The other option would be, to have Local Dashboard accounts.. isn't it? I think local Dashboard accounts are allowed regardless other authentication options are enabled for the organization.  ... View more

You know what, a setting that's often ignored: Go in the Radio profiles and disable Client Balancing which is enabled by default.  I have experienced a lot of problems because of Client Balancing, and that should not be enabled if one wants to have a stable environment. ... View more

Option 150 is not predefined DHCP option, but you always can configure any custom options with values type String, HEX or IP.   So, the answer is - yes, you can configure option 150, either on L3 switch or on MX appliance.     ... View more

I would connect the Internet Port of the MX to the router via a L2 switch. I would connect with a PC to the same VLAN and start the Wireshark to see the DORA process.  Also, make sure that the configuration in Internet Port 1 for VLAN Tagging says "Don't use vlan tagging". ... View more

Hi,   1. you need to know if this is Single Mode or Multi mode fiber. Since you say this is OM4, then it must be Multimode.  For multimode:  MA-SFP-10GB-SR MS420 does not support 40Gb QSFP modules.   2. same as in the first point. ... View more

@rhbirkelund it only works like this if you have you housekeeping in Excel  😂 ... View more

Maybe I've not understood you correctly, but for site-2-site vpn you can either have a default route checked if your MX is in Spoke mode or Exit Hub if it is in Hub mode.    If that is what you are trying to accomplish then the /networks/{networkId}/appliance/vpn/siteToSiteVpn should help you do the changes. ... View more

There is no trick for this.  Most probably you are trying to access the shared folders via name which cannot be resolved.  You can try to access them via IP address, or make sure you access them via FQDN which can be resolved. Also, worth looking if there are any group policies/firewall rules which will block port 445.     ... View more

The Meraki world is not different than normal Cisco world. Having that vlan100 on both MX and core switch and acting as management vlan for switches doesn't sound good for me. That's the only thing that I want to point.   We have similar setup in our location.  I have the management vlan on MX which is a native vlan on the MX port and acting as management for switches, then another vlan on the switch core for management of the access points. I need another vlan just because S2S VPN, but in your case another vlan for AP's is not needed.   ... View more

I don't have the full picture of your network but assuming you only have Mx, switch and Client VPN, and everything is behind the switches then: what is the Management VLAN all about? Is it the management for the switches only? Then it does not make any sense to have the vlan100 interface on the stack. It is better just to have that as native vlan on the MX port.  If it is for some other purposes, then again... what's the purpose? ... View more

Have you checked the RADIUS logs from which IP the requests are coming from?  If my memory serves me well, when I was testing the Client-VPN the request to Radius were coming with the source IP of the highest vlan id.  Now, that you moved the VLANs to the switch, the IP from which the requests are going out to RADIUS have also, probably, changed.  Can you verify that? ... View more

I do two three different things: 1. either store in the environment variable  2. either store in the database in the setting table (usually using this when the scripts run on Django) 3. either way - I have an encryption/decryption algorithm, so the key is not stored in plain text. It does not mean that the key is fully safe, as long as one will have access to the algorithms, but at least having the encrypted API key does not make much sense for some .... ... View more

Hello,   it is possible, of course. It is possible to create/update almost any settings from from dashboard, but this requires you to be familiar with some programming/scripting language.   Assuming that by "blocking IP" you mean that you want a L3 firewall rule or an inbound firewall rule, here are the Endpoint descriptions. https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-firewall-l-3-firewall-rules https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-firewall-inbound-firewall-rules     ... View more

NBAR2 will not disturb the clients at all, but NBAR2 will not be available in a mixed environment. I have just discovered this hard way few days ago when my script had trouble adding one AP to a network.   You want to read "Disabling NBAR" paragraph. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Network-Based_Application_Recognition_(NBAR)_integration_with_MR_access_points ... View more

I am totally with Philip. Don't mix. Either build the environment with MR46 (preferred), either only Wifi5. You will start running into different issues and unavailability of certain features like NBAR2.   When you'll have the env ready and working and later on you will want to add another wifi5 AP, you will have to disable traffic analysis, add new ap, enable traffic analysis. This one problem, and I am not sure which other may appear... ... View more

