Peplink released AP firmware 3.9.8 as a beta on 12 June 2026, and I have been running it in the lab since, having spent time on the 3.9.7 test build before it. I want to be clear about that word at the top: this is Beta 1. It belongs in a lab or a controlled pilot, not on a production estate you cannot afford to disturb. With that said, one change in this build is going to matter to a lot of real installations, and it is worth understanding now rather than when it lands in general release.

The change worth your attention

Access points draw their power down the same cable that carries their data, from the switch they plug into. The higher-end the access point, the more power it wants, and the current crop of enterprise units in this class are built to run flat out on 802.3bt, the newer, higher-power flavour of Power over Ethernet. Plenty of installed switch estates do not deliver 802.3bt. They deliver 802.3at, what most people call PoE+, and nothing more. Until now that gap meant a switch refresh before you could deploy the access point properly.

3.9.8 softens that for the AP One Enterprise. It can now run on 802.3at by automatically easing back its maximum Wi-Fi transmit power to stay inside the lower power budget. In plain terms, you can put the Enterprise onto the PoE+ switches you already own and plan any move to 802.3bt on your own timeline, rather than being forced into it before the access point will even come up.

I am not going to pretend this is free. Easing back transmit power costs you headroom at the edge of the cell, so you trade a little range and a little margin in the awkward corners of a site for the convenience of leaving the switching alone. Run the same unit on full 802.3bt power and it performs exactly as you would hope. The point is not that the lower setting matches it. The point is that you now decide when to spend on switching, instead of the access point deciding for you on day one. For a phased rollout, or a site where the switch budget lands next quarter, that is genuinely useful.

And a way to see what is actually happening

The companion change makes the first one usable. 3.9.8 adds power source reporting on the AP One Enterprise, so the unit tells you which power class it negotiated rather than leaving you to infer it from behaviour. On a site with a mix of switches, that is the difference between knowing an access point is quietly running in its reduced-power mode and finding out the hard way when coverage at the edge does not match the survey. If you deploy this, watch that figure.

What else is in the build

The power change is the headline, but it is not the only thing here worth a look.

RadSec, for logins across links you do not trust

3.9.8 adds RadSec, which is RADIUS authentication wrapped in TLS. If your access points talk to a login server across a link you do not fully control, the old behaviour sent that RADIUS traffic in the open over UDP. RadSec encrypts it. For distributed sites, anything riding public infrastructure, or a deployment where the authentication server sits somewhere other than the local network, that quietly closes a gap that has been there for years. It is the kind of change that never shows up in a demo and matters a great deal in a real security review.

Stronger WPA3 encryption

The build adds the GCMP, GCMP-256 and CCMP-256 cipher suites for WPA3. If you are held to a particular cryptographic standard, or you simply want stronger options on the wireless side, they are now there to select.

Security fixes worth reading

3.9.8 patches a set of wireless vulnerabilities, the AirSnitch issues, that applied when client isolation was enabled on an SSID. Client isolation is the feature that stops devices on the same network from talking to each other, the thing you lean on for guest Wi-Fi and any shared environment. If you rely on it, this is a reason to pay attention to 3.9.8 once it reaches a build you are comfortable deploying. The release notes carry the specific CVE references.

The usual housekeeping

Beyond those, there is the run of fixes you want to see before firmware reaches general release: corrections to channel selection and DFS behaviour, a regulatory addition for Jordan, a fix for a Canada-specific channel display issue, and stability fixes on the Rugged, Mini and Flex hardware. None of it is exciting. All of it is the sort of tidying that tells you a release is maturing.

What I am testing before I would deploy it

A beta earns trust in the lab, not on a customer site. The thing I am watching most closely is the power behaviour: how the AP One Enterprise holds up on 802.3at across a full range of client loads, and whether the reduced transmit power moves coverage enough to matter at the edges of a real cell rather than a bench. I want the power source reporting to agree with what the switch thinks it is delivering, and I want RadSec exercised against a real authentication server rather than a happy-path test. That is the whole point of running a beta early. You find the edges in the lab so the network behaves when it carries something that matters.

If the 802.3at support holds up the way it looks like it will, 3.9.8 changes the order of operations on a lot of upgrades. You deploy the access points onto the infrastructure you already have, prove the design, and schedule the switching when it suits the budget rather than the other way round. For anyone running a large estate, that is a better sequence than the one we have been stuck with.