Meraki

Community

About hinewwiner

802.X Access control with NPS (and AD CA for certificates)

by in Switching
‎Feb 26 2018 3:48 PM
‎Feb 26 2018 3:48 PM
Hello   I currently have set up so that my company's both wired and wireless network gets 802.X authentication. I have also set up so that both wired and wireless gets verified on the server's identify by validating the certificate and have Active Directory CA auto-enrollment setup to push out the server's certificate. Everything works great but have a problem with new computers. (or newly OS installed computers)   The problem is that when I join a computer to a domain and reboot, it fails to connect to network saying Error 265 : "The certificate chain was issued by an authority that is not trusted."  I am suspecting that the 802.X policy kicks in before the computer gets a chance to receive certificate via GPO.   Only way to get around this is to connect to company's guest wireless network and run 'gpupdate /force' to force update GPO to receive the certificates then everything works fine.   Is there a better way to get around this?  My AP/SW is setup so that the computer gets on to Guest VLAN in case of 802.X authentication failure but it seems like Windows just blocks network when 802.X auth fails. (or maybe its Meraki doing this per diagram in here (https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X))     Is there a way to fallback to guest Vlan when 802.X fails?  I am also thinking to disable certificate verification on Wired network as I am not sure there is much value to it assuming physical security of our company is decent.   Any help would be appreciated.   (My client computer runs on Windows 10 and AD/ADCA/NPS are running under Windows Server 2016.    ... View more

MX100 - AMP causing WAN link failure?

by in Security & SD-WAN
‎Jan 23 2018 5:13 PM
‎Jan 23 2018 5:13 PM
Hi -    I have MX100 with MX12.26 software.  We had some uplink issue and my tech seems to suspect high resource usage from AMP.  Can AMP cause WAN link to fail?  If so what is preventive action that I can take?  I have purchased the advanced security license for AMP but I am surprised that the device can't handle the processing. (We have about 100 clients connected to the MX100)   Thank you! ... View more

AMP/IDS seems to block file download without logging to security center

by in Security & SD-WAN
‎Jan 23 2018 7:01 AM
‎Jan 23 2018 7:01 AM
Hi -    My users are having problem downloading a file from one of trusted sites. (The site is listed in 'Whitelisted URLs' under AMP section)   When one tries to download a file (related to ActiveX), the download starts but it hangs (it is 4mb file) then fails the download after few minutes.    However, when I look at the Security Center, nothing is logged.  So I can't add the SHA256 to the AMP Whitelisted files.   Has anyone experienced this?  The file can be downloaded from home so I don't think it's their server's problem.     FYI, I currently have AMP enabled and IDS set to prevention and balanced.   Thank you ... View more

Re: Isolating network between AD OUs - Subnetting? or VLAN?

by in Security & SD-WAN
‎Dec 12 2017 4:39 PM
‎Dec 12 2017 4:39 PM
Hi PhilipsDAth,   Thanks for the quick response. You are always helpful!   One quick question.  Could you explain why you don't recommend this?   How would you recommend to properly isolate the traffic?  We have some departments of which require isolated access.    Thank you! ... View more

Isolating network between AD OUs - Subnetting? or VLAN?

by in Security & SD-WAN
‎Dec 12 2017 3:54 PM
‎Dec 12 2017 3:54 PM
Hello, We are setting up a HQ network with MX100 and MS225 switches. We also have multiple remote sites with MX64 and MS225 switches that will be connected to HQ via site-to-site VPN connection.   There will be an Active Directory server running on HQ network and all our employee's computer will be joined to domain.  We would like to establish secure network by isolating traffic between each departments (OU in AD). I saw that I could tag a specific port to a specific VLAN (is MS switches) but would like to avoid this and have a way to dynamically assign either VLAN or subletting based on device's OU.   I also like to have a way so that devices in same OU (like Sales department in HQ and Sales department in remote location) can share resources (file share, etc.) but I am not sure if this is feasible or not.   What would be the best way to accomplish this?  Should VLAN tagging with RADIUS be used?  or should I run a DHCP server in HQ to assign subnet based on computer OU?   Thank you   ... View more

Re: What benefits would I get by having a L3 switch (MS250) for this setup?

by in Switching
‎Oct 21 2017 11:06 PM
‎Oct 21 2017 11:06 PM
Thank you for all your help!! 🙂 ... View more

Re: What benefits would I get by having a L3 switch (MS250) for this setup?

