- About jcottage
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Community Record
14
Posts
7
Kudos
0
Solutions
Badges
Can you share the contents of the Authorization Profile sent from ISE to the switch. It should match whats in this KB: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1X_(RADIUS)_for_MS_Switches
... View more
At this point I would reach out to support. This is defiantly not working as intended.
... View more
Session time out and idle time out are 2 different timers. I found a good description of the timers on this MR KB. Are you doing MAB auth or 802.1x for the devices down stream of the phones, because when the re-auth timer hits 802.1x auth should fail but MAB may still stick. https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Splash_Page I haven't been able to find a KB that lists supportes radius vars for the MS side.
... View more
Hey bigben386, What radius server are you using? I have seen similar behavior in traditional Cisco(Catalyst) with IP phones. The IP Phone keeps the session active even if the device is disconnected from the phone. We added an idle timeout to the session on the radius server. I'm not sure if the MS devices support that setting.
... View more
11-01-2018
05:28 AM
Hey Tom42, The MRs will work with all sorts of radius based solutions for NAC. The support matrix you really need to look at is the NAC to OS. The MRs just pass the radius traffic. Can you provide a link to the doc you are looking at? This article refers to using Cisco ISE as as the NAC solution: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_WPA2_Enterprise_with_RADIUS_using_Cisco_ISE
... View more
10-27-2018
07:59 AM
1 Kudo
Updating old thread. You can now do layer 3 in templates https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MS_Switching/Templates_for_Switching_Best_Practices#Layer_3_Routing_.26_DHCP
... View more
10-26-2018
07:29 PM
Hey AKR, To mimic open monitor mode I believe we would assign an "Access Policy" to the port that was configured to have "URL redirect walled garden" enabled and allow access to 0.0.0.0/0.
... View more
10-23-2018
12:38 PM
2 Kudos
Hello all, Name is John Cottage. I work for a Cisco VAR in the NYC tri-state area. My main focus is Cisco's security portfolio(ISE, SteathWatch, Firepower, AMP). As there is now alot of integration and overlap with the Meraki offerings, I do alot of Meraki installs as well. From the Meraki cert side I have both the CMNO and CMNA
... View more
10-23-2018
12:23 PM
1 Kudo
Make sure you have captive portal strength set to "Block all access untill sign-on is complete". Windows should notice it can't get to the internet and detect the splash page and prompt you to "log in to wifi". When you click the prompt Windows will then launch the default browser(Chrome, Firefox,....why would using anything else..) to the following URL: http://www.msftconnecttest.com/redirect This is obviously the ideal scenario and works 80-90% of the time. For the other uses cases I have used http://neverssl.com. Web site owner made it for this exact use case.
... View more
10-23-2018
05:52 AM
I don't believe you can use a group policy to change the " Client IP assignment" mode from VPN to bridge. This is set at the SSID not at the host. You can however use a group policy to change a vlan and add ACLs to host.
... View more
10-23-2018
05:40 AM
VS, Adding the airspace ACL/group policy is not a requirement after the user is authenticated. The COA sent from ISE will start a new session with the new information. However adding a group policy that only allows access to the internet is a great defense in depth strategy in case something else happens.
... View more
10-15-2018
02:53 PM
Hey TonyBoy, With out knowing more about your topology I personally cant give you a 100% answer however I can tell you that as long and the MX and the 3750 have IP interfaces on the same vlan you will be able to route between them. Side Note: using vlan 1 is against best practice in Cisco world but not necessarily in the Meraki world
... View more
10-15-2018
02:43 PM
2 Kudos
Based on my historical work with HP switches the untagged vlan is the same thing as the "native" vlan in cisco speak
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 5146 | |
| 2 | 639 | |
| 1 | 506 | |
| 1 | 570 | |
| 1 | 1015 |
