These are the release notes for Sophos AP6 access points.
The features mentioned in these release notes are only available if you have the appropriate license.
View the product documentation at Sophos AP6 access points.
View the Sophos Central wireless documentation at Sophos AP6 access points.
Sophos Central FSC regions (Australia, Brazil, Canada, India, and Japan) now support Sophos AP6 access points.
Sophos APX access points continue to be supported by Sophos Central United States and Europe regions.
Wireless clients connected to AP6 access points using all captive portal authentication methods can roam between access points without reauthenticating.
There are no new local UI changes in this release.
| Issue ID | Description |
|---|---|
| WIFIX-5351 | Wireless clients no longer need to reauthenticate when roaming between access points for all captive portal authentication modes. |
| WIFIX-7319 | Fixed an issue causing voucher authentication to fail when an SSID is applied to multiple access points. |
You can reset the local administrator's password for AP6 access points registered in Sophos Central from the control panel on the access point details page.
The creation of SSIDs for AP6 and APX access points is now separate. You can create SSIDs and mesh networks at My Products > Wireless > SSIDs using the Create AP6 and Create APX buttons.
You can clone APX SSIDs for AP6 access points using the Clone for AP6 button on My Products > Wireless > SSIDs. This button lets you create an SSID for AP6 access points using the same settings as the selected APX SSID.
The mesh creation workflow has been streamlined and improved. New functionality within the workflow makes it easier to satisfy all prerequisites for AP6 access points without leaving the workflow.
There are no new local UI changes in this release.
There are no resolved issues in this release.
You can configure guest networks in NAT mode. Clients receive IP addresses and DNS details from the DHCP server on the access point. Clients can only communicate with public IP addresses.
You can view information about the access point's power and connected power sourcing equipment (PSE) on the access point details page in Sophos Central.
You can view information about the access point's power and connected PSE on the System Information page in the AP6 UI.
You can also run the show status power command to view power and PSE information in the CLI.
When you restart an access point, the access point records the reason for the restart in the /tmp/reboot_reason.txt
log file.
| Issue ID | Description |
|---|---|
| WIFIX-7244 | Added configurable options for SNMPv3 encryption and authentication. |
| WIFIX-7141 | When an SSID using WPA3 is configured from Central, it's mandatory that 802.11w is enabled on that SSID. Fixed an issue where, in certain scenarios, Sophos Central wouldn't turn on 802.11w. |
| WIFIX-6752 | Fixed an issue where AP6 access points went offline during deployment of shared infrastructure and didn't recover. |
| WIFIX-6729 | Fixed an issue where AP6 access points didn't receive an IP address from one of the DHCP servers in networks where a load balancer was used to balance DHCP requests. |
| WIFIX-6654 | Fixed an issue where wireless clients that only support WPA2 couldn't roam successfully between access points when the SSID had 802.11r enabled and the encryption was set to WPA2/WPA3 mixed mode. |
| WIFIX-6001 | Fixed an issue where AP6 access points were broadcasting an SSID, but users couldn't connect to the SSID. |
| WIFIX-5343 | Fixed an issue where AP6-420X Rev2 wouldn't start in a frozen -20°C env. |
| WIFIX-5276 | SNMPv3 encryption and authentication items were added to the AP6 GUI. |
| WIFIX-5240 | Fixed an issue where the captive portal wasn't working with Google social login. |
| WIFIX-5218 | Fixed an issue where users couldn't sign in via the captive portal. |
| WIFIX-5212 | Fixed an issue where wireless clients were unable to connect to an SSID with scheduled availability configured after the scheduler turned the SSID back on. |
| WIFIX-5189 | Fixed an issue where the framed IP wasn't sent in either accounting-start or accounting-update requests for RADIUS accounting. |
| WIFIX-5122 | Fixed an LLDP issue with AP6 420E and Aruba switch. |
| WIFIX-5057 | Fixed an issue where, when Enterprise authentication (RADIUS) was enabled, we noticed the session timeout was causing wireless clients to drop from those SSIDs where this user authentication was used. |
| WIFIX-4053 | Fixed an issue where the RTS threshold was out of range (1-1023). |
| WIFIX-3645 | Fixed an issue where an IP address was still displayed in the local GUI of the AP6 after it was removed from the Walled Garden in Sophos Central. |
| WIFIX-3504 | Fixed an issue where the WLAN client table in the local AP6 GUI displayed the vendor's name as unknown for Samsung devices. |
| WIFIX-3189 | Fixed an issue where, if the administrator tried to set the channel bandwidth to 160 MHz on the AP6 804E, Sophos Central returned an error that it was unsupported. |
| WIFIX-2927 | Fixed an issue where RADIUS server re-authentication wasn't working after the wireless user's session timed out. |
For known issues, see Sophos Wireless Known Issues list.
