I'm hoping someone from Meraki can comment on this feature.  It's crazy that it does not exist yet. ... View more

You are looking for SNAT, which Meraki can't do for some reason even though most $100 firewalls can do it.  We are considering leaving Meraki because of this.  It makes it really difficult to do IP allow-listing because your guest network goes out the same IP as your corporate network.  It's embarrassing that this hasn't been implemented yet. ... View more

We have an HA pair of MX95's that are having issues with split tunnel in Any Connect.  We pointed our users to an MX67 with the same firmware an it works fine so I don't know if the issue is specific to the MX95, or the HA setup. ... View more

We have the same problem with our MX95 cluster.  I guess the cluster loses track of who the primary node is and chaos ensues.  We opened a support case and they want to test a new firmware.  Unfortunately, we can't test until the end of September because we can't have our network meltdown again during a 24/7 operation.  The other suggestion they had was to break the cluster and upgrade independently and then rejoin. ... View more

The design spec is solid, but in practicality it doesn't seem work properly which is the problem.  If I turn on "Block all access until sign-on is complete", I will start getting calls from our employees that their personal devices and customer devices can't surf the Internet on guest Wi-Fi.  In theory, the phones should reach out to an HTTP url and redirect to the portal, but some devices just don't behave properly.  So, I either get lots of support tickets, or I allow non-HTTP traffic prior to sign in.  Neither option is good. ... View more

This is slowly becoming a deal breaker for us as well.  With so many services moving from on-prem to the cloud we need the ability to send guest traffic out a separate IP address.  My current work around is to individually block access to all of the cloud services on every guest network.  It's like whack a mole, and I'm sure I'm missing some.  It's becoming a serious liability for us and I'm having difficulty explaining to the board why we continue to use Meraki. Is there anyone from Meraki reading this board who can chime in on this feature? ... View more

I was able to do this in 2001 with a Cisco Pix firewall.  I don't understand why this is so hard for Meraki.  It's one of the most basic features of a firewall.   ... View more

A year later and still nothing.  This is killing me.  Has anyone heard of any updates on this? ... View more

@Craig_Tompkins It's been many years since I used an ASA, but I believe you had to use a dynamic access policy (DAP) that inspects the registry on the local host.  It won't pass the computer name via radius, but rather it communicates directly with the firewall to dynamically assign the policy based on the host posture.   This link may point you in the right direction. https://community.cisco.com/t5/vpn/vpn-for-domain-computers-only/td-p/2730898 ... View more

The only way we could get it to work was to install the Windows Certificate Server web server on our certificate authority.  Each user on a Mac would have to run the certificate wizard in the keychain to create a certificate request and then submit it through the Windows certificate server.   It's not ideal, but it works.   Also, just a heads up that using MacOS certificates and AnyConnect is broken on 17.10.2.  We are working with support and are stuck on 16.16.3 right now. ... View more

Yep, same here.  We use it to monitor our robotic automation rooms and non-IT people need access to the data in CSV format.  I'm working on extracting this data from the API, but I'm having trouble with the JSON paths changing dynamically every time I run it.  It randomizes the JSON paths for each of the metrics.  I've opened a ticket with Meraki to see if they have any advice on how to keep them from changing. ... View more

I'm having the same issue.  I would love to find a way to give regular users access to only the sensors.  As far as I can tell, they need full read_only access to the entire network.  The "monitor-only" role does not seem to give access to the sensors for some reason. ... View more

I hope we finally get source NAT. ... View more

I'm dealing with this right now and I'm not actually sure how to handle this.  We use the splash page on our guest network so the guests can accept the terms of service.  It seems that I have three options.  1) Allow non-HTTP traffic and allow guest users to bypass our network firewall rules.  2) Block all access to the network until the splash page is clicked.  Knowing that half of the guest users will just time out because they are accessing HTTPS.  3) Turn off the splash page and just have an open network with no terms of service I've opened a ticket with Meraki support and I'm not sure they even understand what I'm talking about.  The Meraki documentation clearly states that what we are experiencing is as designed.  https://documentation.meraki.com/MR/MR_Splash_Page/Enabling_Click-through_splash-page   Curious, how are you all handling your guest network portals? ... View more

@Cakes I would be interested to know if you can get access to this feature.  We are considering leaving Meraki because it's becoming impossible to manage all the silly work arounds.  It didn't seem to be a priority with Meraki so we got a little hopeless.  This would be great news if they are actually going to solve this. ... View more

It's unbelievable that we still don't have this basic feature yet.  We have a lot of externally hosted services that utilize IP allow-listing and it's getting extremely difficult to manage all of the content blocking on our guest networks. I currently have to use layer 3/7 Firewall and Traffic Shaping rules to block access from guest networks to the publicly hosted services that need to be unavailable to guest networks. ... View more

We have such a small amount of Macs that I would be ok with a manual process.  Ideally, the ability to do this from the command line would be optimal.  I'm guessing there must be a way to generate a CSR and have it signed by the Windows CA. ... View more

Unfortunately, I'm not running the web enrollment feature so I don't have the web interface.  However, I can export the root CA with the MMC GUI, and also via the certutil command line with no luck.  I'm running a single CA and it seems to be functioning properly otherwise.  I'm not sure what else to do. ... View more

@FlyingDutchman That's great news.  Did you export the CA Root with or without the private key? ... View more

Good call on base 64, but that didn't seem to work either.  Same error. ... View more

I've tested on previous builds, and I'm on 16.11 now with no luck.  It's possible I'm doing something wrong or misunderstanding how this feature should work. ... View more

I'm experiencing the same issue.  I have a Windows AD CA on my local domain.  I exported the root certificate and imported it into AnyConnect.  My laptop has a device certificate signed by the root authority.  Everything looks good, but it won't let me connect and I receive a certificate error. ... View more

I suppose that would solve some of my AWS issues, but I forgot to mention we also have some sites in CloudFlare as well so it's a little more complicated.  I love Meraki, but this little limitation is killing me. ... View more