So when you consent, it will only apply the consent to what is needed. And I think it being an app means that it has it's own built in connection strings, forgive me if I'm not understanding the question. I take it you setup a user account for the access assuming it needed an api key to do it. As far as I have seen, the SSO integrations don't require api keys or access. I've only recently started playing with SSO, but as far as I know and I could be very wrong here, but the token generated by the logon session carry's with it certain data that is passed to the requesting server via the users interaction. So there is do "direct" call from entra to meraki and vice versa.  Everything is done via the browser session and the tokens contain the data that each need to cater for, and checks are done to ensure that the app requesting the access is authorised to.   I started uat on my setup yesterday, and it's working so far. I do have to add more groups to the allowed to access for larger adoption, but I'm testing different scenarios at the moment and for security and what the benefit is and what hindrance the users could suffer. ... View more

@Joewro can you confirm your license level meets the requirements for the feature? I believe the wireless Entra SSO integration needs a minimum license level of Enterprise. https://community.meraki.com/t5/Feature-Announcements/Microsoft-Entra-ID-Integration-with-Splash-Page-is-Now-Available/ba-p/276038   The last screenshot you posted isn't where you enable the sso for the splash page, the sso mentioned there is for the dashboard only, and if you turn it on, please ensure you have a second account that isn't part of your sso to use, as it can lock out existing accounts which have the same email address as both a user in the dash, and and as a sso user. (Just a warning for that one) https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard   For wireless SSO integration, go to Wireless> Under the "Configure" Column on the right of the pop out menu, click on "Access Control" In the top left, select your ssid, and under Security set to Open, under splash page, where you see Sign on with, which is typically set to Meraki Cloud Auth, select that option and then click on the drop down and select Entra ID as the logon method. In the doc below there are a number of sites in specific places that need to be configured correctly for the authentication channels to be allowed by the firewall and wifi for users to communicate with meraki and microsoft and pass the token generated by the clients sign in event to the meraki ap's and dash so they are aware of the successful event and provide the client access.   https://documentation.meraki.com/MR/Design_and_Configure/Encryption_and_Authentication/Microsoft_Entra_ID_Integration_with_Splash_page When you configure the walled garden, they provide a link to a list of MS sites that you need to add to the walled garden exclusion list to allow the requests through, I went with the top 3 categories, the general would allow way too much for my liking.   The 3 category's to reference urls for in the doc below are: Azure Portal Auth Azure portal framework Account data Now we get to the part where you had issues, click on the link to create the application, and follow through to the error https://login.microsoftonline.com/organizations/adminconsent?client_id=d1b29572-1b35-40cc-9152-a8056ab586c4 After you have confirmed and created the app, and ended up with your error...   Go into entra ID and find the application Cisco Meraki Network Access under the enterprise applications. Double click on the app and in the left column, click on permissions then click to provide Admin consent on behalf of your company.   You will be required to confirm your account and immediately after that, you will see the same page that caused your initial error you logged. Only this time it will be successful. And now the app will have the required consent for you to continue with the single sign on portal setup. Essentially you have to fail to succeed in this case.  ... View more

oh yes. Also, as I discovered yesterday, dynamic ports aren't considered or catered for in rules, so even though traffic is destined for a port and the service typically is available on that port, the MX doesn't pick up that the port could be dynamic from the source, and record the traffic or attempt to do anything because you defined a specific port on both sides. I loathe the use of "Any" in any situation other than a deny. It's just poor management practices.  ... View more

Thanks Alemabrahao, it's actually the biggest failing point of what is a phenomenal solution. But anyone that has worked with a 'Security Appliance" before would know what I mean when I say, the way it's currently expected to be used leaves too much room for mistakes, especially in larger networks, I get the ease of management, I do, but if there is one thing you don't allow room for mistakes, it's the security that sits in between your vlans, and at your perimeter. I'm the only one that has taken the time to learn the equipment out of a team of 3, I've sat most nights running through courses and reading the docs (Sorry RWelch didn't mean to do that) and I'm the only one that has actual experience managing firewalls, so, what happens when I'm away or unavailable and someone else who doesn't understand the intricacies of the system tries to apply a rule? The format is geared for a single vlan configuration, not for something that actually requires a bit thought. We all know how dangerous a bit of knowledge is, now make it look simpler than it is and you have a security incident on your hands. I mean it's cisco, grab an engineer and ask him what he expects on a management page at minimum. The platform is fantastic, and I honestly am loving it. I just want the most dangerous part to have more context and structure. ... View more

  So, on the 53 rule for monitoring. Managed to figure that one out. The trick was to be less specific. So source port any, destination port 53, then vlans in the source by their object names, which were configured already, to destination object names, both dc's. And the hits started rolling.  RWelch, I'm dealing purely with firewall rules, no custom group policies or the like. Pure layer 3 inter-vlan firewall rules. Nothing else, because I work methodically, and you can't add more complex things on top until you have the fundamentals working properly. And with all you said, you never actually answered my question, which was on the last line. I wanted a solution that is cleaner than this mess. And whether it's perfect outlined in perfectly listed order or not, I don't like the way it's laid out, and was asking for another solution, something you completely glossed over. Instead it was just suffer like the rest of us. Which I choose not to do.    So thought well I'm bored, I'll just roll my own. Because accepting mediocre is not something I do personally. ... View more

  "The hit counter only increments for traffic that matches the rule exactly. If you’re not seeing hits, double-check the source/destination, protocol, and port definitions. DNS traffic (port 53) may be bypassing the MX if clients use external DNS." Just on this one @RWelch That i understand, but I control the dhcp, and it doesn't matter if I put the rule on for my IP with the destination being directly to my DNS servers, and place the rule at number 1 and 2 in the list and then spend the rest of the day browsing the internet, not a single hit that have I seen. For both tcp and udp traffic, it boggles my mind a bit. I just don't see a hit on the rule. I've even tried to give myself a static IP with static dns servers and tried from a few different vlans to ensure that I traverse the firewall, so definitely not intra-vlan, and I will get el squatto. Nada. Zip. Zero. Nothing. Not a single hit. But, I agree, people could be setting external DNS's servers, but if a single staff member wanted to work at all in the day (I do question whether this happens at all sometimes), they would need to have my internal AD servers as DNS in order to successfully authenticate to the internal systems, and that traffic would come from the user vlan, and traverse the firewall, so at least a few hits should be seen. Also, we don't allow staff to edit firewall or network configurations via group policy, so if all 355 staff really did go to the lengths needed to by pass all of that and actually know what a dns server is, I would be both impressed and worried. Our oldest professor makes my grandad look like a spring chicken. And he curses at his phone most the day. I'm pretty sure it's a nokia too, so not overly complicated. ... View more

Thanks @PhilipDAth I'll do so in future, but the only reason I use the hit counter is to see whether a rule being applied is being hit before the subsequent rules, it helps to ensure I don't block something, so first I will set it to enabled and see how much traffic is hitting it, from there I'll make the call on whether to flip it over to deny. It's typically used as a gauging tool to measure the level of "entropy" you will introduce to your life before enacting said life changing rule. Sometimes, with the meraki firewall interface, I prepare my CV before starting my change. And tell the wife we might have to cut back on the luxury stuff, like food, for a while. ... View more

I was hoping that someone could perhaps recommend an app from the app store that could help in this. I mean, there has to be something better, or is my hope akin to that of a child that is yet to experience life? ... View more

Thanks @RWelch I have done the course you recommended above. And believe me, I'm pretty methodical with the way I do things, I have to be, I come from the finance and insurance industry originally, and believe me they can be pretty....  It's why I'm battling to say the least, I'm used to a more organised and clinical format, and it doesn't help that the company that deployed the initial equipment for us were also still learning the product. So at this point, I'm doing cleanup, but it's hard since we technically operate 24 hours a day, being a campus. I've put my port on a test VLAN and typically add my rules there to test before roll out. I like to group my rule sets together, so by vlan essentially, but the list of everything together get's to me. Even using the search just to narrow it down to a specific vlan and the rules associated to it, has lead to me deploying a rule in the wrong place and it just doesn't work. So I was hoping there was a way or an app or service that would organise the rules in a easier to use manor.  ... View more

Done and Dusted! ... View more

Hi All,   Sorry for the radio silence after posting this, had a short break this week. @PhilipDAth Thanks for those, I'll check them out, the CMNA is definitely one I would like to do myself. @KathleenJ This would be awesome, we work through a local partner in SA, does that matter? ... View more

Hi Darren, Quite a few of them were involved in the deployment of the solution, I want them to get more experience on the interface side of things and also to up skill themselves, and learn proper trouble shooting and information gathering, and it's importance. So from an interface side and technology front, I believe the meraki classes can add benefit, on the troubleshooting and information gathering side, that's more on me, and it's something I plan to focus on in the coming months. But thanks I do agree, there are aspects that can be filled on both fronts.   Thanks   ShaunCro ... View more

Congrats to the winners! ... View more

Optimizing Meraki-Managed Uplink   Helped me finally understand rstp and it's function, which helped me resolve a number of issues plaguing our recent install. ... View more