What software do you use here to get the data? I am pretty sure the client software messes something up here. How does it look in Postman or called by the python-SDK? ... View more

something like this?   ... View more

In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network) he can't make sure that the user connects with domain-credentials from his personal PC. But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation. ... View more

Not sure if NPS supports it. This is for Cisco ISE, perhaps you can adopt it:   https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html ... View more

The already suggested EAP-TLS is sadly not enough to solve this as the machine- and user authentication is decoupled. There are some workarounds but the only real way is to use TEAP (or the previous version EAP-FAST) as the EAP method because  here we can do EAP-Chaining which couples the user-authentication to the already done machine-authentication. ... View more

The behaviour on the MX is also explained in the following document: https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X)#MX_and_Z3_Source_IP_for_RADIUS_Authentication ... View more

No, the AP and the Sentry client need to be in the same org. With that it would work for the clients still on the legacy SM but not for new new "regular" clients. ... View more

No, the main purpose is to act as a VPN-concentrator and not as a "real" firewall. ... View more

If you do a complete relicense, the old 200 days are gone and the new license is what is used. Better buy the new devices and the following licenses: 1 x MX95 - Adv Sec. 5 x MR-ENT 1 x MS225-24P And then add these licenses for new devices. Now the new licenses will merge into the old licenses. Ok, you now have licenses for the old and the new MX, but the old MX could be used as a cold spare or for a different purpose. ... View more

The “prevent” option would be to implement 802.1X in single host mode. It would not act on an unmanaged switch alone, but on the second device on it. Another and more easy step would be to enable BPDU guard on all user facing ports. Again, not for the cheap unmanaged switches. A “detection” method would be to look for ports with more than one MAC address. I didn’t look but would assume that this should also be possible with the API. ... View more

The best feature is the adding of pictures to document the placement of the APs. ... View more

Oh, back in the fantastic four group …. Congratulation to all who have their names listed here!  😀 ... View more

Sometimes you want that also the branch offices send the internet traffic first to the Hub and from there into the internet. One reason could be that your MXes only have the Enterprise license without any NGFW security. But on the headquarter you have an additional NGFW to protect the traffic. Here it could be useful to use the headquarter as the central internet break out. ... View more

If you want to connect remote users, AnyConnect is the way to go. After establishing a connection to your VPN-gateway (whichever this is) the users can use the AutoVPN connection on the gateway to connect to other sites if your access-control and routing allows this. ... View more

If both are in the same dashboard organisation, you can use AutoVPN to connect them. ... View more

You say the SSID is broadcasted but you also say you get no signal. But that is contradictory.  Have you checked with a WLAN scanner? And in the dashboard, what does the individual AP list?   ... View more

I am pretty sure there is no deny message. To deliver this message the AP or MX had to intercept the TLS connection which these devices don’t do. Cisco Firerpower could do that but I would better look into Umbrella SIG if this block page is needed. ... View more

At a customer location we have quite a few MR57 that we run with 40MHz width and dual 5GHz as there are so little 6GHz clients at the moment. The Access layer are mainly MS225, so no MGig. The uplink rate is far away from 1 Gig and also new floors don’t get equipped with MGig switches. Our main thought is that we (in Germany) won’t use 80MHz channels for quite some time. And even with 80 on 6 GHz and 40 on 5 GHz, we will only hit the 1Gig uplink from time to time. And for that it is not financially useful to invest in MGig switches already. And with the MR57 having dual uplinks (which we don’t have at all AP locations) I am pretty sure we are fine with that for quite some time. ... View more

There is soooo much that needs to be considered here that you really should look for a Cisco partner to support you. But in general: The MX is typically "only" the firewall and doesn't care if the network has APs from vendor A or vendor B. With Meraki APs, the MX can take the role that is known as an anchor controller in the traditional Cisco wireless world. It is not possible to mix traditional Cisco and Meraki for this function. If you buy Catalyst 9100 APs, you need a compatible controller which could be any of the c9800-series. Your older Aironet 1832 can still run on this controller. ... View more

The firewall rules are stateful. You only have to allow the initial packet for a traffic flow and the return traffic is allowed automatically. My way to make sure that not too much traffic is allowed is described at the beginning of this discussion. ... View more

I was referring to overlapping subnets *inside* your own controlled infrastructure (which is DMZ to internal communication). For Extranet S2S, yes, that is a different story, but with that the MX falls behind anyhow. ... View more

The VMX is a license-only "device". Of course there has to be a cloud instance to run the VMX on that will have an additional cost, but in regards of the dashboard licenses, only the VMX license of the appropriate size is needed. ... View more

Usage plays certainly an important role here. Although an AP doesn't do into sleep as a client does, when there is nothing to transmit, the power consumption has to be lower than with an active transmission. Same is for the usage of the radio chains. When the AP only sends beacons to advertise its existence less power has to be consumed compared to a 4 SS transmission where all radio chains are active and the DSP has to calculate a lot. ... View more

But keep in mind that you shouldn't be in an area where "Winter" is available unless you have a temperature controlled enclosure: Operating temperature: 32 °F to 104 °F (0 °C to 40 °C)    ... View more