I have a complete Meraki ecosystem from end-to-end (MX, MS, MR) and I have been experimenting with applying Group Policies to wireless devices connecting through a single SSID. This is the behavior I have noticed, and I just need some confirmation that my observations match how things are "supposed to" happen.

If my SSID uses a splash page that authenticates with Active Directory, I use NAT mode for IP assignment, and in Security & SD-WAN --> Configure --> Active Directory I set things up so different AD groups have different policies applied to their devices, then...

After a device connects and the user signs in, the Dashboard client page for that device will show its policy as "normal", but the group policy based on AD membership appears to have actually been applied to the device and the rules in the AD policy are being followed correctly. On the Network-wide --> Configure --> Group Policies page, it always states that there are zero affected clients in the policies based on AD membership, regardless of how many devices may actually be connected. If I subsequently manually apply a different group policy to one of these devices via its client page in the Dashboard, rules from this new policy are followed, but the rules in the policy assigned based on AD membership are ALSO still being followed. It is as if the device is now affected by TWO group policies.

Now, let's switch things up. If I change the SSID to use a WPA2 password instead of a splash page, set the IP assignment method to Bridge mode, tag the devices with a VLAN, and have a server on that VLAN handle DHCP, then the behavior of group policies changes. If a user on a domain-joined workstation logs into that device, then the appropriate AD-assigned group policy is applied during that user's session. If a different user subsequently signs in, then the AD-assigned policy for the new user gets applied instead. But the group policy seems to be only partially applied. Layer 3 and Layer 7 rules are inconsistently applied, and none of the overrides or appends in the 'Security Appliance' section of the group policy seem to have any effect whatsoever.

However, if a user signs into the device with a local account, then no custom group policy is applied and the device is given a "normal" status. If I create a new group policy and tag it with the correct VLAN, then this policy gets applied to the non-domain computer instead. But like before, only some of the policy seems to be applied. Layer 3 & 7 rules are inconsistent and the 'Security Appliance' customization is ignored.

Finally, if I tweak things so the Layer 3 MS switch handles DHCP for the VLAN, domain workstations are out of luck entirely, but things get a little bit better for the non-domain computers... Now if I set a custom policy and tag it with the appropriate VLAN, then it will be applied to the devices that connect and the Layer 3 rules will work properly. Layer 7 is still spotty, and any Security Appliance customization is still ignored.

My assessment of these observations is that if I want a group policy to be completely and reliably applied to a device, then I need to let the MX handle DHCP. If I let the MS Layer 3 switch handle DHCP, I lose the ability to customize content filtering and threat protection on the MX. If I let my Windows domain controller handle DHCP, then all I am left with is the ability to regulate bandwidth and scheduling.

Thanks for taking the time to read my lengthy post. Am I understanding group policy behavior correctly?
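One way to check what the Dashboard actually records for each client, independent of what the client page or the "affected clients" counter displays, is to pull the group-policy list, the client list and each client's policy record through the Dashboard API and join them. The script below is an added example written for this post; it is not the original poster's code and not a Cisco Meraki tool. It assumes the Dashboard API v1 endpoints `GET /networks/{networkId}/groupPolicies`, `GET /networks/{networkId}/clients` and `GET /networks/{networkId}/clients/{clientId}/policy` with the response fields used here (`groupPolicyId`, `name`, `id`, `mac`, `user`, `ssid`, `vlan`, `devicePolicy`), and the sample responses at the bottom are constructed, not captured from a real network. The `MERAKI_API_KEY` and `MERAKI_NETWORK_ID` environment variable names are this example's own choice.

```python
"""Audit which Meraki group policy the Dashboard records for each client.

Added example, not code from the original post or from Cisco Meraki.
Assumes the Dashboard API v1 endpoints and field names named in the lead-in;
the SAMPLE_* data below is constructed so the script runs offline.
"""
import json
import os
import urllib.request
from collections import Counter

BASE = "https://api.meraki.com/api/v1"


def fetch_json(path, api_key):
    """GET one Dashboard API path using the X-Cisco-Meraki-API-Key header (assumed)."""
    req = urllib.request.Request(
        BASE + path,
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_policies(group_policies, clients, client_policies):
    """Join the three responses into one row per client.

    group_policies:  list from /networks/{id}/groupPolicies
    clients:         list from /networks/{id}/clients
    client_policies: {clientId: dict from /networks/{id}/clients/{clientId}/policy}
    Returns (rows, counts): rows carry what the Dashboard records per client,
    counts maps each policy name (or "Normal") to how many clients carry it,
    which is the number the Group Policies page's "affected clients" should show.
    """
    names = {p["groupPolicyId"]: p["name"] for p in group_policies}
    rows = []
    for c in clients:
        pol = client_policies.get(c["id"], {})
        device_policy = pol.get("devicePolicy", "Normal")
        gp_name = None
        if device_policy == "Group policy":
            # A policy id the Dashboard no longer knows is reported as its raw id.
            gp_name = names.get(pol.get("groupPolicyId"), pol.get("groupPolicyId"))
        rows.append({
            "mac": c["mac"],
            "user": c.get("user"),      # splash/802.1X identity, if the API has one
            "ssid": c.get("ssid"),
            "vlan": c.get("vlan"),
            "devicePolicy": device_policy,
            "groupPolicy": gp_name,
        })
    counts = Counter(r["groupPolicy"] or r["devicePolicy"] for r in rows)
    return rows, counts


def audit_network(network_id, api_key):
    """Live variant: fetch the three endpoints for one network, then audit them."""
    gps = fetch_json(f"/networks/{network_id}/groupPolicies", api_key)
    clients = fetch_json(f"/networks/{network_id}/clients?timespan=86400", api_key)
    cps = {
        c["id"]: fetch_json(f"/networks/{network_id}/clients/{c['id']}/policy", api_key)
        for c in clients
    }
    return audit_policies(gps, clients, cps)


# Constructed sample responses (not captured from a real Dashboard).
SAMPLE_GROUP_POLICIES = [
    {"groupPolicyId": "101", "name": "AD-Staff"},
    {"groupPolicyId": "102", "name": "AD-Students"},
]
SAMPLE_CLIENTS = [
    {"id": "k1", "mac": "aa:aa:aa:aa:aa:01", "user": "jdoe", "ssid": "Corp", "vlan": "10"},
    {"id": "k2", "mac": "aa:aa:aa:aa:aa:02", "user": "asmith", "ssid": "Corp", "vlan": "10"},
    {"id": "k3", "mac": "aa:aa:aa:aa:aa:03", "user": None, "ssid": "Corp", "vlan": "20"},
]
SAMPLE_CLIENT_POLICIES = {
    "k1": {"mac": "aa:aa:aa:aa:aa:01", "devicePolicy": "Group policy", "groupPolicyId": "101"},
    "k2": {"mac": "aa:aa:aa:aa:aa:02", "devicePolicy": "Normal"},
    "k3": {"mac": "aa:aa:aa:aa:aa:03", "devicePolicy": "Group policy", "groupPolicyId": "102"},
}

if __name__ == "__main__":
    key = os.environ.get("MERAKI_API_KEY")
    net = os.environ.get("MERAKI_NETWORK_ID")
    if key and net:
        rows, counts = audit_network(net, key)
    else:
        rows, counts = audit_policies(SAMPLE_GROUP_POLICIES, SAMPLE_CLIENTS, SAMPLE_CLIENT_POLICIES)
    for r in rows:
        print(f"{r['mac']}  user={r['user']!s:10} vlan={r['vlan']!s:4} -> {r['groupPolicy'] or r['devicePolicy']}")
    print(dict(counts))
```

Run it with the two environment variables set to audit a real network, or without them to see the join over the constructed data. A client whose traffic follows an AD-mapped policy while its row here still says `Normal` tells you the policy is being enforced somewhere the per-client policy record does not capture, which is worth including when you open a case with support.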