Meraki

Mr_IT_Guy · ‎Mar 6 2019

I typically use 1812 as that's the default, but if you used 1645 you would want to match that in the Meraki. As for the vLAN, vLAN 4 would be correct.

Mr_IT_Guy · ‎Mar 5 2019

This is a great step towards the more in-depth training that many of us have been asking for! Hopefully the ECMS2 comes to my area soon as I don't think the company will fly me out to Meraki HQ as much as I would love to go!

Mr_IT_Guy · ‎Mar 1 2019

That is correct.

Mr_IT_Guy · ‎Feb 28 2019

Correct, you use AD logins even if using RADIUS. RADIUS is used ALONG WITH AD. AD will be where it looks for the users you assign to the policy, but RADIUS is the one that enforces it. Think of it like this: RADIUS is the bouncer outside the VIP room of a club. It has to look at the exclusive list (AD) to see who gets in and who doesn't (i.e. your policy). Just because you can get into the club (i.e you have AD credentials) doesn't mean you can get into the VIP room (you don't match the policy) As for the Meraki IP you put as the RADIUS client, you would use the private IP. Keep in mind that if you have to go through a VPN tunnel to reach the RADIUS server, your MX IP would be the gateway of your HIGHEST numbered vLAN participating in site-to-site. For example, if you have vLAN setup: vLAN 10 - gateway 192.168.10.1 vLAN 17 - gateway 192.168.17.1 vLAN 20 - gateway 192.168.20.1 vLAN 35 - gateway 192.168.35.1 vLAN 52 - gateway 192.168.52.1 and all vLANs are participating in site-to-site, the MX IP would be 192.168.52.1 as that is the highest numbered vLAN. IF vLANs 35 and 52 were NOT participating in site-to-site, then the MX IP would be 192.168.20.1 as vLAN 20 is the highest numbered vLAN.

Mr_IT_Guy · ‎Feb 28 2019

Hi @tantony , With AD authentication, you will point to one of your DCs for authentication purposes. As long as there is an AD account, the user will be able to connect to the VPN. (Active Directory Integration) With RADIUS, you will point to a RADIUS server for authentication, which allows you to provide a bit more security. You can setup a policy so that only people belonging to a certain AD group (which RADIUS will be pointed to) will be able to connect to VPN. (Configuring RADIUS Authentication with Client VPN) As far as 2FA is concerned, you can use RSA and DUO with the built-in Windows client, although it is limited to the Push or Biometric authentication methods as there is no way to input a code at this time. If you are using Meraki Cloud authentication, you can create multiple accounts for users to use with the VPN. (Managing User Accounts using Meraki Authentication)They do not have to have dashboard access in order to be setup as a VPN user. You should absolutely have individual accounts for each user accessing VPN.

Mr_IT_Guy · ‎Feb 26 2019

Glad to help out! I believe you are correct about the Auth Proxy checking the AD group membership, though I think that's based on what level of DUO you have. Your AD groups will sync with the DUO admin console You can keep RADIUS for the wifi and as a backup. We demo'd DUO and I really like the product. Ultimately we ended up going with RSA.

Mr_IT_Guy · ‎Feb 26 2019

Hey @DSchn , The DUO Access Gateway (DAG) and the Duo Authentication Proxy (DAP) are two different tools. The DAG acts as a kind of application portal for SSO. Users can log into the DAG and then click on company applications that you have protected using DUO. The DAG has 2FA enabled for login purposes. Additionally, you can have redirects happen on those websites you are protecting so that if someone were to navigate straight to the website without first going through the DAG, they would be redirected to the DAG for sign-in. The Authentication Proxy is what actually makes the 2FA happen. Instead of pointing your pointing to your VPN to the RADIUS server, you would instead point to the DAP. When a user attempts to connect to the VPN, they will hit the DAP which contacts AD to verify username and password. If that part is correct, they will then receive a PUSH notification to their DUO app. You will have to contact Meraki to adjust the time out on the back end for the push notification so that users don't experience a timeout. As of right now, the only way you can use 2FA with the Windows VPN Connection is with the PUSH notification or Biometrics as there is not place to put in an authentication code. This part is very frustrating. I wish support for Cisco AnyConnect would come soon!!

