Ahh... so it isn't what device is handling DHCP that determines policy application, but what the client is using as its gateway that determines policy application. That means...
- If my Windows AD domain uses the MX IP as its default gateway, then group policy should get applied as expected to all domain workstations.
- If I set up an SSID that uses "NAT Mode: Use Meraki DHCP" for IP assignment, then the MX will act as the gateway for those devices and group policy will be applied as expected to all connected devices.
- If I set up an SSID that uses "Bridge Mode: Make clients part of the LAN" for IP assignment but have my MS320 supply IP addresses, then the 'interface IP' for the relevant VLAN on the MS acts as the gateway for those devices. But group policy should still be applied, because the traffic arrives at the MX from the SVI IP of the MS320, and the MX will apply group policy to all traffic from that IP.
Scenario 1 is exactly the behavior I have witnessed on my network with my domain-joined devices.
Scenario 2 seems to be working as well, but here is where I still have a question... Users connect through an AD splash page and I have different group policies that get applied in this scenario depending on the AD group membership of the user. Those work as expected. However, if I subsequently manually assign a device a different group policy, then BOTH the new custom group policy and the AD group policy seem to be applied simultaneously. Is this expected behavior, or should the manually applied policy be completely overriding the policy assigned during sign-in?
Scenario 3 does not seem to be working in the manner described above. When I set up an SSID in this manner, neither the automatically assigned AD group policy nor a manually applied custom policy seems to work as expected. Bandwidth restrictions are still applied, but only port-based Layer-3 firewall rules work. URL/IP-based Layer-3 rules do not work, nor do any Layer-7 firewall rules. Any customization made to the network defaults on the security appliance is also not applied.
I originally had my wireless network set up as described in Scenario 3 so I could VLAN-tag and partition different user groups, but I struggled with getting group policy to work properly, so I switched to Scenario 2. I got working group policies as a result, but lost the ability to separate different user groups into different VLANs.
Does my problem stem from the fact that my VLANs are set up as interfaces on the MS320 switch? If I configured my VLANs as subnets on my MX100 instead, would that allow me to still partition users into different VLANs but have working group policies applied to them?
And one last (sort of related) question. I work at a 750 student K-12 school and we have an MX100 (advanced security), an MS320, multiple MS2xx and many MR34/42. Is my network over-designed? Do I actually need the Layer-3 switch? How can I leverage the added functionality of the Layer-3 switch if I have to use the MX for all of my routing in order to properly apply group policies?
Sorry for an even longer reply 🙂