Sounds like a bug, I'd contact with Meraki Support. ... View more

That's the error that comes up when you select the "with ANY of the following tags" but you don't actually specify any tags (in device tags or policy tags). The way you have it in the screenshot it shouldn't show up. ... View more

While the connection to the VPN registry is easily added to a firewall, in default settings (it's a UDP connection to 2 known IP addresses with dest port 9350), the actual VPN tunnels will be established using random outgoing ports, so it's impossible to limit these in the Sophos firewall.   Therefore you'll be better off manually configuring the NAT traversal so you can add the necessary port forwarding and firewall rules to your Sophos.   See here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/Meraki_Auto_VPN_General_Best_Practices   Use manual NAT traversal when: There is an unfriendly NAT upstream Stringent firewall rules are in place to control what traffic is allowed to ingress or egress the datacenter It is important to know which port remote sites will use to communicate with the VPN concentrator   Some other interesting links: https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto_VPN https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_between_Cisco_Meraki_Peers ... View more

This will be an interesting topic for you.   https://community.meraki.com/t5/Security-SD-WAN/How-to-cable-MX-amp-MS-for-HA/td-p/22765 ... View more

I think that is it. If I give myself "None" in organization and "Full" for the specific network then I can list my orgs, but can't actually fetch the networks. ... View more

They should stop doing that as soon as you connect them to the cloud. The reason they have the DHCP server when fresh out of the box is to allow easy configuration of the default gateway and proxy settings if they're necessary to connect to the cloud. ... View more

The dashboard should be reporting which DHCP servers it detected in "Switch/DHCP servers & ARP". You could check what is handing out those addresses.   One reason I could think of is, if you have the MR53's connected with two wires, that the APs might be handing out those 10.X.X.X IP-addresses to the wired network. I've seen this happen. In that case check that you're aggregating the correct ports and that the switches have correctly gotten their configuration from the dashboard. ... View more

@PhilipDAth wrote: Some Apple devices (and Android for that matter) use MAC address randomization to make them more anonymous.  Devices with this feature enabled will cause issues like this.   Are you able to change to using something authenticated, and perhaps a RADIUS server? If so, then you could apply the policy dynamically based on who the user is. It would be interesting to find out if a MAC address change actually took place actually caused this issue.   I was under the impression that MAC randomization only took place while not actually connected to networks and in some cases once upon connecting to a new network? ... View more

Ever thought about doing RADIUS accounting in combination with (Meraki) group policies?   No need for any separate SSID like that.   More info: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Policies https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies ... View more

Basically the VPN registry detects which port was chosen by the non-Meraki firewall when it receives the connection. So in other words, the blue arrow originates from the MX, goes through the non-Meraki firewall and arrives at the VPN registry. So the registry only sees the actual chosen port by the non-Meraki firewall. More or less the same thing happens with the IP-address, the registry registers the public IP address of the non-Meraki firewall, not the actual WAN-address of the MX (unless there's no NAT and it has its own public IP, but then this whole hole-punching technique becomes irrelevant anyway).    ... View more

You could tag the networks you actually want to monitor with "in_production" and then in your overview filter on "in_production". Then you could add a bookmark to a slightly edited url in your browser favorites so you don't have to manually type in the filter every time.   https://nXXX.meraki.com/XXXX/n/XXXX/manage/organization/overview#t=network&q=(tag%253A%2522in_production%2522)   It's a workaround but may be feasible for you.   But it would make for a good make a wish I guess. ... View more

That's indeed a limitation.   Can you share a bit more info about the reasons for having a specific SSID per-site? ... View more

I don't think you can locally override that setting.   What you could do is define all the SSIDs you need in the template, and then limit SSID availability based on tags. Then just add a different tag to your MR's per site. ... View more

