Meraki

Community

Hierarchy for Applying Policies by Device Type

Solved
FlyingFrames
Building a reputation
‎Oct 11 2021 12:00 PM
‎Oct 11 2021 12:00 PM

Hierarchy for Applying Policies by Device Type

If mac auth is being used and the RADIUS server returns, "group policy X" for "client A".

 

But the SSID has "group policy by device type" set to "group policy Y" for "client A".

 

Which group policy finally takes precedence for client A? Is it X or Y?

 

Is there a CoA involved in this?

 

Ref: https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Applying_Policies_by_Device_Type

0 Kudos
1 Accepted Solution
GiacomoS
Meraki Employee
Meraki Employee
‎Oct 15 2021 1:10 AM
‎Oct 15 2021 1:10 AM

Hey @FlyingFrames !

 

Great question this one!

 

A policy by device type will override a RADIUS policy. 


The policy by device type reads the HTTP GET packet that is sent by a client, to then apply the policy. This cannot happen until RADIUS authentication has completed, so the client would likely receive a RADIUS policy first, and once we read the HTTP GET, we'll then be able to apply the by device type policy. 

 

There is no CoA, as the prioritisation of the policies is handled within the AP. 

 

Hope this helps!

 

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

View solution in original post

1 Reply 1
GiacomoS
Meraki Employee
Meraki Employee
‎Oct 15 2021 1:10 AM
‎Oct 15 2021 1:10 AM

Hey @FlyingFrames !

 

Great question this one!

 

A policy by device type will override a RADIUS policy. 


The policy by device type reads the HTTP GET packet that is sent by a client, to then apply the policy. This cannot happen until RADIUS authentication has completed, so the client would likely receive a RADIUS policy first, and once we read the HTTP GET, we'll then be able to apply the by device type policy. 

 

There is no CoA, as the prioritisation of the policies is handled within the AP. 

 

Hope this helps!

 

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.