Mr_IT_Guy · ‎Feb 4 2019

Yes, they have to manually choose to connect to the VPN. As far as MX is concerned, we are using a MX600.

Mr_IT_Guy · ‎Feb 4 2019

We have about 375+ connections daily using the VPN with this setup. Most major issues come from issues with the various ISPs people use to be honest. As far as deployment to users, this is done via PowerShell script so we can easily push out updates as needed. We have users who travel often and have not experienced any issues at airports, hotels, cafe. If they were to experience the issue, they would just tether off their phones.

Mr_IT_Guy · ‎Nov 5 2018

@CarolineS, the current Z1, MX64W, MX65, and MX65W stencils show the back side of the devices (the side with the ports), but not the front of the device (the side with the status light). Conversely, the stencils for new MX models and Z3 only show the front side, but not the back. Could you please pass along that we would like to have both front and back of the security devices?

Mr_IT_Guy · ‎Oct 31 2018

We have people that are constantly travelling for work at my company (myself included). I don't think I've ever encountered an issue where I am unable to connect via VPN.

Mr_IT_Guy · ‎Sep 21 2018

@MacuserJim, exactly what I was going for!

Mr_IT_Guy · ‎Sep 21 2018

This large stock of APs, are they not already claimed in your organization when they've been ordered? If they had been claimed, they would be in your inventory and then you could search your inventory to find the device based on MAC. OR Are you ordering the APs and not adding the order to the dashboard thus not adding the APs to your Meraki inventory?

Mr_IT_Guy · ‎Sep 21 2018

When ordering these devices, are the order numbers Meraki sends not being added to the dashboard? Once the order number is added in, you should be able to find the device via MAC.

Mr_IT_Guy · ‎Sep 20 2018

Have you tried keeping it at DHCP and then giving it a fixed IP assignment from the DHCP page? Since doing that, we've had zero issues getting our devices to the IPs we want. Also, are you trying to set the static IP from the local admin page of the device or from the dashboard?

Mr_IT_Guy · ‎Aug 29 2018

Thanks for the shout out @CarolineS. If anything, the thanks should go to @NFL0NR and my boss for the idea to share the photos in the first place. It's been really fun taking pictures with @Maui_Meraki_Dog and all the Meraki swag, though I have to say my wife is the one responsible for the majority of the fashion shoots.

Mr_IT_Guy · ‎Aug 21 2018

@CarolineS, you've made this community a great place to be and be a part of. Thanks for your hard work and due diligence. To all the community members, thanks for all the posts, discussions, pictures, ideas, etc.

Mr_IT_Guy · ‎Aug 21 2018

Mr_IT_Guy · ‎Aug 16 2018

Hi @DennisSN, Unfortunately the org split and some static routing rules were my only options in this situation.

Mr_IT_Guy · ‎Aug 14 2018

Hi @Philip and welcome to the forums!! Meraki is without a doubt GUI over CLI. In fact, the closest thing you will get to CLI is working with APIs. Meraki is all about "Simplicity" and as you've seen that makes them easier than your typical Cisco router. Many people enjoy that....I personally wish there was a bit more CLI, but oh well. Thanks for the quick answer @AjitKumar!

Mr_IT_Guy · ‎Aug 1 2018

Agree with @BlakeRichardson! @RichG, those were an amazing find. We ordered a few and are doing a mockup for our travel team based on @ArpTableCorrupt's design. This is probably my favorite thread in awhile.

Mr_IT_Guy · ‎Jul 26 2018

Such a great idea. We're working on a mockup for our branches now. Great job!

Mr_IT_Guy · ‎Jul 25 2018

This is FANTASTIC!!! Great to see the Meraki Community grow

Mr_IT_Guy · ‎Jul 20 2018

Yesterday @Maui_Meraki_Dog received a lovely gift in the mail: a Meraki shirt made for pets! The timing of this gift couldn't have been better as this past Sunday, July 15, was Maui's first birthday! Special thanks to Helen over at Meraki for coming up with the design and making the shirt.

Mr_IT_Guy · ‎Jul 11 2018

@cmiarshvac wrote: Did you find a work-around on the device limitation? Public Static with Pass-thru or using Bridged Mode? The ISP had to come out and swap to a different brand model modem.

About Mr_IT_Guy

Mr_IT_Guy

Community Record

Badges