Community Record: 1029 Posts, 1061 Kudos, 70 Solutions
Aug 22 2019
1:54 PM
2 Kudos
I'm tending more towards using MFA if it must be publicly accessible. Duo even offers it for free for up to 10 users. https://duo.com/ https://duo.com/docs/rdp Note you can also use Duo MFA for local Windows authentication as well if you want.
Aug 21 2019
12:13 AM
Hi All, Thanks for all the replies. I think I answered my own question. Thanks Dave
Aug 19 2019
12:22 PM
2 Kudos
There isn't any API feature for this from the latest list of available APIs
Aug 16 2019
4:25 PM
2 Kudos
We tend to do a lot of experimenting. We have both Google Authenticator set up (easy), and SAML against Azure AD (difficult to set up) - and we have MFA enabled for Azure AD, so that uses the Microsoft Authenticator. NPS+Azure AD MFA is a pain because of the lack of logs and diagnostics when things go wrong. If you want MFA for client VPN use a third party solution, like the Duo RADIUS server. If you want to enable "global" MFA for the Dashboard use a third party SAML provider like DUO. You can also use AzureAD if you don't mind doing a bit of extra setup work and Googling. We use AzureAD because we already use Office 365, and it was more convenient to have the one system for everything.
Aug 15 2019
11:30 AM
1 Kudo
So MS acts a bit like Portfast, just with less risk of loop and a bit more intelligence.
Aug 14 2019
2:12 AM
I'm patiently waiting for the mailman each day 🙋‍♂️👨‍✈️!
Aug 13 2019
7:07 AM
2 Kudos
Amazing @vassallon! It is always nice to see UAF get a little shout out!
Aug 12 2019
1:58 PM
Thanks for opening the case. The more people that do that, the better the firmware will be for everyone 😃
Aug 9 2019
5:24 PM
1 Kudo
Hello, As mentioned you will get a more rich experience and fully featured SD-WAN using an MX. However, if all you’ve got is an MS250, I will note one feature you might be able to leverage, which would be ECMP routing. If both upstream gateways can run OSPF and if they both can advertise a default external route (0.0.0.0/0) to the MS250 with the same cost, the MS250 will load balance traffic to both gateways using ECMP. It is purely active/active and won’t provide as much flexibility as an MX (nor will it do NAT), but it is a possible configuration to use in a pinch.
Aug 7 2019
6:21 AM
No, I totally use Google. Usually when I want to check both the official documentation and the forum at once, and see if maybe Reddit or Server Fault has something useful to say. Usually the answer is in the official docs or here, though. I need to experiment with the baked-in forum search.
Aug 6 2019
9:41 AM
I thought that was going to be the case but was hoping I was wrong :). Thank you!
Aug 5 2019
9:10 AM
1 Kudo
@Hubble Glad to have helped, I know it can be tricky to find those blocked devices until you know the trick of looking for devices with a policy.
Jul 31 2019
8:47 AM
Your VPN traffic won't be sent unencrypted. It'll be encapsulated within the IPSEC tunnel. Setting encryption to optional has to do with how the user name/password is transmitted. Win10 does not support -Encryption Required for PAP or CHAP. So it assumes that -Encryption Required is correct, and will eventually change your password protocol to EAP and MS-CHAPv2. Then you get tickets about "broken" VPN connections. When you created the account with PowerShell using -Encryption Required, you should have seen an error like this:

```
Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelType L2tp -EncryptionLevel Required -L2tpPsk testbob -AuthenticationMethod pap
Add-VpnConnection : The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP
do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.
At line:1 char:1
+ Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelTyp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (AuthenticationMethod:root/Microsoft/...S_VpnConnection) [Add-VpnConnec
tion], CimException
+ FullyQualifiedErrorId : WIN32 87,Add-VpnConnection
```
Jul 30 2019
5:47 PM
Awesome! Glad I could help, this was a super hard problem to troubleshoot (for me), so I am glad the ISP took responsibility (they usually don’t) 😄
Jul 30 2019
3:06 PM
Now I feel dumb! I could've sworn it was in the help menu. Anyway, I will make a wish now 😄 Thanks for the heads-up!
I have Hostname Visibility enabled, but unfortunately it doesn't provide much info. I only see gigs of traffic coming from iTunes without any additional information. Thank you for your answer!
