At this point I would reach out to support. This is defiantly not working as intended. ... View more

Session time out and idle time out are 2 different timers. I found a good description of the timers on this MR KB. Are you doing MAB auth or 802.1x for the devices down stream of the phones, because when the re-auth timer hits 802.1x auth should fail but MAB may still stick.   https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Splash_Page   I haven't been able to find a KB that lists supportes radius vars for the MS side.  ... View more

Hey bigben386,   What radius server are you using?   I have seen similar behavior in traditional Cisco(Catalyst) with IP phones. The IP Phone keeps the session active even if the device is disconnected from the phone. We added an idle timeout to the session on the radius server. I'm not sure if the MS devices support that setting.  ... View more

Hey Tom42,   The MRs will work with all sorts of radius based solutions for NAC. The support matrix you really need to look at is the NAC to OS. The MRs just pass the radius traffic. Can you provide a link to the doc you are looking at?   This article refers to using Cisco ISE as as the NAC solution: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_WPA2_Enterprise_with_RADIUS_using_Cisco_ISE     ... View more

Hey AKR,   To mimic open monitor mode I believe we would assign an "Access Policy" to the port that was configured to have "URL redirect walled garden" enabled and allow access to 0.0.0.0/0.       ... View more

Hello all,   Name is John Cottage. I work for a Cisco VAR in the NYC tri-state area. My main focus is Cisco's security portfolio(ISE, SteathWatch, Firepower, AMP). As there is now alot of integration and overlap with the Meraki offerings, I do alot of Meraki installs as well.    From the Meraki cert side I have both the CMNO and CMNA ... View more

Make sure you have captive portal strength set to "Block all access untill sign-on is complete".   Windows should notice it can't get to the internet and detect the splash page and prompt you to "log in to wifi". When you click the prompt Windows will then launch the default browser(Chrome, Firefox,....why would using anything else..) to the following URL: http://www.msftconnecttest.com/redirect    This is obviously the ideal scenario and works 80-90% of the time. For the other uses cases I have used http://neverssl.com. Web site owner made it for this exact use case.      ... View more

I don't believe you can use a group policy to change the " Client IP assignment" mode from VPN to bridge. This is set at the SSID not at the host.   You can however use a group policy to change a vlan and add ACLs to host.   ... View more

VS,   Adding the airspace ACL/group policy is not a requirement after the user is authenticated. The COA sent from ISE will start a new session with the new information. However adding a group policy that only allows access to the internet is a great defense in depth strategy in case something else happens.   ... View more

Hey Tony,   Is the goal to replace the ASA? ... View more

Hey TonyBoy,   With out knowing more about your topology I personally cant give you a 100% answer however I can tell you that as long and the MX and the 3750 have IP interfaces on the same vlan you will be able to route between them.    Side Note: using vlan 1 is against best practice in Cisco world but not necessarily in the Meraki world ... View more

Based on my historical work with HP switches the untagged vlan is the same thing as the "native" vlan in cisco speak  ... View more