There are no local access point features for this release.
You can download AP6 firmware and SNMP MIB files from the Sophos Central installers page.
For organizations that need to create more than the 100 voucher limit, you can use the Clone button to open the voucher creation dialog with all the details from a selected voucher already filled in.
There are no resolved issues in this release.
For known issues, see Sophos Wireless Known Issues list.
There are no local access point features for this release.
You can add AP6 access points to existing floorplans and create new floorplans for AP6 sites.
There are no resolved issues in this release.
For known issues, see Sophos Wireless Known Issues list.
There are no local access point features for this release.
Sophos AP6 access points registered with Sophos Central with a valid support services license can access the Active Threat Response (ATR) feature. The ATR API ingests threat feed data allowing MDR analysts and network administrators to quickly isolate malicious hosts across the network.
From Sophos Central, an administrator can view an Active Threat Response page and turn the Active Threat Response on or off for Sophos access points. The ATR page also lists the isolated hosts across all Sophos switches and AP6 access points managed in Sophos Central.
The Active Threat Response APIs are available on Sophos Central. For information on how to access and use APIs from Sophos Central, see Sophos Central APIs. The APIs can enable third-party integrations and workflows to swiftly isolate malicious activity at the network access layer. We're always interested in how third-party integrations are deployed, so please send us feedback regarding your custom integrations.
To view the Wi-Fi Management APIs, see Wi-Fi Management API.
There are no resolved issues in this release.
For known issues, see Sophos Wireless Known Issues list.
AP6 Series access points now offer a wireless guest network. A guest network allows wireless clients to connect to the SSID and access the internet but restricts access to local network resources.
For more information on how to turn on guest networks for AP6 series access points from Sophos Central, see Create a guest network.
| Issue ID | Description |
|---|---|
| WIFIX-4926 | Fixed an issue where enabling client isolation didn't allow wireless users to connect to an SSID and receive an IP address. This happened when any mesh node AP6 had an SSID synchronized from the root AP6 with client isolation turned on. |
| WIFIX-4730 | Fixed a display issue where the AP6 CLI showed the wrong authentication mode when an SSID was configured to use WPA3-EAP Enterprise. |
| WIFIX-3272 | Fixed an issue in the local AP6 GUI where deleted SSID entries weren't removed from the traffic shaping list. |
| WIFIX-3201 | Fixed an issue where the AP6 restarted multiple times when 802.11r fast roaming was turned on with a DD/WW/MM password SSID. |
| WIFIX-3119 | Fixed an intermittent issue with the auto-reboot feature after a firmware upgrade when more than five SSIDs were configured on an AP6. |
| WIFIX-2980 | Fixed an issue where the local GUI was accessible from non-management interfaces when the captive portal was set on an SSID using a tagged VLAN assignment. |
| WIFIX-2935 | Fixed an issue when setting the channel bandwidth explicitly to Auto on the 2.4 GHz radio, where wireless clients would only negotiate on the 20 MHz frequency and not the 40 Mhz frequency. |
| WIFIX-2716 | Fixed an issue when enabling the Proxy ARP feature from Central. The underlying functionality was working as expected,
and the Proxy ARP setting was turned on successfully, but the output of the SSH command showed the status network
proxyarp as ProxyArp Disable. |
| WIFIX-2691 | Fixed an issue where the SSID policy wasn't applied to the AP6 access point correctly and the captive portal didn't work correctly if the AP6 SSID name had special characters (!@#$%^&*) and had captive portal turned on. |
| WIFIX-5125 | Fixed an issue on the AP6 840E where the access point rebooted when proxy ARP was turned on. |
For known issues, see Sophos Wireless Known Issues list.
There are no new features for this release.
| Issue ID | Description |
|---|---|
| WIFIX-4586 | Fixed an issue where the VLAN interface set up for Captive Portal doesn't receive an IP address after editing an existing SSID and adding a new Captive Portal configuration. This is seen both from Central and the local AP6 GUI. This issue doesn't seem to happen if you edit other parameters within the SSID, for example, Captive portal vouchers, passphrase, and encryption. |
For known issues, see Sophos Wireless Known Issues list.
