Challenge assigning group policy

AlexisM

I want to apply a group policy to restrict video and gaming to certain devices.

I created the policy via "Network Wide => Configure => Group Policies."

I created a custom "SSID and Firewall shaping rules" with a Layer 7 policy to deny Gaming & video, which I then applied to the specific SSID (via Wireless => Configure => Access Control) by enabling/applying group policy by device type. I then assigned the policy I created to iOS and Android devices, and after applying the policy, I can see that the policy applies to (in my case) 4 devices which match those criteria.

However, I am (while connecting to the right SSID) still able to run the application on the device (YouTube in this case, on an iPhone X running iOS 11.2.6). So essentially the L7 policy was not applied in the end... Any advice or pointers to make it work? Using an MR18 AP. Thanks.

 

PhilipDAth

Layer 7 rules only apply to new flows.  Have you tried disconnecting and reconnecting to the SSID in question?  Sometimes it takes 5 minutes for new group policies to kick in.

Thanks for the reply. I have tried disconnecting & re-connecting but that did not help. I also tried waiting for a while.

As the standard L3 rule is permit any to any (cannot remove it) I added another L3 rule to deny a random IP destination address, since I thought the L3/L7 precedence and decision making structure kicked in. The outcome remains the same and it did not block the traffic somehow.

PhilipDAth

Let's simplify this for a test. If you disable dynamic group policy, and just apply the group policy manually, does it work?

I now assigned a static policy (blocked for all iPhone devices), going through Wireless => Configure => Access Control.

I turned Wi-Fi on/off on my iPhone, I renewed the IP address lease on the device, closed all applications/sessions, but still the iPhone has access to web applications on that SSID... So the policy (block all iPhone) does not seem to have been applied.
I must say that with renewing the IP lease, the same IP address is assigned, but I guess that is not a reason why the policy should not apply.
