I was thinking about using GP, and ACL, but I think my "problem" would explode in number of ACL's and GPs.

Hi @thomasthomsen , have I read your request correctly, is this what you are after?  Radius and change of authorisation?

https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_S...

We are using CoA for other things in this setup, but it cannot solve my "layer2" port isolation problem.

Yeah we could push a GP, but on a layer 2 switch would that be "honoured" at the switch ? or would that only be applied on the MX's layer 3 interface ? - We like port isolation because it blocks all the way down between clients on the same vlan.

We could of course have gone SGT's (Adaptive policy or whatever its called in a Meraki setup), but time and money.

And SGT's do not yet extend all the way across MX's and AutoVPN, so just for this small scenario it was kinda overkill, the day it does (extend across MX's and autovpn), it will be a super solution 🙂 .

- So our quick and dirty solution for now was port isolation, but then we "kinda" ran into this problem with some ports (devices) that might not "need" it.

We use dot1x for everything, so it would have been nice if we could have toggeled that port isolation switch using a radius response.

Thanks for all the suggestions and comments.

@thomasthomsen when you use the Group Policy ACL its enforced on the switch, it uses the capability of the MS devices ACL mechanism and dynamically applies the policy in the Group Policy to that port - its just like any other ACL that you apply on the switch. Remember its only the Layer 3 policy in the Group Policy that is applied (and that's because the MS only does ACLs).

EDIT: Should mention, check the models its supported on too - its not supported on all models. Newer models, MS210 and up only (except MS390). So no support on MS220 or MS120 switches.

Thanks for the info @Bruce .  That is a good feature additional to MS14.