Meraki

KarstenI · ‎Jun 5 2021

Ok, if all devices behind port5 should be in VLAN3, then configure the port as Access with VLAN 3.

KarstenI · ‎Jun 5 2021

Is it your PC on port 5? Then it should be Access in your User-VLAN (probably 3). The Link between MX and SG is trunk on both sides with the same native VLAN and the same allows VLANs. And if you enable the DHCP-server on the MX, your client should get a DHCP-address from the MX.

KarstenI · ‎Jun 5 2021

A couple of things to question here: Why do you put an IP on the Switch-VLANs? It should be either on the MX *or* on the Switch. You only have IPs on both for the transfer-VLAN between them. You show that you have configured Port 5 as Access, but not for which VLAN. You say you get an APIPA-address but can ping the MX-IP. Probably something happened in between these two events as that can not happen.

KarstenI · ‎Jun 5 2021

I am using them on multiple organisations. With a complex firewall rule set, I would not want to work without it any more. Main "problem" is that I have very often display problems in the browser where columns are not filled or the the rules do not show up at all. But after a browser refresh all is ok.

KarstenI · ‎Jun 3 2021

How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.

KarstenI · ‎Jun 3 2021

No, that's not what I tried to say ... 😉 I was talking about how to authenticate your endpoints when entering the network. Your BYOD devices typically get a certificate enrolled and use the Meraki authentication (That is IMO one of the best features of SM). But the domain-PCs do not have a certificate from the Meraki Dashboard like the BYOD devices and have to be authenticated in a different way, for example through your Microsoft NPS. The ISE could authenticate both your BYOD- and domain systems.

KarstenI · ‎Jun 3 2021

It all depends. Do you *send* the traffic to the different destinations directly? Then it will be load balanced (well, if that feature is enabled on the MX). But if you send the stream to a distribution system (like youtube or a website where the stream can be consumed) then again, there will be no load balancing.

KarstenI · ‎Jun 3 2021

If it is one flow or even one IP-address-pair in the communication, it will go over only one ISP. There will be no load balancing.

KarstenI · ‎Jun 2 2021

The MX typically does not play any significant role in the BYOD solution. The onboarding runs through manual enrolment or through the MR access-points and provisions the client into the SM Mobile Device Management. Best to build a test-system for all your intended devices as there are some gotchas that make it less usable compared to an ISE. For example, the BYOD users can automatically get a certificate for WLAN access. But this is not an intended use case for your domain-users which need a different authentication. And these certificates can not be used on all switch ports. If you have an all-wireless, all BYOD environment, then it will be great. But if there are a significant amount of legacy devices you need "something else" for these. And the ISE could give you all at the same time.

KarstenI · ‎May 28 2021

@wfoteping2101 wrote: most likely answer here is A would be nice, but ... No!

KarstenI · ‎May 28 2021

Again one that you just have to know, also for real implementations: 🐝

KarstenI · ‎May 28 2021

I am not aware of any way to achieve this from the dashboard. But you can export all flows with Netflow and analyse the clients traffic on the Netflow collector.

KarstenI · ‎May 28 2021

@RichardChen1 wrote: Since the concentrator has a lan ip address. What kind of port forwarding required for client vpn to work? Just udp500/4500 to lan ip? Yes, UDP/500 and UDP/4500 is enough as with NAT-T, after the initial exchanges on UDP/500 all is encapsulated in UDP/4500.

KarstenI · ‎May 27 2021

@GIdenJoe wrote: I know a Cisco ASA does not support multiple TS with IKEv2. There has to be a different reason if that didn't work somewhere. The ASA supports this and I use it with lots of customers.

KarstenI · ‎May 26 2021

You are probably talking about the local status page. Access to it can be controlled from the dashboard: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Configuring_the_Local_Status_Page Be aware that this status page is only for initial setup for the cloud connectivity and not to configure the whole device. That is only done on the dashboard.

KarstenI · ‎May 26 2021

But in this case you probably also have a splash-page configured. If you just use the ISE for .1X, you typically still have 802.11r available. With just AAA to the ISE there is no need to CoA.

KarstenI · ‎May 24 2021

That is also easy with the cloud-update. It only runs while the VPN is not connected.

KarstenI · ‎May 22 2021

Licensing ... I am so happy that I don't have to deal with Windows licenses as that is always done by the customer or other companies. It's enough to have to deal with all the Cisco licensing stuff! But for this specific customer, the MAB devices were managed in ISE.

KarstenI · ‎May 22 2021

@PhilipDAth wrote: The last customer that asked me something like this - I said why don't you use WPA2-Enterprise mode on the printer and you won't have to use MAC bypass. Problem solved. Do you remember the customers where every user had their own printer on his desk? I still have one of these. The Admins don't want to go around and configure each of them for dot1x. I think MAB will stay for a very long time (at least for the cabled devices).

KarstenI · ‎May 21 2021

Same here as @CptnCrnch. The AC module behaves really well. What we are having is some trouble with the AD-Connector, but I would go for Umbrella with AnyConnect where possible.

KarstenI · ‎May 21 2021

I had to think twice, but then it is quite obvious: "PUT" updates an entry, but the ID can not be updated as this entry is generated by Meraki. To create an organisation (or a Network) we would need a POST. And with this only "D" can be the answer.

KarstenI · ‎May 21 2021

The easiest (and best 😉 ) way to update AnyConnect is to also have Cisco Umbrella enabled on the client. Not only the security is increased, but AnyConnect can be automatically updated from the cloud. Ok, there have to be inserted some more coins ...

KarstenI · ‎May 21 2021

@AB_LaDigue67 wrote: @SandroZ @DavidLowe @RafaelM Massive thank you to Sandro, David and Rafael. I passed my CMSS 500-220 ECMS Exam earlier today. These practice Q&As, ECMS1/ECMS2 and documentation site really helped!!! Congratulation! Now we only have to wait for the appropriate CMSS badge on the community profile ... 😃

KarstenI · ‎May 20 2021

Are you using "normal" user objects for this? Then it can not work. There is a dedicated object type in Active Directory for MAC addresses: "ieee802Device". This object does not have these password restrictions. EDIT: Just remembered that in the past there were problems in combination with NPS and this object-type and the solution was to have the MACs added as users with different password-requirements for different areas in AD. But I am not sure if this is still the case with actual AD-versions.

KarstenI · ‎May 18 2021

@BrandonS also new to me, great resource!

About KarstenI

KarstenI

Karsten Iwen

Community Record

Badges