cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Group policy not applying to end user devices after reboot

Getting noticed

Group policy not applying to end user devices after reboot

I have several group policies attached to various wireless clients in my network. There's a single SSID that has a VLAN tag of 20. The group policy is tagging certain devices with VLAN10. This works great, until the access point reboots (say a power outage, or software upgrade), then, when the AP is booting back up the group policy isn't applied and devices that should be in VLAN10 are getting IP addresses from VLAN20. This is a problem because eventually the group policy DOES get applied but the clients have already gotten IP addresses from the wrong VLAN and thus cannot communicate out.

 

I'm running an MR42, I've tried both the latest stable and the latest beta release and the results were the same. VLAN tags not applied to group policy clients immediately after reboot.

 

Am I missing something? Is there some "wait until everything is ready before turning on the radios" option that will make the group policy apply after rebooting an access point?

10 REPLIES 10
Kind of a big deal

Re: Group policy not applying to end user devices after reboot

What VLAN is your AP under? 

 

Capture.PNG

Getting noticed

Re: Group policy not applying to end user devices after reboot

Not sure why that matters? It's in VLAN 1, native VLAN, for management only.

Kind of a big deal

Re: Group policy not applying to end user devices after reboot

Reason I ask is because I believe there was some type of similar issue for me way back when. What happens when you leave the AP on blank instead of VLAN1 just for giggles. Let me know @Adam2104 

Highlighted
Getting noticed

Re: Group policy not applying to end user devices after reboot

I actually reconfigured it for blank this morning after I factory reset all the APs. They're were griping about a bad IP configuration, even though they were configured for static.

 

I find it odd that that switches require the VLAN to be configured when you set a static IP. The access points do not.

 

edit: I'll have to recreate my group policy configuration to try again with the blank VLAN. I'll do that and report back.

Getting noticed

Re: Group policy not applying to end user devices after reboot

So I tried again, I created a new group policy that assigns a different VLAN than the SSID's base VLAN tag (50 vs 10). Sadly, traffic from those clients still shows up in the SSID's VLAN tag immediately following a reboot of the access point, they are then later pushed into the group policy VLAN, but only after they've managed to get an IP address from the wrong subnet.
Getting noticed

Re: Group policy not applying to end user devices after reboot

I've done some more testing, this time not with VLAN assignment but with Layer3 firewall rules. The same behavior occurs. It takes over 70 seconds for the group policy to be applied to a client, during which time any L3 firewall rules that are specific to that client ARE NOT ACTIVE. Also, it seems that once the policy actually applies any connections/streams that were up during this period of no firewall enforcement will remain up until terminated (I tested with ping).

 

So, it seems to me, that if you're using group policies with WPA PSK to do any kind of policy enforcement you've got a major security hole every single time your access point reboots. There's a large window of time, over a minute, where the client is not filtered. I guess I will have to completely rework my approach to L3 firewall group policies to try to workaround this.

Meraki Employee

Re: Group policy not applying to end user devices after reboot

Can I suggest you raise a case with Support for this?

Getting noticed

Re: Group policy not applying to end user devices after reboot

I have, I'm waiting for a response. I figured I'd reach out to the community to see if anyone else has seen the same thing.

Kind of a big deal

Re: Group policy not applying to end user devices after reboot

Keep us posted @Adam2104 on what they find.

Getting noticed

Re: Group policy not applying to end user devices after reboot

I opened the case and it was confirmed that this looks to be broken. Now we're waiting on a fix to which there is no ETA.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.