I have some wifi clients i need to block internet access to so they can only access a few URLS. I created a group policy, set the blacklist to * and the whitelist to the urls they need. I then used a sentry policy and apply this group policy to devices with specific tags.
I then tagged the devices and it shows 3 clients are affected by the group policy, the 3 i tagged. when the client connects, it shows that the correct group policy is being applied. (PS. I only have 1 group policy in my entire network, so its not like there are multiples with one taking precedence). However it doesnt apply.
I have a MX64, MR42 and MS225-8.
I changed my network config and instead of using NAT mode on the MR42, I changed it to layer 3 roaming, tagged the SSID to a VLAN, created a VLAN in the MX64 and applied the same group policy to the VLAN on the MX64. Now the blocking works perfectly.
Is this normal? Am I doing something wrong? It clearly says the policy is being applied to the client in the networkwide->client view but it doesnt block anything.
I guess there is no reason I cant leave it this way, however it should work the other way too with tags according to the documentation.
I haven't used the original method you said (Sentry based tags) but I think it should work. Note that the policy is usually applied when the client connects - not to a current connection. So perhaps you need to wait a bit longer?