03-06-2022 10:15 AM
For a while now we have been experiencing an issue where most of our iOS devices are unable to connect back to our 802.1x SSID once woken from sleep.
1) iPad will be connected the SSID and able to connect to the internet, Meraki Dashboard and Cisco ISE shows the connection is active.
2) The iPads will go to sleep and after a period of time Cisco ISE shows the RADIUS session as terminated and the Meraki Dashboard will show client as disconnected.
3) The iPad will be woken up and will show that it is connected to the SSID indicated by the Wi-Fi symbol and also within Wi-Fi setting. However, the device will be unable to connect to the internet or be pinged. After a short period of time the Wi-Fi settings will also show no internet connection status but will still indicates its connected to the SSID. The ISE and Meraki dashboard shows client as disconnected.
4) in order to reconnect the iPads, we either have to turn the Wi-Fi off and on or it will reconnect if the client leaves the coverage area of the AP it thinks is associated with and roams to another AP.
We initially thought this was a iOS & Meraki issue but having had a ticket in with Meraki for a few months now and multiple packet captures in the air and on the uplink the root cause has not need determined. This week we have built a Windows NTP server and the issue isn't there which is now pointing us to look at the ISE or the integration between the ISE and Meraki.
Hoping someone can point us in the direction of next troubleshooting steps and possible fix ?
Solved! Go to Solution.
04-04-2022 08:10 AM
After further troubleshooting, we have disabled the Bonjour forwarding feature on the Meraki SSID and the problem has gone. Still no indication of the exact root cause but its pointing at an interoperability issue between Apple / Meraki / 802.1x with ISE when using Bonjour forwarding.
We still have open tickets with Meraki and Apple and will see what they say but at least we have a workaround for now.
03-07-2022 07:12 PM
This seems an interoperability issue between Meraki and Apple iOS. Please engage Cisco Meraki support team to troubleshoot.
03-09-2022 01:16 AM
@hslai We initially thought it was a interoperability issue between Meraki and Apple iOS and still haven't fully rules this out, however since building a Windows Network Policy Server and replicating the rule sets including Meraki Group Policy selection the issue hasn't been replicated so we are now looking at it from a ISE perspective also.
03-09-2022 07:52 PM
Get some packet captures between Meraki AP and ISE and verify RADIUS auth requests and responses. If requests sent to ISE, we should expect the info showing up in some ISE reports.
03-07-2022 10:44 PM
Let us know what you hear back from Meraki about interoperability issues, do you have reauthentication timer attribute set from ise as part of authorization result, if not you can try setting it up to whatever time you think is convenient and see if the issue continues. I have set it to 8 hours in some cases and it helped with some of the issues.
03-09-2022 01:10 AM
@ammahend thank you for the suggestion to use the reauthentication timer attribute will give this a go and will also keep you updated as and when I here back from Meraki and or TAC.
04-04-2022 08:10 AM
After further troubleshooting, we have disabled the Bonjour forwarding feature on the Meraki SSID and the problem has gone. Still no indication of the exact root cause but its pointing at an interoperability issue between Apple / Meraki / 802.1x with ISE when using Bonjour forwarding.
We still have open tickets with Meraki and Apple and will see what they say but at least we have a workaround for now.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide