User firewall policy is changing automatically

SOLVED
Raigan21
Here to help

Sometimes the appliance changes the firewall policy of some users to custom. I want to know why, and where I can see the log of these actions.

1 ACCEPTED SOLUTION

HA!

So that is exactly what I was referencing in my first response lol

[screenshot: 634234.JPG]

So basically, that group policy you have in the access control settings for that SSID is going to have false positives, as you've clearly seen.

I have to deal with this myself, where it thinks that a MacBook Pro is an iPhone and it blocks it. I probably get a client a day for this type of thing.

Two solutions:

1. Remove that feature.

2. Use EAP-TLS with certificate/machine-based authentication, and then remove that feature.

Nolan Herring | nolanwifi.com

13 REPLIES
NolanHerring
Kind of a big deal

Sounds like someone else might be making the changes. Or you might have a group policy that changes it based on OS type, for example.

Check the change logs under Org settings to see if it's another admin doing it.
Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

This can happen if you have applied a policy against two different connection types (such as MR and MX). You then end up with "custom" showing, or it changing depending on how the user is connected.


When you are viewing the user, there is a little "something" (can't quite remember what it is) to expand by the "custom" showing how the policy is applying by connection type.

Could be. I just found some duplicate rules in the traffic shaping for the MX and the MRs, so I disabled the MR rules to see if this solves the issue. Thanks.

Sorry guys, but no luck. Today I have 3 other users with the same issue, and there is no record in the change log, so it is not another admin doing this.

When the device changes from NORMAL to CUSTOM, what exactly changes?

When you choose the drop-down menu to change it back to Normal, what specifically is different on the policy? Does it move them to Blocked or something? For a specific SSID?

Screenshot if you got it 😃
Nolan Herring | nolanwifi.com

So when it changes to custom in the title, the restrictions are similar to blocked: all access to the internet and the internal network is blocked. The strangest thing is that I don't have a custom policy like that.

[screenshot: tempsnip.png]

So when it changes to custom, drop down the menu to see what exactly it changes to.

 

I'm assuming the option in red below is selected and it chooses something?

 

[screenshot: 55555.jpg]

Nolan Herring | nolanwifi.com

Show me those results and that will help determine the root cause.

Also, if you don't mind, show us a screenshot of the access control settings for that specific SSID as well please 😃
Nolan Herring | nolanwifi.com

[screenshot: tempsnip2.png]

Ok, so now that we know which SSID, show a screenshot of how you have the access control page configured for the "LXRandoCo HQ - wireless WiFi" SSID.

Also that SSID name is super redundant lol 😃
Nolan Herring | nolanwifi.com

Well, I know that it is redundant, but it is how the users want it :s

[screenshot: tempsnip3.png]

[screenshot: tempsnip4.png]


What a pain in the ass. Thanks anyway, I will try with EAP-TLS.
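As an added illustration of the root cause in the accepted answer (an SSID access-control rule that assigns a policy by fingerprinted device type, which misfires when a MacBook Pro is fingerprinted as an iPhone), here is a small Python triage script. It is not code from this thread or from Cisco Meraki: the record fields, the `device_type_rules` mapping and the sample client rows are constructed assumptions standing in for whatever a client-list export or API pull would actually provide. It sorts clients that are not on the Normal policy into three buckets: the device-type rule matched a stable fingerprint (expected), the fingerprint changed between samples and the new one triggers a rule (the false positive the thread describes), or no rule explains the policy at all (so the org change log is the right place to look).

```python
"""Triage which wireless clients were pushed to a "Custom" policy by a
device-type (OS fingerprint) rule, and which of those look like
fingerprint false positives.

Added example, not from the thread or from Cisco Meraki. The record
fields below (seen_at, mac, description, os, ssid, policy) and the
device_type_rules mapping are assumed names for the kind of data a
client-list export gives; they are not a real dashboard schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientObservation:
    seen_at: str       # ISO 8601 timestamp of the sample (constructed)
    mac: str
    description: str   # client name as shown in the client list
    os: str            # OS as fingerprinted by the access point at that time
    ssid: str
    policy: str        # "Normal", "Blocked", or "Custom"


# Constructed sample: two client-list pulls, 90 minutes apart, on one SSID.
SSID = "LXRandoCo HQ - wireless WiFi"
SAMPLE = [
    ClientObservation("2023-05-02T08:00:00", "aa:bb:cc:00:00:01", "Laptop-RA", "Mac OS X", SSID, "Normal"),
    ClientObservation("2023-05-02T08:00:00", "aa:bb:cc:00:00:02", "Phone-JD", "iOS", SSID, "Custom"),
    ClientObservation("2023-05-02T08:00:00", "aa:bb:cc:00:00:03", "Laptop-ML", "Windows 10", SSID, "Normal"),
    ClientObservation("2023-05-02T08:00:00", "aa:bb:cc:00:00:04", "Tablet-ST", "Android", SSID, "Normal"),
    ClientObservation("2023-05-02T09:30:00", "aa:bb:cc:00:00:01", "Laptop-RA", "iOS", SSID, "Custom"),
    ClientObservation("2023-05-02T09:30:00", "aa:bb:cc:00:00:02", "Phone-JD", "iOS", SSID, "Custom"),
    ClientObservation("2023-05-02T09:30:00", "aa:bb:cc:00:00:03", "Laptop-ML", "Windows 10", SSID, "Normal"),
    ClientObservation("2023-05-02T09:30:00", "aa:bb:cc:00:00:04", "Tablet-ST", "Android", SSID, "Custom"),
]

# Assumed SSID access-control rule: fingerprinted device type -> group policy.
# In this constructed setup only iOS devices get a restricted policy.
DEVICE_TYPE_RULES = {"iOS": "Guest-Internet-Only"}


def latest_by_mac(observations):
    """Most recent observation per client MAC (ISO timestamps sort as text)."""
    latest = {}
    for obs in sorted(observations, key=lambda o: o.seen_at):
        latest[obs.mac] = obs
    return latest


def os_history(observations):
    """Every OS fingerprint each MAC has been seen with, in order of first sight."""
    history = defaultdict(list)
    for obs in sorted(observations, key=lambda o: o.seen_at):
        if obs.os not in history[obs.mac]:
            history[obs.mac].append(obs.os)
    return history


def triage(observations, device_type_rules):
    """Classify every client whose latest policy is not Normal.

    Returns {mac: (category, detail)} with one of three categories:
      expected_rule_match        - stable fingerprint, a rule explains the policy
      fingerprint_false_positive - fingerprint changed and the new one triggers a rule
      manual_override_suspected  - no device-type rule explains the policy; check the change log
    """
    history = os_history(observations)
    findings = {}
    for mac, obs in latest_by_mac(observations).items():
        if obs.policy == "Normal":
            continue
        rule = device_type_rules.get(obs.os)
        seen_as = history[mac]
        if rule is None:
            findings[mac] = ("manual_override_suspected",
                             f"{obs.description}: {obs.policy} policy but no rule for {obs.os}")
        elif len(seen_as) > 1:
            findings[mac] = ("fingerprint_false_positive",
                             f"{obs.description}: seen as {' -> '.join(seen_as)}, rule applies {rule}")
        else:
            findings[mac] = ("expected_rule_match",
                             f"{obs.description}: {obs.os} -> {rule}")
    return findings


if __name__ == "__main__":
    for mac, (category, detail) in sorted(triage(SAMPLE, DEVICE_TYPE_RULES).items()):
        print(f"{mac}  {category:28} {detail}")
```

Run over a real export, the `fingerprint_false_positive` bucket is the list to review before deciding whether to remove the device-type rule, and the `manual_override_suspected` bucket is where the org change log mentioned in the earlier replies becomes the right place to look.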
