Endpoint stuck on "Critical VLAN"

Solved
arom
Here to help

Hi team,

We are currently testing out Cisco ISE with Meraki MS120-switches.

When testing out the "Critical VLAN" feature, we noticed that the endpoint/switchport somehow got stuck on the mode.

The test was created as per the following:

1. Disconnected the endpoint from the switchport.

2. Changed the PSK to a faulty PSK on the access policy on the switch (to simulate that the switch cannot communicate towards the ISE server).

3. Connected the endpoint, and the endpoint was successfully put on the Critical VLAN which is good.

4. We changed back the PSK to the correct one in the access policy, and here the switch/switchport never tried to reauthenticate again. We disconnected/connected the device several times to the switchport but every time the endpoint got registered to the Critical VLAN. In ISE, we couldn't see that the endpoint tried to authenticate.

To resolve the issue, we reconfigured the switchport from the Cisco ISE policy to "open", and then back to the Cisco ISE policy, and after that the endpoint did a successful authentication again.

Is this by design, or a bug?

1 Accepted Solution
ww
Kind of a big deal

I think bouncing the port should work. Are you working with support on this?

The document also talks about enabling RADIUS monitoring, which support can enable.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Other_RADIUS_F...

View solution in original post

3 Replies
arom
Here to help

Interesting finding, thank you for the information!

Strange that the setting is not enabled by default. I have reached out to the support now 🙂

PhilipDAth
Kind of a big deal

>We changed back the PSK to the correct one in the access policy, and here the switch/switchport never tried to reauthenticate again

I'm guessing it declared all the RADIUS servers dead. I think the hold down time might be 5 minutes before attempting a dead server again.

How long do you think you waited?

It will also definitely require a port transition again to try and re-attempt 802.1x.
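The dead-server behaviour described in this reply, replayed as an added toy model (not Meraki MS or Cisco ISE code, and not part of the original thread). The authenticator marks a RADIUS server dead when a request with a mismatched shared secret times out, skips that server until an assumed hold-down timer (`DEAD_TIME`, an illustrative value) expires, and only runs 802.1X on a port transition, so fixing the secret alone changes nothing until both conditions are met:

```python
"""Toy model of how an 802.1X authenticator treats a RADIUS server it has
declared dead. Constructed illustration only; not Meraki MS or Cisco ISE
code, and DEAD_TIME is an assumption rather than a documented default."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEAD_TIME = 300  # assumed hold-down in seconds before a dead server is retried


@dataclass
class RadiusServer:
    name: str
    secret: str            # shared secret the server actually holds
    dead_until: float = 0  # the switch skips this server until this time


@dataclass
class Port:
    vlan: Optional[str] = None  # VLAN the port sits on; None means link down


@dataclass
class Authenticator:
    policy_secret: str          # shared secret configured in the access policy
    servers: List[RadiusServer]
    log: List[str] = field(default_factory=list)

    def set_policy_secret(self, secret: str) -> None:
        # Editing the access policy only affects future requests; it neither
        # clears dead markers nor re-authenticates sessions already on a port.
        self.policy_secret = secret

    def _request(self, server: RadiusServer, now: float) -> bool:
        # A secret mismatch makes the server silently drop the Access-Request;
        # the switch sees only timeouts and marks the server dead.
        if server.secret != self.policy_secret:
            server.dead_until = now + DEAD_TIME
            self.log.append(f"{now}: {server.name} marked dead until {server.dead_until}")
            return False
        return True

    def link_up(self, port: Port, now: float) -> str:
        """802.1X runs only on a port transition; returns the VLAN assigned."""
        for server in self.servers:
            if now < server.dead_until:
                self.log.append(f"{now}: skipping {server.name} (held down as dead)")
                continue
            if self._request(server, now):
                port.vlan = "data-vlan"
                return port.vlan
        port.vlan = "critical-vlan"  # every server dead or unreachable
        return port.vlan

    def link_down(self, port: Port) -> None:
        port.vlan = None


def replay_scenario() -> List[Tuple[float, str]]:
    """Replays the thread's test steps against the model; returns (time, vlan)."""
    ise = RadiusServer("ise-1", secret="correct-psk")   # constructed sample server
    switch = Authenticator(policy_secret="correct-psk", servers=[ise])
    port = Port()
    result = []
    switch.set_policy_secret("wrong-psk")               # step 2: break the PSK
    result.append((0, switch.link_up(port, 0)))         # step 3: lands on critical VLAN
    switch.set_policy_secret("correct-psk")             # step 4: fix the PSK
    switch.link_down(port)
    result.append((60, switch.link_up(port, 60)))       # still held down: critical again
    switch.link_down(port)
    result.append((DEAD_TIME + 1, switch.link_up(port, DEAD_TIME + 1)))  # retried: data VLAN
    return result


if __name__ == "__main__":
    for when, vlan in replay_scenario():
        print(f"t={when}s -> {vlan}")
```

The second bounce at 60 seconds reproduces what the original post observed: the secret is already correct, but the server is still inside its hold-down window, so every new session is placed on the critical VLAN and ISE never sees an Access-Request. Only a bounce after the timer has expired reaches the server, which is why waiting out the hold-down and then transitioning the port (or the policy flip the poster used) is what recovers the port.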
