Controllerless Networks

Contributor I

IAP 314 on Meraki MS120 vlan assignment

We just changed switches from a Nortel 450 to a Meraki MS120.

 

I have an SSID with dynamic VLAN assignment as follows :

DaveSpencer_0-1584107685093.png

 

For some reason vlan 1800 isn't being assigned, and I'm getting the following error:

DaveSpencer_1-1584107721061.png

 

 

Devices that are being assigned to vlan 2370 are getting through.

 

I've verified the trunk port on the Meraki is correctly set up, and its uplink is set up with the appropriate VLANs being allowed on the trunks. This is occurring on all the access points we have connected to Meraki switches. Working perfectly fine on our Avaya/Extreme/Cisco switches. Anyone know if there is something specific about the Meraki switches that needs to be configured for dynamic VLAN assignment to work?

 


Accepted Solutions
Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

I ended up changing the PVID of the switch port to a different VLAN, and had the uplink VLAN on the IAPs defined as its mgmt. That ended up getting it to work.

The IAP was still joining the cluster when the PVID and the uplink VLAN matched, so I'm unsure why this happened. I know PVID on Avaya/Nortel switches is different than Meraki, so that might have something to do with it.



All Replies
Guru Elite

Re: IAP 314 on Meraki MS120 vlan assignment

Your rule will only work if you are returning an Aruba VSA for "Named VLAN".  Do you have that defined on your radius server?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

@cjoseph

Any device that receives the 'Mobile' named VLAN is able to connect and authenticate.

It is the devices that do not receive a named VLAN, and should be defaulted to 1800, that do not authenticate.

I'm using the same Service with the same enforcement policy I've been using. I do not suspect anything in the service to be the issue.

Here's the profile:

DaveSpencer_0-1584112333096.png

Enforcement:

 

DaveSpencer_0-1584112774438.png

 

 

 

This same profile works when I move the IAP back to any other make of switch in the same cluster. Just doesn't work for IAPs on Meraki switches. I still have it working on all our IAPs connected to Avaya/Cisco/Nortel/Baystack/Extreme switches.

 

Guru Elite

Re: IAP 314 on Meraki MS120 vlan assignment

We need to see what the access tracker is saying that it is sending to the Instant AP, to understand what is going on.  Showing the enforcement policies shows what should be sent.  Showing the access tracker under the output tab shows what IS being sent. 


Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

Here's the access tracker output:

 

 

DaveSpencer_1-1584120429395.png

Alert:

DaveSpencer_0-1584120415279.png

 

Guru Elite

Re: IAP 314 on Meraki MS120 vlan assignment

At the top, you can see that it is sending the deny access profile.  You need to find out why.

 

EDIT, the second message says that the client timed out.  That is typical for a client that needs to accept a new radius server certificate.  There are other reasons, but this one exists on the client.


Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

Here's the same client when he roams to another access point connected to a Cisco switch with the same device.

 

DaveSpencer_0-1584120757198.png

Same SSID and same cluster, but different results.

 

Guru Elite

Re: IAP 314 on Meraki MS120 vlan assignment

I don't know enough about your setup to determine what is wrong.  ClearPass is saying that it is not receiving a response from the client.  Hopefully you only have trunking enabled on that switchport and not 802.1x.


Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

What other reasons could exist for the 9002 error?
I've verified that the client has the appropriate RADIUS cert, not expiring until October.

802.1x isn't configured on these Meraki switches, no ACL set up either. Trunk for the IAP is set up the same as every other IAP; uplinks on the switches are trunks and tagged with the correct VLANs.

Contributor I

Re: IAP 314 on Meraki MS120 vlan assignment

Not sure if it would be related at all, but I am seeing some unusual Swap usage:

DaveSpencer_0-1584122753826.png

 
