MS250 14.32 access policy

SOLVED
bmarms
Getting noticed


Anyone have any issues with access policies on release 14? I upgraded an MS250 stack from 12.28.1 to 14.32 at the request of Meraki support. Since the upgrade, we've had a number of users' Ethernet NICs showing as "unauthenticated" and the switch port not passing any traffic. Switch, RADIUS server, and computer Wired-AutoConfig logs all show successful 802.1X authentication, yet the switch port does not pass traffic.

The only way I've been able to solve it is to remove my NIC and re-add it to my machine. Once I reboot, though, it returns to an unauthenticated state. I've had to remove the access policy from the switch ports altogether or move users over to WiFi.

 

I'm rolling back to 12.28.1 to see if the issue is resolved.

1 ACCEPTED SOLUTION
bmarms
Getting noticed

Meraki was able to identify that STP being disabled on ports was causing the 802.1X issue, as the switch was not able to maintain an accurate MAC table. I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues. Dev is reviewing the access policy not working on STP-disabled ports in 14.32, as it's not expected behavior.


23 REPLIES
JacekJ
Building a reputation

I have seen this issue recently, and directly after upgrading from the 12.28.1 to 14.32 version, but with a small twist.

We are using Yealink VoIP phones and at some places a PC is connected via the phone to the MS225 switch.

Now only in these setups the VoIP phone seems to lose connectivity with the SIP server on the Voice VLAN.

The PC connection seems to remain intact. I started looking into this issue.

Also - no issues found when a PC is connected directly to the switch, or the VoIP phone is connected "solo" to the port.

Did the rollback fix the issue for you?

bmarms
Getting noticed

The rollback fixed it. Meraki was able to identify that STP being disabled on ports was causing the 802.1X issue, as the switch was not able to maintain an accurate MAC table. I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues. Dev is reviewing the access policy not working on STP-disabled ports in 14.32, as it's not expected behavior.

cmr
Kind of a big deal

In the 15.4 release notes there is this note that I think relates to your issue:

 

Known issues

  • If the voice VLAN authenticates before the data VLAN, the voice VLAN will stop working after the data VLAN authenticates (present since MS 14.28)
JacekJ
Building a reputation

Exactly, I'm just in a call with support and I found that.

Now I don't understand why this note isn't present in ALL versions between 14.28 and 15.4 - this is madness... 😕

At least the engineer is very helpful and trying to find a workaround not requiring a rollback to 12.28.1.

JacekJ
Building a reputation

Yup, at this point there is no other option than a rollback to 12.28.1.

There are also no workarounds.

bmarms
Getting noticed

Meraki was able to identify that STP being disabled on ports was causing the 802.1X issue, as the switch was not able to maintain an accurate MAC table. I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues. Dev is reviewing the access policy not working on STP-disabled ports in 14.32, as it's not expected behavior.
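Added example, not code from the thread or from Meraki: a small Python audit over exported switch-port configurations that flags the two combinations discussed in this thread, an authenticating access policy on a port with RSTP disabled (the accepted fix above is to re-enable it) and an access policy on a port that also carries a voice VLAN (the 14.28+ known issue quoted earlier). The field names (`portId`, `accessPolicyType`, `rstpEnabled`, `voiceVlan`) are assumed to follow the Meraki Dashboard API switch-port object, and the sample port list is constructed.

```python
"""Audit switch-port configs for the two known-bad combinations from this thread.

Field names follow the Meraki Dashboard API switch-port object (assumption;
adjust if your export differs). SAMPLE_PORTS is constructed test data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Access policy types that actually gate traffic; "Open" performs no 802.1X/MAC auth.
AUTHENTICATING_POLICIES = {"Custom access policy", "MAC allow list", "Sticky MAC allow list"}


@dataclass(frozen=True)
class Finding:
    port_id: str
    issue: str


def audit_ports(ports: list[dict]) -> list[Finding]:
    """Return one Finding per (port, condition) that matches a known-bad combination."""
    findings: list[Finding] = []
    for p in ports:
        policy = p.get("accessPolicyType", "Open")
        if policy not in AUTHENTICATING_POLICIES:
            continue  # open ports are not affected by either issue
        if not p.get("rstpEnabled", True):
            # Accepted solution: 802.1X succeeded but the port passed no traffic when STP was off.
            findings.append(Finding(p["portId"], "access policy with RSTP disabled (fix: enable RSTP)"))
        if p.get("voiceVlan") is not None:
            # Release-note known issue: voice VLAN stops working after the data VLAN authenticates.
            findings.append(Finding(p["portId"], "access policy on a port with a voice VLAN (MS 14.28+ known issue)"))
    return findings


SAMPLE_PORTS = [  # constructed sample data
    {"portId": "1", "accessPolicyType": "Custom access policy", "rstpEnabled": False, "vlan": 10, "voiceVlan": None},
    {"portId": "2", "accessPolicyType": "Custom access policy", "rstpEnabled": True, "vlan": 10, "voiceVlan": 20},
    {"portId": "3", "accessPolicyType": "Open", "rstpEnabled": False, "vlan": 10, "voiceVlan": 20},
    {"portId": "4", "accessPolicyType": "Custom access policy", "rstpEnabled": True, "vlan": 10, "voiceVlan": None},
]

if __name__ == "__main__":
    for f in audit_ports(SAMPLE_PORTS):
        print(f"port {f.port_id}: {f.issue}")
```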

mcvosi
Getting noticed

I am running into a similar issue after upgrading to 14.32. I do have BPDU guard enabled on the ports, so shouldn't that address the issue?

 

bmarms
Getting noticed

Does your port config look like this?

 

(screenshot of port configuration)

 

mcvosi
Getting noticed

Yep

 

I don't think the STP is the issue. We have STP enabled on all MS225 ports, and after the 14.32 upgrade we started having issues with IP phones and laptops not authenticating. The "fix" for now is to roll back to 12.28.

bmarms
Getting noticed

Does your port config look like this?

 

(screenshot of port configuration)

 

mcvosi
Getting noticed

Is the only solution at this time to downgrade? I would be moving back to 12.28.

 

bmarms
Getting noticed

Yes, you would have to roll back.

So how do you perform a rollback?

bmarms
Getting noticed

Go to "Organization > Firmware upgrades" and you should see the upgrade event. There's an icon to roll back that looks like this:

(screenshot of the rollback icon)

Click that and you can then schedule your rollback, as long as it's been 14 days or less since your upgrade.

mcvosi
Getting noticed

I rolled back, but unfortunately I'm back on an 11.x release. I'm sure there are fixed security vulnerabilities in later versions, and I would at least like to upgrade to a 12.x release that has no issues with voice VLANs, but that doesn't appear to be an option. At least my voice VLANs are working now, though.

 

mcvosi
Getting noticed

With the help of support, I was able to rollback to 14.27, which does not have this issue.

 

I will stay on this version until there's a fix.

 

ZeeBoussaid
Getting noticed

We are experiencing the exact issue with the IP phone trying to authenticate on the Voice VLAN before the Data VLAN. The phones stop working after the laptop authenticates. I believe we have to roll back to 12.28 until Meraki fixes this issue.

Support can get you to 14.27 which does not have this issue. I also see it's resolved in a 15.x beta release per the release notes.

 

I don't think it is resolved. I'm looking at the latest MS 15.9 and it is still showing the Voice VLAN issue in the Known Issues:

(screenshot of the MS 15.9 Known Issues list)

 

OK, yeah I guess I missed that. Anyway, go to 14.27 and you should be good.

 

Support will have to assist with that.

 

JacekJ
Building a reputation

14.33 release candidate seems to have that one fixed:

 

(screenshot of the 14.33 release candidate notes)

 

CML_Todd
Getting noticed

Is there an issue if 802.1X isn't running on the voice VLAN? Is this voice VLAN issue strictly 802.1X related?
