Issues with Identity Pre-Shared Key (IPSK) without RADIUS on MR44 and MR46 APs
Running into an issue on our APs.
We have Identity Pre-Shared Key (IPSK) without RADIUS configured on our SSIDs, but most devices are having issues connecting.
The reason we are using IPSK is because we want to limit the number of SSIDs on the network.
We are in a high-density AP deployment environment, and all APs are on MR 28.5 firmware.
We are running mostly MR44 and MR46 APs.
The issue is that Windows machines seem to connect fine [authenticates and gets a DHCP address], but other devices (iPhones, iPads, Android) cannot connect to the network due to DHCP failure (each Identity-PSK is assigned a group policy in which the VLAN is set for wireless). DHCP is running on our MX, and APs are connected with our MS switches.
We have checked all the trunk port settings, which seem to be fine (all VLANs are allowed).
The other strange thing is that MacBooks are showing "bad_password" in the Dashboard logs, and are failing to authenticate.
Have tried other things like removing splash page settings, rebooting the devices, but nothing works.
Which SSID is having the problem? Looking at your org I see 4 SSIDs all using IPSK. In most cases the configured IPSK groups are bound to Group Policies that assign VLANs. However, I don't find most of those VLANs on the MX or MS as L3 interfaces or DHCP.
For example, your first SSID maps 3 IPSK groups to Catering, Staff, and Students GPs. Those GPs are configured to place clients on VLANs 211, 201, 101. But I don't see any of those VLANs on the MX or MSs?
@ww I have not tried to downgrade back to 27.x firmware. Is that something to try?
@Ryan_Miles We removed the VLANs from most of the SSIDs since I was troubleshooting. The one I wanted to focus on mainly was the Guest SSID, which has a Guest-PSK IPSK. That should be assigned VLAN 51 for the Guest-GPO, which is defined on the MX.
We originally had these VLANs on the MS switches, but we read that the GPs don't really work unless the VLANs are defined on the MX (MX being the gateway). Not sure if this is official or not, but thought to try it anyway.
@Ryan_Miles N2F-08-R1-MS355-48-A-1 port 42 for example.
As for the APs, I am not sure why they are having issues communicating with the cloud. There are no rules preventing this, and I can ping and resolve hostnames from the tool in the dashboard on the APs.