MS250 14.32 access policy

bmarms

Anyone have any issues with access policies on release 14? I upgraded an MS250 stack from 12.28.1 to 14.32 at the request of Meraki support. Since the upgrade, we've had a number of users' Ethernet NICs showing as "unauthenticated" and the switch port not passing any traffic. The switch, RADIUS server, and computer Wired-AutoConfig logs all show successful 802.1X authentication, yet the switch port does not pass traffic.

The only way I've been able to solve it is to remove the NIC and re-add it to my machine. Once I reboot, though, it returns to an unauthenticated state. I've had to remove the access policy from the switch ports altogether or move users over to WiFi.


I'm rolling back to 12.28.1 to see if the issue is resolved.

Accepted solution
bmarms

Meraki was able to identify that STP being disabled on ports was causing the 802.1X issue, as the switch was not able to maintain an accurate MAC table. I enabled STP on all ports where it was disabled and upgraded switches to 14.32, and am having no issues. Dev is reviewing the access policy not working on STP-disabled ports in 14.32, as it's not expected behavior.

15 replies
JacekJ

I have seen this issue recently, and directly after upgrading from the 12.28.1 to 14.32 version, but with a small twist.

We are using Yealink VoIP phones and at some places a PC is connected via the phone to the MS225 switch.

Now, only in these setups, the VoIP phone seems to lose connectivity with the SIP server on the Voice VLAN.

The PC connection seems to remain intact. I started looking into this issue.

Also, no issues found when a PC is connected directly to the switch, or the VoIP phone is connected "solo" to the port.

Did the rollback fix the issue for you?

bmarms

The rollback fixed it. Meraki was able to identify that STP being disabled on ports was causing the 802.1X issue, as the switch was not able to maintain an accurate MAC table. I enabled STP on all ports where it was disabled and upgraded switches to 14.32, and am having no issues. Dev is reviewing the access policy not working on STP-disabled ports in 14.32, as it's not expected behavior.

cmr

In the 15.4 release notes there is this note that I think relates to your issue:


Known issues

  • If the voice VLAN authenticates before the data VLAN, the voice VLAN will stop working after the data VLAN authenticates (present since MS 14.28)
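The two failure modes raised in this thread (an access policy on a port with STP disabled, per bmarms' accepted solution above, and an access policy on a port that also carries a voice VLAN, per the 15.4 known-issue note) are both visible in the per-port configuration, so they can be audited before an upgrade rather than discovered afterwards. The script below is an added example, not code from the thread or from Meraki. It works on port records in the shape returned by the Dashboard API v1 `GET /devices/{serial}/switch/ports` call (fields `accessPolicyType`, `accessPolicyNumber`, `rstpEnabled`, `stpGuard`, `voiceVlan`); the `SAMPLE_PORTS` list is constructed for the example, and the assumption that `stpGuard` can be set independently of `rstpEnabled` mirrors the BPDU guard question later in the thread.

```python
"""Audit Meraki MS switch ports for access-policy pitfalls seen on MS 14.x.

Check 1: an 802.1X / MAC access policy on a port with RSTP disabled
         (the STP-disabled / MAC-table problem from the accepted solution).
Check 2: an access policy on a port that also carries a voice VLAN
         (the "voice VLAN authenticates before data VLAN" known issue).

Port dicts follow the Dashboard API v1 shape of
GET /devices/{serial}/switch/ports. SAMPLE_PORTS is constructed for this
example and is not data from a real switch.
"""
from __future__ import annotations

import json
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"

# Constructed sample. Port 1 has BPDU guard on but RSTP off: a separate
# knob, which is why BPDU guard alone does not avoid check 1 (assumption).
SAMPLE_PORTS = [
    {"portId": "1", "name": "desk-1", "enabled": True, "type": "access",
     "vlan": 10, "voiceVlan": None, "rstpEnabled": False,
     "stpGuard": "bpdu guard",
     "accessPolicyType": "Custom access policy", "accessPolicyNumber": 1},
    {"portId": "2", "name": "phone+pc", "enabled": True, "type": "access",
     "vlan": 10, "voiceVlan": 20, "rstpEnabled": True,
     "stpGuard": "bpdu guard",
     "accessPolicyType": "Custom access policy", "accessPolicyNumber": 1},
    {"portId": "3", "name": "printer", "enabled": True, "type": "access",
     "vlan": 10, "voiceVlan": None, "rstpEnabled": False,
     "stpGuard": "disabled",
     "accessPolicyType": "Open", "accessPolicyNumber": None},
    {"portId": "4", "name": "uplink", "enabled": True, "type": "trunk",
     "vlan": 1, "voiceVlan": None, "rstpEnabled": True,
     "stpGuard": "disabled",
     "accessPolicyType": "Open", "accessPolicyNumber": None},
    {"portId": "5", "name": "unused", "enabled": False, "type": "access",
     "vlan": 10, "voiceVlan": None, "rstpEnabled": False,
     "stpGuard": "disabled",
     "accessPolicyType": "Custom access policy", "accessPolicyNumber": 1},
]


def has_access_policy(port: dict) -> bool:
    """'Open' means no authentication is enforced; anything else is a policy."""
    return port.get("accessPolicyType", "Open") != "Open"


def rstp_disabled_with_policy(ports: list[dict]) -> list[dict]:
    """Check 1: enabled ports that authenticate clients but have RSTP off."""
    return [p for p in ports
            if p.get("enabled", True)
            and has_access_policy(p)
            and not p.get("rstpEnabled", True)]


def voice_vlan_with_policy(ports: list[dict]) -> list[dict]:
    """Check 2: enabled ports that authenticate clients and carry a voice VLAN."""
    return [p for p in ports
            if p.get("enabled", True)
            and has_access_policy(p)
            and p.get("voiceVlan")]


def remediation_payloads(ports: list[dict]) -> dict[str, dict]:
    """Bodies for PUT /devices/{serial}/switch/ports/{portId} that turn RSTP
    back on for every check-1 hit. Nothing is sent here; review first."""
    return {p["portId"]: {"rstpEnabled": True}
            for p in rstp_disabled_with_policy(ports)}


def fetch_ports(serial: str, api_key: str) -> list[dict]:
    """Live fetch of a switch's port list (not exercised offline)."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/devices/{serial}/switch/ports",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def report(ports: list[dict]) -> str:
    lines = ["access policy + RSTP disabled: "
             + ", ".join(p["portId"] for p in rstp_disabled_with_policy(ports)),
             "access policy + voice VLAN:    "
             + ", ".join(p["portId"] for p in voice_vlan_with_policy(ports))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PORTS))
    print(json.dumps(remediation_payloads(SAMPLE_PORTS), indent=2))
```

Run it against `fetch_ports(serial, api_key)` for each member of a stack before scheduling the 14.x upgrade; check-1 hits are the ones the accepted solution says to fix by re-enabling STP, while check-2 hits have no configuration workaround per the 15.4 note and are the ports to watch (or to leave on 12.28.1) until the fix lands.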
JacekJ

Exactly, I'm just in a call with support and I found that.

Now I don't understand why this note isn't present in ALL versions between 14.28 and 15.4. This is madness... 😕

At least the engineer is very helpful and trying to find a workaround not requiring a rollback to 12.28.1.

JacekJ

Yup, at this point there is no other option than a rollback to 12.28.1.

There are also no workarounds.


I am running into a similar issue after upgrading to 14.32. I do have BPDU guard enabled on the ports, so shouldn't that address the issue?


bmarms

Does your port config look like this?

[screenshot: port configuration]

Yep


bmarms

Does your port config look like this?

[screenshot: port configuration]

mcvosi

Is the only solution at this time to downgrade? I would be moving back to 12.28.

bmarms

Yes, you would have to roll back.

So how do you perform a rollback?

bmarms

Go to "Organization > Firmware upgrades" and you should see the upgrade event. There's an icon to roll back that looks like this:

[screenshot: rollback icon]

Click that and you can then schedule your rollback, as long as it's been 14 days or less since your upgrade.

mcvosi

I rolled back, but unfortunately I'm back on a 11.x release. I'm sure there are fixed security vulnerabilities in later versions, and would at least like to upgrade to a 12.x release that has no issues with voice VLANs, but that doesn't appear to be an option. At least my voice VLANs are working now though.
