Group Policies with Identity Without PSK

Here to help

Group Policies with Identity Without PSK

So, trying to figure this out. I have 6 Different  Identity PSK without Radius Group Policies and If I say set the "iot" PSK Group Policy to be disabled on Fridays, but the Parent SSID "Production" is set to be working from 8 AM to 10 PM. 


It doesn't appear the sub group policies schedule have any effect on the parent SSID Access Control settings.






The above has no affect and the iot PSK still works.








Nope,  you are not scheduling when the SSID will work or not. GP schedule is not for this function.

View solution in original post

Here to help

Does the Group Policy overwrite the SSID Policy?

Kind of a big deal

In fact, I don't understand your configuration, where is the configuration of the Parent SSID "Production"? Apparently, your configuration is correct.


Production SSID, it seems to override my Group Policy Settings


I don't think it will work the way you're hoping. You're stating that you're going to disable the group policy on Fridays for 24 hours, but what do you really intend to disable? The SSID? Or a policy defined in the group policy? Could you explain it a little better, please?

If I have 6 different PSK and one of them I want to modify the Group Policy associated with the PSK, why won't that work?

The schedule will work for these options:




What exactly are you trying to disable?

Here to help

What is the order of priority for Group Policies? Is the SSID Policy overriding the Group Policy Identity Without PSK?

When scheduling is enabled, clock icons next to policies indicate that the respective policy will only be enforced according to the schedule configured below. Outside of the scheduled hours of enforcement, the network default policy will be used.

Here to help

Actually, I have some IOT devices, along with some other devices on an Identity without Radius SSID that I want to run 24/7. The other 5 PSK on that SSID scheduled to run 8 AM to 5 PM. So basically I want a policy for the IOT that is different than the rest of the SSID.

Ok, but I don't understand what policies you are testing, Layer 3, Layer 7, bandwidth? 


As I understand it, you must create a different group policy for each iPSK, according to what you want to apply for each one.

Just want a different  availably schedule on specific Group Policy than the SSID Policy above.

As @RaphaelL said In your example, you removed Friday from the schedule. The PSK will still be active, but without the GP.

Kind of a big deal

How are you testing this ? 


In theory it should work.


Setting a schedule will enforce or not settings during that period. 


In your example , you removed Friday from the schedule. The PSK will still be active , but without the GP.


The example from the documentation is pretty clear.

Edit : Look at 'Scheduling Examples'

So I have the IOT Group Policy disabled on Friday, the SSID Policy above it is still available and on during work day. However, when I type in the IOT PSK on a device, I get on no problem. Shouldn't it simply not work?

Nope,  you are not scheduling when the SSID will work or not. GP schedule is not for this function.

However, you can create a policy like this, as mentioned by @RaphaelL 




That will work. You have to schedule a L3 firewall rule to block trafic. This will prevent IOT from using the SSID on friday. Look at the examples provided.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.