AP6 Series access points can be configured in a wireless mesh mode. A wireless mesh allows the AP6s to create a private SSID only visible to other AP6 access points configured to take part within the mesh network. The access points function as a wireless bridge for different wireless network segments. Wireless mesh is used for deployments where physical cabling may not be available for all access points deployed within a location. The feature can be managed from Sophos Central or using the local user interface for each AP6 access point.
For additional information on how to set up a mesh network with the AP6 Series access points. See the following links:
We recently started shipping a 60W PoE++ injector (802.3bt). This provides sufficient power for an individual AP6 840E and is backward compatible, so it could be used for an access point that requires less power.
For additional power information, see Sophos Wireless: AP6 Series Wi-Fi 6/6E Access Point power requirements.
| Issue ID | Description |
|---|---|
| WIFIX-3715 | The Mesh configuration isn't synchronized between the Root node and Mesh nodes when the Mesh ID contains a space. |
| WIFIX-3489 | MacBook wireless devices can't connect to a mesh network when OWE authentication is selected. |
| WIFIX-3478 | The client load balancing setting isn't displayed on wireless mesh nodes that aren't the root node. |
| WIFIX-3387 | We have seen the Mesh backhaul connection get disconnected every 30-40 seconds when auto-channel is configured on that radio. |
| WIFIX-3821 | The SSID used for the Mesh backhaul is broadcast when using the 2.4 GHz band. Wireless clients may be able to connect to this SSID if they know the Mesh password. |
| WIFIX-3387 | If you enable auto-channel on the backhaul SSID, you may notice instability with the Mesh network. We recommend manually setting the channels to use with the backhaul SSID. |
| WIFIX-3798 | A Mesh Node's radio parameters can be changed from Sophos Central. Any radio changes should be done through the Root Node. |
| Issue ID | Summary | Workaround |
|---|---|---|
| WIFIX-4530 | If the default management VLAN is changed on the AP6 Root Node, that configuration change doesn't currently get synchronized with the AP6 nodes taking part in the mesh network. | From Sophos Central, navigate to the Access Point page and manually set the correct management VLAN for each node taking part in the mesh network. Go to the local GUI of the AP6 nodes and manually change the management VLAN ID. This can be done from the Network Settings > VLAN page in the local GUI on the node access points. |
| WIFIX-4297 | In certain scenarios, we've seen that using more than a single hop (2-hop or more) for a node to create a mesh network doesn't work properly. Any nodes try to connect through an intermediary node and then the root doesn't create a mesh connection. The nodes currently will only connect with the root node in the mesh network. | Locate the node access points closer to the root node so all nodes in the mesh connect to the root node. |
| WIFIX-4586 | The VLAN interface set up for Captive Portal doesn't receive an IP address after editing an existing SSID and adding a new Captive Portal configuration. This is seen both from Central and the local AP6 GUI. This issue doesn't seem to happen if you edit other parameters within the SSID, for example, Captive portal vouchers, passphrase, and encryption. | From Sophos Central, update the existing Captive Portal SSID and save the configuration to re-apply the changes to the access point. From the local AP6 GUI, ensure that you click Apply after completing all the Captive Portal changes. Rebooting the access point from Sophos Central or the local AP6 GUI resolves the issue. |
For known issues, see Sophos Wireless Known Issues list.
There are no new features for this release.
| Issue ID | Description |
|---|---|
| WIFIX-3231 | Walled Garden can't be enabled from Central Wireless. |
| WIFIX-3215 | No error message is provided in Central when a voucher is set with the same start time and end time. |
| WIFIX-3196 | Central Wireless doesn't provide an option to enable 802.11r fast roaming for AP6. |
| WIFIX-3186 | Central Wireless shows MU-MIMO as disabled for newly registered AP6 access points. |
| WIFIX-2896 | The administrator can't edit any sites in Central Wireless if the site is created with the country location set as UAE. |
| WIFIX-2880 | When the AP6 SSID is configured to use WPA3-Enterprise with the Internal RADIUS server, the authentication doesn't work properly. |
For known issues, see Sophos Wireless Known Issues list.
For known issues, see Sophos Wireless Known Issues list.
You can find technical support for Sophos products in any of these ways:
Copyright © 2024 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.