Issues with Identity Pre-Shared Key (IPSK) without RADIUS on MR44 and MR46 APs

TokyoKevin
Here to help

Issues with Identity Pre-Shared Key (IPSK) without RADIUS on MR44 and MR46 APs

Hi guys.

 

Running into an issue on our APs.

We have Identity Pre-Shared Key (IPSK) without RADIUS configured on our SSIDs, but most devices are having issues connecting.

The reason we are using IPSK is because we want to limit the number of SSIDs on the network.

 

We are in a high-density AP deployment environment, and all APs are on MR 28.5 firmware.

We are running mostly MR44 and MR46 APs.

 

The issue is that Windows machines seem to connect fine [authenticates and gets a DHCP address], but other devices (iPhones, iPads, Android) cannot connect to the network due to DHCP failure (each Identity-PSK is assigned a group policy in which the VLAN is set for wireless). DHCP is running on our MX, and APs are connected with our MS switches.

We have checked all the trunk port settings, which seem to be fine (all VLANs are allowed).

 

The other strange thing is that Macbooks are showing "bad_password" in the Dashboard logs, and are failing to authenticate.

Have tried other things like removing splash page settings, rebooting the devices, but nothing works.

 

Has anyone experienced anything like this?

 

 

 

MCSE, MCTIP, VCP6-DV, CCNP, CWNA, Cisco Meraki Solutions Specialist
7 Replies 7
ww
Kind of a big deal
Kind of a big deal

I have tested  ipsk on 27.x and that worked for me. I dont know about 28.x

 

Did you also try with 27.x firmware?

Ryan_Miles
Meraki Employee
Meraki Employee

Which SSID is having the problem? Looking at your org I see 4 SSID's all using IPSK. In most cases the configured IPSK groups are bound to Group Policies that assign VLANs. However, I don't find most of those VLANs on the MX or MS as L3 interfaces or DHCP.

 

Example, your first SSID maps 3 IPSK groups to Catering, Staff, and Students GP's. Those GP's are configured to place clients on VLANs 211, 201, 101. But I don't see any of those VLANs on the MX or MS's?

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
TokyoKevin
Here to help

@ww I have not tried to downgrade back to 27.x firmware. Is that something to try?

 

@Ryan_Miles We removed the VLANs from most of the SSIDs since I was troubleshooting. The one I wanted to focus on mainly was the Guest SSID which has an Guest-PSK ISPK. That should be assigned VLAN 51 for the Guest-GPO, which is defined on the MX.

We originally had these VLANs on the MS switches, but we read that the GPs don't really work unless the VLANs are defined on the MX (MX being the gateway). Not sure if this official or not, but thought to try it anyway.

MCSE, MCTIP, VCP6-DV, CCNP, CWNA, Cisco Meraki Solutions Specialist
Ryan_Miles
Meraki Employee
Meraki Employee

i think your switch ACL rule #1 is the problem

 

Screen Shot 2021-11-22 at 6.30.29 PM.png

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
TokyoKevin
Here to help

Will try to remove that and see what happens.

 

The other issue is that on all the switch ports where APs are connected, it's showing STP errors in the logs constantly.

 

  Port STP changePort 35 disabled→designated
Nov 23 11:51:22  Port status changeport: 35, old: down, new: 1Gfdx
MCSE, MCTIP, VCP6-DV, CCNP, CWNA, Cisco Meraki Solutions Specialist
Ryan_Miles
Meraki Employee
Meraki Employee

on which switch? i see plenty of those events in your log for various ports connecting to workstations, printers, etc. all normal behavior. i'm not seeing these happen on ports connected to ap's.

 

also most of your ap's say they're having trouble communicating with the cloud. make sure the proper IPs and ports are allowed from the AP's. upper right of dashboard help > firewall info.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
TokyoKevin
Here to help

@Ryan_Miles N2F-08-R1-MS355-48-A-1 port 42 for example.

As for the APs, I am not sure why they are having issue communicating with the cloud. There are no rules preventing this, and I can ping and resolve hostnames from the tool in the dashboard on the APs.

MCSE, MCTIP, VCP6-DV, CCNP, CWNA, Cisco Meraki Solutions Specialist
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels