While this may be old, Nash also provided a golden nugget when everything else wasn't working because we were so focused on the error code that we forgot to check the basic settings.  There are times when settings don't pass correctly or some profile was made incorrectly.   CHECK THE DARN DIAL-IN FIELD IN ACTIVE DIRECTORY!     Not sure how or why it defaulted to Deny Access for us but it's such a small flag to notice.  Much frustration and sobbing.  But easy to miss.  The dangers of relying too much on third-party services.   Thank you, Nash, for reminding me that the Dial-In tab exists!!   ... View more

I've dealt with this using a workaround for locations without an upstream firewall. Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps. Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server such as 8.8.8.8. Root Cause: When client devices connect to the MR they are placed in a captive portal policy and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic. Documentation error: In my testing, MR Traffic shaping rules are indeed applied before splash page authentication. "When splash page authentication is configured, captive portal strength settings take precedence over configured traffic shaping and firewall rules. This means traffic shaping and firewall rules will only apply after Splash page authentication has occurred successfully." Documentation Link: https://documentation.meraki.com/MR/MR_Splash_Page/Configuring_Splash_Page_Authentication_with_an_LDAP_Server ... View more

Hi Franck.   Thanks for your time and confirmation.   Have a great day.    Matt ... View more

Does this config allow the MX to inspect the RA-VPN internet-bound traffic? Seems like encryption would terminate on the ASA, but is the MX the gateway for RA-VPN internet bound traffic? Or alternatively do you 1:1 NAT the ASA on the MX? I ask because the ASA uses firepower to inspect RA-VPN tunnel-all. If one were to rip and replace with Meraki MX advanced sec, the ASA no longer does deep packet inspection on RA-VPN traffic (I want to make sure the MX can inspect the RA-VPN tunnell-all traffic, without keeping Firepower active). ... View more

You can have ikev2 activated on your MX and use Azure routebased vpn. I am using same setup but running into a strange issue that both the vpn tunnels at azure are now connected and vpn traffic is not passing. ... View more

Thank you for your information. ... View more

Has anyone successfully put in a different wifi card than what comes in it (Intel 7265)?   From what I understand, chromebooks only have drivers for the original hardware.  Although, sometimes drivers work for multiple cards from a company so wasn't sure if that meant we were stuck with the 7265 or would be able to put in a better one. ... View more

@Yuya After going through this feature (you linked) with an Apple technician I can confirm, that this integration makes only sense if you have BYOD enrollment scenarios for User Enrollment. This will give your organization the ability to prevent your employees to use their company mail as a private Apple ID for purchasing Apps etc. ... View more

@SC  in your dashboard if you go to the Help menu and select "Get Help" at the bottom of that page will be your Meraki account manager who will be able to direct you to a local reseller.  ... View more

We contacted MAXMIND...Have to use the chat feature and they will be updating their records accordingly from the last I text them.....   My chat session with MAXMIND:   Paul: Okay, it looks like Google was using some of the IP addresses near those for Mexican traffic, which is probably why the range including those DNS addresses was moved there. We should have the DNS addresses back in the US in next week's update. Bobby: To confirm the update should happen this weekend? Paul: Our databases update weekly on Tuesdays. Bobby: Ok...to confirm the updates you are performing? Paul: The DNS addresses should be moved back to the US. Not sure if they'll be listing them in Mountain View, CA specifically or just "US" on a country level only. ... View more

There appear to be a couple threads on this so I'm cross posting.  Here is a post I made recently about the latest beta firmware update that seems to restore this feature.   https://community.meraki.com/t5/Security-SD-WAN/MX68-and-802-1x/m-p/73423/highlight/true#M18391     ... View more

@USMC92  If your using Systems manager you can setup a policy that will report this information.   Are the client devices privately owned or are you dealing with a network thats open to the public? ... View more

@hockeydude you are correct that one flow will only use one link but if you have more than one flow going on then both links should be active.  This should be the case in most circumstances. ... View more

I put the MX back in Passthrough mode and made it a hub. After I did this, I reset the OSPF connections and rebooted both the MX and the Palo. Once they were back online they established full adjacency and the MX began advertising routes with the Palo. I did not add any statics for the network behind the Palo as the spoke sites have no need to access those networks.    Thanks to everyone for the assistance on this.    Cole ... View more

Here is the rest of his config on the pfSense:   ... View more

Hi Philip,   I did take a look at the event logs and there was nothing relevant unfortunately. It appears to be sending the SIP packets over UDP.   Thanks for the suggestions-I'll look into them and get onto the support team as well.   Much appreciated. ... View more

Trusted access is not really our cup of tea. We do want to restrict access to prod WiFi to enrolled devices only and WiFi settings payload does a good job as it is. Custom certs, however, provide a flexible way to implement passwordless authentication and I can generate different certs for different subsets of users accessing different SPs. If Meraki ever implements a SRL, that would be great. ... View more

>My understanding was that it was a unique session. So the same device could connect multiple times over a week and that would create multiple sessions on the report.   I can't find anything definitive about this, but that is my expectation on how it would work. ... View more

Aaaand we're done - except some cable management.    Works super well. Really happy with how it turned out.    Always, always, always use cable lube. Life changer.    @PhilipDAth @NolanHerring @SoCalRacer @BrechtSchamp    ... View more

How to restrict client VPN with Layer 3: https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_rules ... View more

@Colm wrote: What is MLSA? The model sounds appealing. Not 100% but I think he meant Managed SLA (Service Level Agreement) 🤷‍♂️ ... View more

good job. was fun to listen to 🙂 ... View more