Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Endpoint stuck on "Critical VLAN"

Solved
arom
Here to help
‎Feb 17 2024 3:02 AM
‎Feb 17 2024 3:02 AM

Endpoint stuck on "Critical VLAN"

Hi team,

 

We are currently testing out Cisco ISE with Meraki MS120-switches.

When testing out the "Critical VLAN" feature, we noticed that the endpoint/switchport somehow got stuck on the mode.

The test was created as per the following:

1. Disconnected the endpoint from the switchport.

2. Changed the PSK to a faulty PSK on the access policy on the switch (to simulate that the switch cannot communicate towards the ISE server).

3. Connected the endpoint, and the endpoint was successfully put on the Critical VLAN which is good.

4. We changed back the PSK to the correct one in the access policy, and here the switch/switchport never tried to reauthenticate again. We disconnected/connected the device several times to the switchport but every time the endpoint got registered to the Critical VLAN. In ISE, we couldn't see that the endpoint tried to authenticate.

 

To resolve the issue, we reconfigured the switchport from cisco ise policy to "open", and then back to cisco ise policy, and after that the endpoint did a successful authentication again.

 

Is this by design, or a bug? 

0 Kudos
Subscribe
1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal
‎Feb 17 2024 3:30 AM
‎Feb 17 2024 3:30 AM

I think bouncing the port should work. Are you working with support on this?

 

The document also talks about enabling radius monitoring that support can enable. 

 

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Other_RADIUS_F...

View solution in original post

Subscribe
3 Replies 3
ww
Kind of a big deal
Kind of a big deal
‎Feb 17 2024 3:30 AM
‎Feb 17 2024 3:30 AM

I think bouncing the port should work. Are you working with support on this?

 

The document also talks about enabling radius monitoring that support can enable. 

 

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Other_RADIUS_F...

Subscribe
In response to ww
arom
Here to help
‎Feb 17 2024 3:34 AM
‎Feb 17 2024 3:34 AM

Interesting finding, thank you for the information!

Strange that the setting is not enabled by default. I have reached out to the support now 🙂

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 18 2024 11:47 AM
‎Feb 18 2024 11:47 AM

>We changed back the PSK to the correct one in the access policy, and here the switch/switchport never tried to reauthenticate again

 

I'm guessing it declared all the RADIUS servers dead.  I think the hold down time might be 5 minutes before attempting a dead server again.

How long do you think you waited?

 

It will also definitely require a port transition again to try and re-attempt 802.1x.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.