I suppose both MX's use a private address on their WAN end and NAT-ing occurs on the non-Meraki firewall. At that point I expect the NAT-step will translate the randomly chosen port to another randomly chosen port. The non-Meraki firewall will make sure it doesn't use the same port twice for translation. So I expect that you wouldn't experience issues there.   Alternatively you could setup manual NAT-traversal in the site-to-site settings of the MX's, in both MX's you'll probably have the same public IP (your non-Meraki firewall's public IP) so naturally you'll need to use two different ports. And then of course you'll need to actually setup that port forwarding in your firewall. Mind you, I haven't tested if the MR's tunnels would also respect that configuration, but I would expect they will. ... View more

Will not be possible via API either. You could just setup a pi-hole and then configure it as your DNS server though.   Edit: Well you could block certain domains via URL filtering, but that would just stop HTTP (and HTTPS requests to a certain extent) to them, not DNS resolutions of them. And I don't seem to see an API call to edit those whitelists either. ... View more

I think the 3 and 4 years you are talking about are probably the license terms of the licenses that were originally bought.   The 54 days is the most important because that's the time you have left before you have to renew your licenses.   You should know that Meraki automatically coterminates licenses (at the moment). Hence the single date, regardless of the 3 and 4 years.   Basically if at Jan 1st 2018 you bought 2 APs with 3 YR licenses, the expiry date would have been Jan 1st 2021. If you buy 1 extra AP with a 3 YR license on Jan 1st 2019, the expiry date would not be Jan 1st 2021, it also wouldn't be Jan 1st 2022. But more something like Apr 1st 2021 because some of the value of the second license will be used to get the first license to co-terminate with the second one.   More info here: https://documentation.meraki.com/zGeneral_Administration/Licensing/Cisco_Meraki_Licensing_Guidelines_and_Limitations   Edit: Wow, HodyCrouch has written about the exact same answer as me at about the same time. I'll leave it as having it twice can't hurt. ... View more

I think it depends on your cell phone whether it can succesfully fetch the WiFi password for your WiFi from it.   On some cell phones it can automagically connect to your WiFi without ever having it connected to your network via wire. For that it connects to an SSID broadcasted by the speaker and sends it the password for your SSID.   If that fails it seems to fall back to the method you described where you have to connect the speaker over wire temporarily. However there again, it depends on the cell phone whether it can fetch the WiFi password or not. For good reason recent cell phones don't allow that these days. So when that fails another wizard again should take over allowing you to enter the PSK of your SSID. Some screenshots of the steps in it below.     If that wizard failed to start, perhaps you can start it manually using the first item in the advanced settings menu (while it's still connected via wire of course):   I hope that helps! ... View more

Sure, but knowing kids they will find their way around it. You're starting a cat 'n mouse game.   But this should do the trick. Create a group policy (Network Wide/Group Policies) with some L7 firewall rules and apply it to the chromebox (through the clients page). After creating and applying it, disconnect and reconnect the chromebox (or your iMac when testing) to the network. Because the policy is only applied to the chromebox, their own iPhones and XBOX's should still have access whenever your existing control system allows them to.   I added ttvnw.net just in case. That seems to be the domain name from which the streams themselves originate.   More background info here: https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Policies ... View more

I can't find any docs about that value being available via API. Make a wish!   Maybe this helps though, you might be able to reuse some of this code: https://github.com/meraki/spark-operations-bot/blob/master/meraki_dashboard_link_parser.py   Seems like the following python function with settingval set to ng_id will get you the value.     def meraki_www_get_settings(strcontent, settingval, settingfull): ''' In the dashboard, there are a large number of settings hidden in the code. This function will parse and retrieve the value of a specific setting :param strcontent: String. Raw HTML of the page. :param settingval: String. If the setting is in the "Mkiconf.setting = " format, pass "setting" here. Otherwise... :param settingfull: String. If the setting is named or punctuated differently, pass the exact string here. :return: String. The value of the requested setting '''   ... View more

I'm not a web designer but checkboxes usually have a standard size tied to the resolution, if it's too small it's more an issue with the used browser than something else.   That being said, yes you can change the size of it.   You can create a copy of the standard "modern" and add some custom CSS to make it bigger:   First create the custom theme: Then edit its CSS, the checkbox's id is gdpr_checkbox: ... View more