Jul 28 2019
1:50 PM
Nice one @AjitKumar, it's always nice to know more about the members of the community.
Jul 26 2019
7:13 AM
Not at the moment. I have wanted access to that information too. I have a script that builds a spreadsheet for each organization that looks a lot like the page you get when you pull up the license information in the dashboard. The data about the license status and the counts you can get from the call I referenced before. The actual license keys displayed under License History are not. I have sent multiple wishes for access to this information.
Jul 19 2019
5:01 PM
1 Kudo
It's pretty bad that the remote end can't handle a NAT-T negotiation. There really should be no reason to ever disable this option.
Jul 19 2019
12:35 AM
1 Kudo
Hi guys, the contest is running well and there are still 2 weeks left to get some points. Let's push it a little bit more and earn some points. Wish all good luck and thanks again for this opportunity!! Best Regards
Jul 18 2019
2:21 PM
1 Kudo
Thanks for all the help! Here's what I came up with.

```python
myvlans = meraki.getvlans(apikey, networkid, suppressprint=False)
vlanid = 100
myipassignments = {newmac: {'ip': myip, 'name': name}}
for vlan in myvlans:
    if vlan['id'] == vlanid:
        vlan['fixedIpAssignments'].pop(oldmac)
        vlan['fixedIpAssignments'][newmac] = {'name': name, 'ip': myip}
        meraki.updatevlan(apikey, networkid, vlanid, name=None, subnet=None, mxip=None, fixedipassignments=vlan['fixedIpAssignments'], reservedipranges=None, vpnnatsubnet=None, dnsnameservers=None, suppressprint=False)
```

It works great, but while I was testing I noticed a slight quirk. I was swapping old mac and new mac back and forth, but changing the name so I could be sure things were changing, but the UpdateVLAN function doesn't change the name. It will set the name if it's a new MAC, but if you are recycling a MAC it will retain the name it had originally. You have to use the dashboard to actually change the name. Shouldn't *really* be an issue, but it could be a quirk if you are trying to write a script that adds more description to reservation names. (I like to use CompName-Username, but previous admins didn't follow this method, so I wouldn't be able to write a script to normalize this naming scheme.) Also, it seems like sometimes it will change the name and other times it won't...can't really figure out what the reason is behind it.
Jul 17 2019
2:09 PM
2 Kudos
Hi, fixed using https://community.meraki.com/t5/Security-SD-WAN/VPN-DNS-Host-name-Not-FQDN/m-p/14512#M3547 This forum is almost as good as the Meraki itself!!
Jul 17 2019
1:09 AM
1 Kudo
This is exactly what the setup is like. I have asked the question and it turns out that on port 2 of the ISP switch/router is where you get the RFC1918 space address. On port 4 I have a public IP range and I can configure it manually and it is working. Thank you
Jul 15 2019
3:03 PM
2 Kudos
On the videos I checked they are all using the same CDN. So I would block that. Not sure if that will also change every day, but it is worth a shot. Also it seems like the service won't work without authenticating, when doing that it is doing it via the same primary domain (4kmovies.online). I would assume changing domains daily with DNS propagation and changing the location of the authentication service every day has to be time consuming. Also the IP range they are currently using is 104.31.77.0-104.31.77.255 and located in Chicago behind Cloudflare. I thought maybe you could try a block from a country outside of yours, but looks like that won't work. cdn.4kmovies.online
My Accepted Solutions
Subject | Views | Posted |
---|---|---|
 | 5262 | Jun 30 2020 9:41 AM |
 | 13149 | Jun 25 2020 6:34 AM |
 | 2144 | Jun 8 2020 3:30 PM |
 | 4672 | Jun 4 2020 6:56 AM |
 | 4435 | May 26 2020 8:26 AM |
 | 2077 | May 18 2020 9:10 AM |
 | 4018 | Apr 3 2020 11:18 AM |
 | 8760 | Mar 26 2020 2:05 PM |
 | 4658 | Mar 23 2020 5:59 PM |
 | 13568 | Mar 19 2020 7:27 AM |
My Top Kudoed Posts
Subject | Kudos | Views |
---|---|---|
 | 7 | 20533 |
 | 7 | 11292 |
 | 6 | 8023 |
 | 6 | 7013 |
 | 6 | 48546 |