Group Policies with Identity Without PSK

Solved
MrRoboto2338
Here to help

Group Policies with Identity Without PSK

So, trying to figure this out. I have 6 Different  Identity PSK without Radius Group Policies and If I say set the "iot" PSK Group Policy to be disabled on Fridays, but the Parent SSID "Production" is set to be working from 8 AM to 10 PM. 

 

It doesn't appear the sub group policies schedule have any effect on the parent SSID Access Control settings.

 

MrRoboto2338_0-1674839239924.png

 

MrRoboto2338_1-1674839783282.png

 

The above has no affect and the iot PSK still works.

 

 

 

 

 

 

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

Nope,  you are not scheduling when the SSID will work or not. GP schedule is not for this function.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

17 Replies 17
MrRoboto2338
Here to help

Does the Group Policy overwrite the SSID Policy?

alemabrahao
Kind of a big deal
Kind of a big deal

In fact, I don't understand your configuration, where is the configuration of the Parent SSID "Production"? Apparently, your configuration is correct.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrRoboto2338
Here to help

MrRoboto2338_0-1674840780902.png

Production SSID, it seems to override my Group Policy Settings

 

alemabrahao
Kind of a big deal
Kind of a big deal

I don't think it will work the way you're hoping. You're stating that you're going to disable the group policy on Fridays for 24 hours, but what do you really intend to disable? The SSID? Or a policy defined in the group policy? Could you explain it a little better, please?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrRoboto2338
Here to help

If I have 6 different PSK and one of them I want to modify the Group Policy associated with the PSK, why won't that work?

alemabrahao
Kind of a big deal
Kind of a big deal

The schedule will work for these options:

 

alemabrahao_0-1674841740126.png

 

What exactly are you trying to disable?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrRoboto2338
Here to help

What is the order of priority for Group Policies? Is the SSID Policy overriding the Group Policy Identity Without PSK?

alemabrahao
Kind of a big deal
Kind of a big deal

When scheduling is enabled, clock icons next to policies indicate that the respective policy will only be enforced according to the schedule configured below. Outside of the scheduled hours of enforcement, the network default policy will be used.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrRoboto2338
Here to help

Actually, I have some IOT devices, along with some other devices on an Identity without Radius SSID that I want to run 24/7. The other 5 PSK on that SSID scheduled to run 8 AM to 5 PM. So basically I want a policy for the IOT that is different than the rest of the SSID.

alemabrahao
Kind of a big deal
Kind of a big deal

Ok, but I don't understand what policies you are testing, Layer 3, Layer 7, bandwidth? 

 

As I understand it, you must create a different group policy for each iPSK, according to what you want to apply for each one.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrRoboto2338
Here to help

Just want a different  availably schedule on specific Group Policy than the SSID Policy above.

alemabrahao
Kind of a big deal
Kind of a big deal

As @RaphaelL said In your example, you removed Friday from the schedule. The PSK will still be active, but without the GP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

How are you testing this ? 

 

In theory it should work.  https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

Setting a schedule will enforce or not settings during that period. 

 

In your example , you removed Friday from the schedule. The PSK will still be active , but without the GP.

 

The example from the documentation is pretty clear.

Edit : Look at 'Scheduling Examples'

MrRoboto2338
Here to help

So I have the IOT Group Policy disabled on Friday, the SSID Policy above it is still available and on during work day. However, when I type in the IOT PSK on a device, I get on no problem. Shouldn't it simply not work?

alemabrahao
Kind of a big deal
Kind of a big deal

Nope,  you are not scheduling when the SSID will work or not. GP schedule is not for this function.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

However, you can create a policy like this, as mentioned by @RaphaelL 

 

alemabrahao_0-1674844141767.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal
Kind of a big deal

That will work. You have to schedule a L3 firewall rule to block trafic. This will prevent IOT from using the SSID on friday. Look at the examples provided.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels