Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About ShaunCro
About ShaunCro
ShaunCro
Here to help
Member since May 6, 2025
Wednesday
Community Record
20
Posts
16
Kudos
1
Solution
Badges
The Certificate Authority is no longer trusted by Android, the root cert that confirms the authenticity of the provider of the certificate used to encrypt the Wi-Fi connections has been removed by Android, this means that the device doesn't see the certificate as valid because it has no way of confirming that the authenticity of the certificate chain. Unfortunately we have 3 choices, 1. Host our own based on radius with our own trusted certs 2. Go with a 3rd party solution. 3. Wait for someone at cisco to realize they can use a cert from another provider to encrypt *.network-auth.com.
... View more
Me too, setup certbot, and forget about it. It just works. Love letsencrypt.
... View more
I did. Ticket is pending closure waiting for android or cloudfare to fix it.
... View more
So today I was testing a QR code to all for easier connections to our Guest Wifi, which see's around 3000 users a week. When I connected I got an error that the Network had security issues. So I immediately check on my laptop, no issue, find someone with an apple device, and that is fine too. Go back and check the cert and it looks fine, it hasn't expired, can't see anything of wrong, but android devices are saying that the cert is untrusted. Do a little digging around and find a post on Cloudfares community, seems that Android has decided to remove ssl.com as a trusted CA from the android system. This particular cert is issued by ssl.com, so seems like who ever is as lucky as we are, are going to be suffering till either the cert is renewed with a different CA, or Androids next update includes the ssl.com CA cert again. Because there is no way for us to fix it, and support think that Android possibly fixing it in the next release, which should be around this time next year, is the solution to the ticket I logged earlier. Should be fun. CA cert for the guest wifi. Apparently both Cloudfare and They are aware of it, but can't do anything. So instead of thinking out of the box on this one and issue a letsencrypt cert for the interim, or asking cloudfare to rekey the cert with another provider, anything. Thats the solution. Wait and see. I can't change the wifi connection process till Jan, we in the middle of exams and students use the network to write. And the predominant device that connects to our Guest Wi-Fi is an Android phone. So if you start getting complaints. This is why. https://community.cloudflare.com/t/android-webview-ssl-error-certificate-authority-is-not-trusted-when-using-cloudf/846481
... View more
Oct 22 2025
12:54 AM
So when you consent, it will only apply the consent to what is needed. And I think it being an app means that it has it's own built in connection strings, forgive me if I'm not understanding the question. I take it you setup a user account for the access assuming it needed an api key to do it. As far as I have seen, the SSO integrations don't require api keys or access. I've only recently started playing with SSO, but as far as I know and I could be very wrong here, but the token generated by the logon session carry's with it certain data that is passed to the requesting server via the users interaction. So there is do "direct" call from entra to meraki and vice versa. Everything is done via the browser session and the tokens contain the data that each need to cater for, and checks are done to ensure that the app requesting the access is authorised to. I started uat on my setup yesterday, and it's working so far. I do have to add more groups to the allowed to access for larger adoption, but I'm testing different scenarios at the moment and for security and what the benefit is and what hindrance the users could suffer.
... View more
Oct 19 2025
12:19 PM
@Joewro can you confirm your license level meets the requirements for the feature? I believe the wireless Entra SSO integration needs a minimum license level of Enterprise. https://community.meraki.com/t5/Feature-Announcements/Microsoft-Entra-ID-Integration-with-Splash-Page-is-Now-Available/ba-p/276038 The last screenshot you posted isn't where you enable the sso for the splash page, the sso mentioned there is for the dashboard only, and if you turn it on, please ensure you have a second account that isn't part of your sso to use, as it can lock out existing accounts which have the same email address as both a user in the dash, and and as a sso user. (Just a warning for that one) https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard For wireless SSO integration, go to Wireless> Under the "Configure" Column on the right of the pop out menu, click on "Access Control" In the top left, select your ssid, and under Security set to Open, under splash page, where you see Sign on with, which is typically set to Meraki Cloud Auth, select that option and then click on the drop down and select Entra ID as the logon method. In the doc below there are a number of sites in specific places that need to be configured correctly for the authentication channels to be allowed by the firewall and wifi for users to communicate with meraki and microsoft and pass the token generated by the clients sign in event to the meraki ap's and dash so they are aware of the successful event and provide the client access. https://documentation.meraki.com/MR/Design_and_Configure/Encryption_and_Authentication/Microsoft_Entra_ID_Integration_with_Splash_page When you configure the walled garden, they provide a link to a list of MS sites that you need to add to the walled garden exclusion list to allow the requests through, I went with the top 3 categories, the general would allow way too much for my liking. The 3 category's to reference urls for in the doc below are: Azure Portal Auth Azure portal framework Account data Now we get to the part where you had issues, click on the link to create the application, and follow through to the error https://login.microsoftonline.com/organizations/adminconsent?client_id=d1b29572-1b35-40cc-9152-a8056ab586c4 After you have confirmed and created the app, and ended up with your error... Go into entra ID and find the application Cisco Meraki Network Access under the enterprise applications. Double click on the app and in the left column, click on permissions then click to provide Admin consent on behalf of your company. You will be required to confirm your account and immediately after that, you will see the same page that caused your initial error you logged. Only this time it will be successful. And now the app will have the required consent for you to continue with the single sign on portal setup. Essentially you have to fail to succeed in this case.
... View more
Oct 16 2025
6:56 AM
oh yes. Also, as I discovered yesterday, dynamic ports aren't considered or catered for in rules, so even though traffic is destined for a port and the service typically is available on that port, the MX doesn't pick up that the port could be dynamic from the source, and record the traffic or attempt to do anything because you defined a specific port on both sides. I loathe the use of "Any" in any situation other than a deny. It's just poor management practices.
... View more
Oct 16 2025
5:32 AM
Thanks Alemabrahao, it's actually the biggest failing point of what is a phenomenal solution. But anyone that has worked with a 'Security Appliance" before would know what I mean when I say, the way it's currently expected to be used leaves too much room for mistakes, especially in larger networks, I get the ease of management, I do, but if there is one thing you don't allow room for mistakes, it's the security that sits in between your vlans, and at your perimeter. I'm the only one that has taken the time to learn the equipment out of a team of 3, I've sat most nights running through courses and reading the docs (Sorry RWelch didn't mean to do that) and I'm the only one that has actual experience managing firewalls, so, what happens when I'm away or unavailable and someone else who doesn't understand the intricacies of the system tries to apply a rule? The format is geared for a single vlan configuration, not for something that actually requires a bit thought. We all know how dangerous a bit of knowledge is, now make it look simpler than it is and you have a security incident on your hands. I mean it's cisco, grab an engineer and ask him what he expects on a management page at minimum. The platform is fantastic, and I honestly am loving it. I just want the most dangerous part to have more context and structure.
... View more
Oct 15 2025
9:41 PM
So, on the 53 rule for monitoring. Managed to figure that one out. The trick was to be less specific. So source port any, destination port 53, then vlans in the source by their object names, which were configured already, to destination object names, both dc's. And the hits started rolling. RWelch, I'm dealing purely with firewall rules, no custom group policies or the like. Pure layer 3 inter-vlan firewall rules. Nothing else, because I work methodically, and you can't add more complex things on top until you have the fundamentals working properly. And with all you said, you never actually answered my question, which was on the last line. I wanted a solution that is cleaner than this mess. And whether it's perfect outlined in perfectly listed order or not, I don't like the way it's laid out, and was asking for another solution, something you completely glossed over. Instead it was just suffer like the rest of us. Which I choose not to do. So thought well I'm bored, I'll just roll my own. Because accepting mediocre is not something I do personally.
... View more
Oct 15 2025
12:54 PM
"The hit counter only increments for traffic that matches the rule exactly. If you’re not seeing hits, double-check the source/destination, protocol, and port definitions. DNS traffic (port 53) may be bypassing the MX if clients use external DNS." Just on this one @RWelch That i understand, but I control the dhcp, and it doesn't matter if I put the rule on for my IP with the destination being directly to my DNS servers, and place the rule at number 1 and 2 in the list and then spend the rest of the day browsing the internet, not a single hit that have I seen. For both tcp and udp traffic, it boggles my mind a bit. I just don't see a hit on the rule. I've even tried to give myself a static IP with static dns servers and tried from a few different vlans to ensure that I traverse the firewall, so definitely not intra-vlan, and I will get el squatto. Nada. Zip. Zero. Nothing. Not a single hit. But, I agree, people could be setting external DNS's servers, but if a single staff member wanted to work at all in the day (I do question whether this happens at all sometimes), they would need to have my internal AD servers as DNS in order to successfully authenticate to the internal systems, and that traffic would come from the user vlan, and traverse the firewall, so at least a few hits should be seen. Also, we don't allow staff to edit firewall or network configurations via group policy, so if all 355 staff really did go to the lengths needed to by pass all of that and actually know what a dns server is, I would be both impressed and worried. Our oldest professor makes my grandad look like a spring chicken. And he curses at his phone most the day. I'm pretty sure it's a nokia too, so not overly complicated.
... View more
Oct 15 2025
11:57 AM
2 Kudos
Thanks @PhilipDAth I'll do so in future, but the only reason I use the hit counter is to see whether a rule being applied is being hit before the subsequent rules, it helps to ensure I don't block something, so first I will set it to enabled and see how much traffic is hitting it, from there I'll make the call on whether to flip it over to deny. It's typically used as a gauging tool to measure the level of "entropy" you will introduce to your life before enacting said life changing rule. Sometimes, with the meraki firewall interface, I prepare my CV before starting my change. And tell the wife we might have to cut back on the luxury stuff, like food, for a while.
... View more
Oct 15 2025
10:54 AM
I was hoping that someone could perhaps recommend an app from the app store that could help in this. I mean, there has to be something better, or is my hope akin to that of a child that is yet to experience life?
... View more
Oct 15 2025
8:24 AM
Thanks @RWelch I have done the course you recommended above. And believe me, I'm pretty methodical with the way I do things, I have to be, I come from the finance and insurance industry originally, and believe me they can be pretty.... It's why I'm battling to say the least, I'm used to a more organised and clinical format, and it doesn't help that the company that deployed the initial equipment for us were also still learning the product. So at this point, I'm doing cleanup, but it's hard since we technically operate 24 hours a day, being a campus. I've put my port on a test VLAN and typically add my rules there to test before roll out. I like to group my rule sets together, so by vlan essentially, but the list of everything together get's to me. Even using the search just to narrow it down to a specific vlan and the rules associated to it, has lead to me deploying a rule in the wrong place and it just doesn't work. So I was hoping there was a way or an app or service that would organise the rules in a easier to use manor.
... View more
Oct 15 2025
4:44 AM
1 Kudo
Done and Dusted!
... View more
Oct 15 2025
4:01 AM
Hi All, I work for a Uni in SA, we just moved over our old network to a full meraki deployment and..... I'm loving it. The amount of info available in one place and at the click of a mouse button is just awesome. There is, how ever, one thing that I'm not enjoying and that is the layout of the Meraki firewall rules, coming from a fortigate background where I have always done my inter-vlan routing, they don't make sense to me, just a convoluted list of stuff thrown on a web page with no segregation by vlan or interface, be it virtual or physical, and to be honest, I am battling to get the rules in place that I need. I have 24 vlans that I manage. For instance, I'll add a rule right at the top of the list, just to watch the hit counter, and it will stay on 0, and its not because I am expecting something to hit it too quickly, I can leave the page open for hours and never see anything hit port 53 from any of the vlan's even though the rule is specific to our internal dns servers, as a real example I have attempted a few times. We are running 2 x MX250's in HA (Hot\Warm) spare config with auto failover and it just works, haven't had an issue there, but the rules..... I can add stuff in any order and don't see hits, but others I do, to me it's a mess. Is there something out there that can add some sanity to the entropy? What is everyone using to manage their rules properly and get proper visibility of the rules in place for the different vlans? Thanks ShaunCro
... View more
Aug 7 2025
11:53 PM
2 Kudos
Hi All, Sorry for the radio silence after posting this, had a short break this week. @PhilipDAth Thanks for those, I'll check them out, the CMNA is definitely one I would like to do myself. @KathleenJ This would be awesome, we work through a local partner in SA, does that matter?
... View more
Aug 7 2025
11:50 PM
Hi Darren, Quite a few of them were involved in the deployment of the solution, I want them to get more experience on the interface side of things and also to up skill themselves, and learn proper trouble shooting and information gathering, and it's importance. So from an interface side and technology front, I believe the meraki classes can add benefit, on the troubleshooting and information gathering side, that's more on me, and it's something I plan to focus on in the coming months. But thanks I do agree, there are aspects that can be filled on both fronts. Thanks ShaunCro
... View more
Aug 3 2025
12:54 PM
Hi All, Name is Shaun, and hail from the Southern most tip of Africa, aptly named, South Africa. We just deployed a full Meraki network solution to our uni's campus (I'm loving it by the way), and I want to get our first and second line help desk teams trained up to become wifi ambassadors on the campus, so that instead of passing the calls straight to me, they can start resolving issues at the first and second tier. Also I really want them to see how awesome the product is and actually take ownership of every ticket because they have the visibility and information right in front of them to resolve the issues. I want them all to take training before I give them the rights though, the access should be a reward for making it through, not just another system to look after. Which courses do you think best to get them on this path? I was thinking of the below courses, but I haven't done them all myself, so am unsure which would best suit their role, and benefit them, and just as importantly, our students, staff and visitors the most in this area. Introducing the Meraki Platform. Introducing Cisco Meraki Cloud-First Wireless. Wireless Fundamental Implementation. Troubleshooting with Meraki Are there any modules that deal directly with Guest wifi that we should consider? As this is essentially the main network on campus and is the network that all students sign on to and any visitor to the campus. Thanks in advance. ShaunCro
... View more
Jul 28 2025
11:55 PM
2 Kudos
Congrats to the winners!
... View more
Jul 18 2025
3:47 AM
3 Kudos
Optimizing Meraki-Managed Uplink Helped me finally understand rstp and it's function, which helped me resolve a number of issues plaguing our recent install.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 928 | Oct 19 2025 12:19 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 2445 | |
| 3 | 16245 | |
| 2 | 2430 | |
| 2 | 905 | |
| 2 | 1236 |
© 2025 Cisco Systems, Inc.
