Hi guys.
Running into an issue on our APs.
We have Identity Pre-Shared Key (IPSK) without RADIUS configured on our SSIDs, but most devices are having issues connecting.
The reason we are using IPSK is because we want to limit the number of SSIDs on the network.
We are in a high-density AP deployment environment, and all APs are on MR 28.5 firmware.
We are running mostly MR44 and MR46 APs.
The issue is that Windows machines seem to connect fine [authenticates and gets a DHCP address], but other devices (iPhones, iPads, Android) cannot connect to the network due to DHCP failure (each Identity-PSK is assigned a group policy in which the VLAN is set for wireless). DHCP is running on our MX, and APs are connected with our MS switches.
We have checked all the trunk port settings, which seem to be fine (all VLANs are allowed).
The other strange thing is that MacBooks are showing "bad_password" in the Dashboard logs, and are failing to authenticate.
Have tried other things like removing splash page settings, rebooting the devices, but nothing works.
Has anyone experienced anything like this?
I have tested IPSK on 27.x and that worked for me. I don't know about 28.x.
Did you also try with 27.x firmware?
Which SSID is having the problem? Looking at your org I see 4 SSIDs all using IPSK. In most cases the configured IPSK groups are bound to Group Policies that assign VLANs. However, I don't find most of those VLANs on the MX or MS as L3 interfaces or DHCP.
For example, your first SSID maps 3 IPSK groups to Catering, Staff, and Students GPs. Those GPs are configured to place clients on VLANs 211, 201, 101. But I don't see any of those VLANs on the MX or MSs?
@ww I have not tried to downgrade back to 27.x firmware. Is that something to try?
@Ryan_Miles We removed the VLANs from most of the SSIDs since I was troubleshooting. The one I wanted to focus on mainly was the Guest SSID, which has a Guest-PSK IPSK. That should be assigned VLAN 51 for the Guest-GPO, which is defined on the MX.
We originally had these VLANs on the MS switches, but we read that the GPs don't really work unless the VLANs are defined on the MX (MX being the gateway). Not sure if this is official or not, but thought to try it anyway.
I think your switch ACL rule #1 is the problem.
Will try to remove that and see what happens.
The other issue is that on all the switch ports where APs are connected, it's showing STP errors in the logs constantly.
Port STP change | Port 35 disabled→designated
Nov 23 11:51:22 | Port status change | port: 35, old: down, new: 1Gfdx
On which switch? I see plenty of those events in your log for various ports connecting to workstations, printers, etc. All normal behavior. I'm not seeing these happen on ports connected to APs.
Also, most of your APs say they're having trouble communicating with the cloud. Make sure the proper IPs and ports are allowed from the APs. Upper right of dashboard, Help > Firewall info.
@Ryan_Miles N2F-08-R1-MS355-48-A-1 port 42 for example.
As for the APs, I am not sure why they are having issues communicating with the cloud. There are no rules preventing this, and I can ping and resolve hostnames from the tool in the dashboard on the APs.