Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About pematthe
About pematthe
pematthe
Here to help
Member since Jul 12, 2024
Feb 28 2025
Community Record
10
Posts
2
Kudos
1
Solution
Badges
Feb 28 2025
1:51 AM
2 Kudos
UPDATE. A bug or undocumented feature. The backend SAML was stuck and would not allow a user to be created in the UI. Either VPN or as an administrator. SOLUTION. Disable SAML for 5 minutes. Recreate the user in either VPN or Administrator UI and re-enable SAML. It seems to reset the SAML 'remembered' accounts and allowed the user to be in SAML for admin access and also a local account for VPN.
... View more
Feb 24 2025
1:26 AM
A name, not an email. Apparently, from the support engineer, the backend and fronted UI are out of sync and cannot reconcile the account between local and SAML - a proper bug / issue / problem. It is also not possible to access, clear, reset and remove a SAML ID by an administrator to clear issues like this. The recommendation is to disable SAML, leave for 10 minutes and then re-enable. I will be doing that today sometime and update the thread here with the result.
... View more
Feb 20 2025
9:14 AM
Thanks for the idea, but I have already changed that SAML parameter. I have opened a support ticket, maybe they can suggest something.
... View more
Feb 20 2025
2:00 AM
Were migrating our dashboard admins to SSO and have found that deleting the local admin account to force the use of SSO, also deletes their VPN user account - didn't expect that! The work around is to create a new user 'guest' account for the MX VPN service and email new credentials to the user. One has worked OK, the next one failed "A user with the email 'xxxxxxxxxxx' already exists". We cannot find that account anywhere. It is not in the dashboard admins or existing VPN users. It was used for SSO so we have tried with the account in the M365 SSO user list and without. Neither makes a difference. I have seen other threads on the forum that once dashboard knows about an account in SSO, it doesn't let it go, there's no option to remove the record of it. Strange as another user SSO account allowed us to create a guest VPN without issue. Anybody else seen this when migrating to dashboard SSO?
... View more
Jan 22 2025
5:50 AM
Thanks for the replies. As I suspected. For info for others, we are going with the dedicated local API accounts and converting actual dashboard users to SAML/SSO I had already come up against the issue with changing the "username" attribute after converting our first user to SSO. Very useful to know.
... View more
Jan 16 2025
3:04 AM
We are trying to transition our local account users to M365 (EntraID) SSO SAML accounts. The set up is easy enough can I cannot find clear answers to a couple of questions. I assume that it is not possible to transfer an existing user's account to SSO/SAML? As the login URL is different so it is either One or the Other or leave both accounts active? To do a full transition, the local account should be deleted - is that correct? API Keys. As per the documentation, API keys cannot be created by SAML users. What have others do for a solution to this? Have a local api-account which everyone with an existing API key now uses Do not transition these users to SSO? Get meraki to add API key support for SAML/SSO users. Any additional guidelines other than the stands documents?
... View more
Labels:
- Labels:
-
Administrators
-
Other
802.1x gives me two options - certs or userID. I was thinking that UserID might be simpler as the onus is on the user to log in and uses a single source - Office365/EntraID. Certs has a complicated, additional management overhead to distribute and revoke. I will take a look as the project progresses. Thanks for the advice.
... View more
I have found that there are public RADIUS services (https://idblender.com/pricing) which can backend to O365. So that might be an option. We don't have AWS / Azure facilities as we are a non-technical events company - So that option is out. Using Meraki auth might be OK, if we could import or sync the user accounts from O365. The point is password and user tied to a single source of truth. If they leave, we only have to switch off one thing. It seems Meraki are soooo close but just missing the last piece.
... View more
Interesting idea and seems to fit most scenarios. One issue for me is we don't use / license Intune. We are also a Apple client house. All the references are for WIN clients so not sure how this would apply for MacOS and iOS. Maybe I will test it and see what happens. Thanks for the guidance
... View more
I am looking for a recent design guide or implementation info to convert our WPA-PSK wireless to WPA-Enterprise. Documentation I have seen says an intermediate RADIUS server is required, has this not changed yet? We have given out our PSK so many times we may have posted it on Facebook. Adding more control and linking to userID on Office365 is the objective. We are completely cloud based so do not have the infra or facilities to host a RADIUS server. What are the options? We can do SSO for Meraki dashboard login, what are the options for WPA2-Ent for the wireless connections? Our source of truth for user accounts is EntraID. I would like to link to that. Ideas?
... View more
Labels:
- Labels:
-
Other
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1246 | Feb 28 2025 1:51 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 1246 |
© 2025 Cisco Systems, Inc.
