Group Policy via Sentry Tag not working

soomeGUy
Here to help

Group Policy via Sentry Tag not working

I have some wifi clients i need to block internet access to so they can only access a few URLS.  I created a group policy, set the blacklist to * and the whitelist to the urls they need.  I then used a sentry policy and apply this group policy to devices with specific tags.

 

I then tagged the devices and it shows 3 clients are affected by the group policy, the 3 i tagged.  when the client connects, it shows that the correct group policy is being applied.  (PS. I only have 1 group policy in my entire network, so its not like there are multiples with one taking precedence).  However it doesnt apply.

 

I have a MX64, MR42 and MS225-8.  

 

I changed my network config and instead of using NAT mode on the MR42, I changed it to layer 3 roaming, tagged the SSID to a VLAN, created a VLAN in the MX64 and applied the same group policy to the VLAN on the MX64.  Now the blocking works perfectly.

 

Is this normal?  Am I doing something wrong?  It clearly says the policy is being applied to the client in the networkwide->client view but it doesnt block anything.

 

I guess there is no reason I cant leave it this way, however it should work the other way too with tags according to the documentation. 

3 REPLIES 3
PhilipDAth
Kind of a big deal

Re: Group Policy via Sentry Tag not working

I haven't used the original method you said (Sentry based tags) but I think it should work.  Note that the policy is usually applied when the client connects - not to a current connection.  So perhaps you need to wait a bit longer?

MRCUR
Kind of a big deal

Re: Group Policy via Sentry Tag not working

This is a known issue with Sentry policies. I've had a case open on this since June 2016 with no resolution to date. 

MRCUR | CMNO #12
soomeGUy
Here to help

Re: Group Policy via Sentry Tag not working


@MRCUR wrote:

This is a known issue with Sentry policies. I've had a case open on this since June 2016 with no resolution to date. 


Thanks, at least now i know i wasnt doing it wrong.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.