by in Switching
‎Oct 21 2017 11:02 PM
‎Oct 21 2017 11:02 PM
Ok thanks for the help. You are the best!   One last thing...  if the traffic was for a computer file sharing between two computers in branch A (like windows file share); does the traffic travels to the MX100 router located in the Datacenter?    Thank you! ... View more

Re: What benefits would I get by having a L3 switch (MS250) for this setup?

by in Switching
‎Oct 21 2017 10:29 PM
‎Oct 21 2017 10:29 PM
Thanks for the reply.   Does warm spare MS switch require license too? or can I just have the HW like MX routers?   Also when a video voip call is made between the two devices in branch A, does the traffic go thru the router in the data center? I thought it is handled direct pear to pear.   Thank you very much ... View more

What benefits would I get by having a L3 switch (MS250) for this setup?

by in Switching
‎Oct 21 2017 9:29 AM
‎Oct 21 2017 9:29 AM
Forgive me if this question is horribly misguided. I'm primarily a developer, but my company has asked me to work on setting up a new datacenter (we never had one before and currently use consumer grade ethernet router for internet use.  We would like to start building our own data center to host Active Directory server and ERP systems. ).  (I do have at least a basic understanding of networking).    Attached is my current proposed set-up. As you can see we have many (20) remote locations who will VPN to our datacenter's MX100 over internet.     My questions is... I currently have MS250 (L3 switch) planned in the datacenter.  I want to use VLAN to separate our server networks from other devices and setup QoS for VOIP devices but I believe VLAN is also supported on MS225 (L2 switch).  Also many of our users will be remote and VPN to MX100; I am not sure what kinds of benefit I would get from having MS250 in the data center.   What kinds of benefit would I get by using this MS250 L3 switch in my setup?   Thank you!     ... View more

Re: Would this router setup work?

by in Security & SD-WAN
‎Sep 11 2017 4:53 PM
1 Kudo
‎Sep 11 2017 4:53 PM
1 Kudo
Wow, I wasn't expecting this much of in depth answers. Thank you very much for all who helped me in this.   Does anyone know how much maintenance does Meraki devices require per year? As you can see we have a lot of remote offices (and they move locations a lot due to nature of our business) and they are all over the world and our company can't offered to have IT at each remote site yet. (This is in fact the main driver for us to look in to Meraki as my understanding is that Meraki devices can be managed from HQ thru cloud.). We also looked at Cisco ASA and while it looks very nice, it seems to me that it is for a large company with more structured IT department.   Lastly, we would be also setting up a Microsoft Active Directory on our network and all our machines will be joined to the domain.  Would this setup support RADIUS authentication (even in the remote sites) for WIFI connection? (Can MX64W do the RADIUS authentication with AD in HQ?; assuming the VPN connection is configured correctly)   Thank you very much! This community is one of the best place I've ever been! ... View more

Re: Would this router setup work?

by in Security & SD-WAN
‎Sep 11 2017 2:23 AM
‎Sep 11 2017 2:23 AM
Thanks for the reply.   Each remote sites have less than 15 people so I hope the MX64W could handle the load well.   How is the software VPN client for remote users (with Windows or Mac) outside of office? I have heard some concerns on software VPN client for Meraki firewall. ... View more

Would this router setup work?

by in Security & SD-WAN
‎Sep 10 2017 9:07 PM
‎Sep 10 2017 9:07 PM
Hello, I was wondering if I can get some advice on my company’s network topology plan. (Attached)   Currently we do not have any of these set up yet and would like to validate the design with Meraki before we make decision.   Our setup We have a HQ located in Seoul, South Korea with about 30 people in office. - Planning to use this site as a main where all remote Meraki routers (Site A,B,C,D,E as well as software VPN clients) will be connecting to this site. - This site will host servers for internal application. (including Active Directory) So employers in Site A,B,C,D,E as well as those with software VPN client must be able to access the servers located in this HQ. - We also have VPC (Virtual Private Cloud) set up in Amazon AWS.  Can this HQ make VPN connection to the AWS VPC so that all sites A,B,C,D, E as well as those who use software VPN can access Amazon AWS VPC? (My understanding is that we pay VPN connection per hour for AWS. And it would be very expensive if all sites to make VPN connection directly to AWS.)   Here are the list of equipments we are planning to purchase.     Qty MX84 Cloud managed Router 1 MX64W Router + Wireless 5 MS225-24 Switch 2 MR52 WAP 4     MX84 - 3yr Adv License 1 MX64W - 3yr Adv License 5 MS225-24 - 3yr License 2 MR52 WAP - 3yr License 4   Could you please give us some feedback on this design?     ... View more
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.