I have a replication of Cisco WLC controllers infra in few locations and it is exactly like you said. Except, I am doing exactly like WW suggested - on the switch I have a trunk port with native vlan for management, and other vlans to tunnel different type of clients, including Guests. ... View more

I'll agree with the OP. Changing a mode of a device is something important. And since they can offer a double confirmation for s2s route overlap, they can offer also a double confirmation for changing the mode.   I'll disagree with UCert regarding the rights, especially with the lack of access rights granularity (full or readonly only) Meraki offers. ... View more

in Python:  when Radius is enabled on SSID the result dict will have a key "radiusServers" which will contain a list of dicts, for every radius server, however, if the SSID does not have Radius active then the key will not exist and you can't address it via [""]. Use dict get() method to check if the key exists.   {'authMode': '8021x-radius', 'availabilityTags': [], 'availableOnAllAps': True, 'bandSelection': 'Dual band operation with Band Steering', 'concentratorNetworkId': 'N_111111111111111111', 'dot11r': {'adaptive': False, 'enabled': False}, 'dot11w': {'enabled': True, 'required': False}, 'enabled': True, 'encryptionMode': 'wpa-eap', 'ipAssignmentMode': 'VPN', 'mandatoryDhcpEnabled': True, 'minBitrate': 12, 'name': 'thisismyssidname', 'number': 2, 'perClientBandwidthLimitDown': 0, 'perClientBandwidthLimitUp': 0, 'perSsidBandwidthLimitDown': 0, 'perSsidBandwidthLimitUp': 0, 'radiusAccountingEnabled': False, 'radiusAttributeForGroupPolicies': 'Filter-Id', 'radiusAuthenticationNasId': '$NODE_MAC$:$VAP_NUM$', #this seems to be future settings in MR28 'radiusCalledStationId': '$NODE_MAC$:$VAP_NAME$', #this seems to be future settings in MR28 'radiusCoaEnabled': True, 'radiusFailoverPolicy': None, 'radiusLoadBalancingPolicy': None, 'radiusOverride': False, 'radiusProxyEnabled': False, 'radiusServers': [{'host': '10.10.10.10', 'id': 111111111111111111, 'port': 1812}, {'host': '11.11.11.11', 'id': 222222222222222222, 'port': 1812}], 'radiusTestingEnabled': False, 'splashPage': 'None', 'ssidAdminAccessible': False, 'visible': True, 'vlanId': 888, 'wpaEncryptionMode': 'WPA1 and WPA2'}         ssids = dashboard.wireless.getNetworkWirelessSsids(networkId) for ssid in ssids: radius_server_list = [] if ssid.get("radiusServers"): #Only execute if radiusServers key exists for server in ssid.get("radiusServers"): radius_server_list.append(server["host"]) print(radius_server_list)     ... View more

This is my guess, because I don't use PDL licensing: "claimDate" : "2019-08-29T12:40:10Z" , "activationDate" : "2019-09-01T15:01:46Z" , "expirationDate" : "2020-10-30T15:01:46Z"   state : 'active',   --- description ??? -> the license is assigned to a device. This is expected state of the license in the org. 'expired',--- description ??? -> the license is expired. expirationDate is in the past. 'expiring',--- description ??? -> the license expirationDate is less than 30 days from now. 'unused',--- description ??? -> License was claimed in the Organization but was not assigned to any device. 90 days have not passed yet, so activationDate has not yet started. 'unusedActive'--- description ??? -> License is not assigned to any device but activationDate is in the past. or 'recentlyQueued'--- description ??? -> can't imagine what this could be. ... View more

As an admin of more than 10 Meraki Organizations, I've created a scrip using the all-mighty API's, to send me each  morning the Change log for yesterday, so that I can see what my peers or junior admins have changed in the Organizations and to act accordingly. So I start my day by scrolling thru the change log. ... View more