistance.


As a general observation, there appears to be an underlying sentiment in this forum that Extreme Networks (to be clear, I'm talking about the decision makers and not the excellent technical and support staff) is attempting to profit from the WPA2 Krack vulnerability by pushing customers off the legacy gear by simply not supporting it.
The code change in the RFS7000 for instance would be identical to that in the RFS6000, since for years the sales argument is that all the platforms run the same code. Similarly even going back to 5.7.x it would be the same code changes to fix the problem. So technically speaking there's nothing stopping Extreme Networks from issuing patches for older code revisions, which would go a long way to making it feel like Extreme Networks takes their customers' networks to heart.
Userlevel 4
The RFS series controllers have a limited amount of flash available, and the following are the pre-loaded AP images when upgrading an RFS wireless controller (example from RFS4000 v5.8.6.7):

RFS4K-WAN#sh device-upgrade ver
--------------------------------------------------------------------------------
CONTROLLER    DEVICE-TYPE    VERSION
--------------------------------------------------------------------------------
RFS4K-WAN     ap621          5.8.6.7-002R
RFS4K-WAN     ap622          5.8.6.7-002R
RFS4K-WAN     ap650          5.8.6.7-002R
RFS4K-WAN     ap6511         none
RFS4K-WAN     ap6521         5.8.6.7-002R
RFS4K-WAN     ap6522         5.8.6.7-002R
RFS4K-WAN     ap6532         5.8.6.7-002R
RFS4K-WAN     ap6562         5.8.6.7-002R
RFS4K-WAN     ap71xx         none
RFS4K-WAN     ap7502         none
RFS4K-WAN     ap7522         none
RFS4K-WAN     ap7532         none
RFS4K-WAN     ap7562         none
RFS4K-WAN     ap81xx         none
RFS4K-WAN     ap82xx         none
RFS4K-WAN     ap8432         none
RFS4K-WAN     ap8533         none

All other AP images would need to be uploaded to the RFS controller and typically no more than 2 to 3 additional images can be uploaded to the controller.

As for the RFS7000 comments, the RFS7000 has been EOS for a couple of years now, with plenty of time for customers to refresh. The code is the same across each platform, but the hardware is not.

For the time being, with 802.11r disabled and broadcast key rotation disabled (both disabled by default on all WiNG 5 platforms), you should be fine, but I would start looking to refresh your RFS controllers with newer models.
