
Group Policy via Sentry Tag not working


I have some Wi-Fi clients I need to block internet access to so they can only access a few URLs. I created a group policy, set the blacklist to * and the whitelist to the URLs they need. I then used a Sentry policy and applied this group policy to devices with specific tags.

 

I then tagged the devices and it shows 3 clients are affected by the group policy, the 3 I tagged. When the client connects, it shows that the correct group policy is being applied. (PS. I only have 1 group policy in my entire network, so it's not like there are multiples with one taking precedence.) However, it doesn't apply.

 

I have an MX64, MR42 and MS225-8.

 

I changed my network config and instead of using NAT mode on the MR42, I changed it to layer 3 roaming, tagged the SSID to a VLAN, created a VLAN in the MX64 and applied the same group policy to the VLAN on the MX64.  Now the blocking works perfectly.

 

Is this normal? Am I doing something wrong? It clearly says the policy is being applied to the client in the networkwide->client view but it doesn't block anything.

 

I guess there is no reason I can't leave it this way; however, it should work the other way too with tags according to the documentation.


Re: Group Policy via Sentry Tag not working

I haven't used the original method you said (Sentry based tags) but I think it should work.  Note that the policy is usually applied when the client connects - not to a current connection.  So perhaps you need to wait a bit longer?


Re: Group Policy via Sentry Tag not working

This is a known issue with Sentry policies. I've had a case open on this since June 2016 with no resolution to date. 

MRCUR | CMNO #12

Re: Group Policy via Sentry Tag not working


@MRCUR wrote:

This is a known issue with Sentry policies. I've had a case open on this since June 2016 with no resolution to date. 


Thanks, at least now I know I wasn't doing it wrong.
