Community Record: 59 Posts, 42 Kudos, 1 Solution
Feb 18 2025
2:25 PM
It's been almost 6 years since this post was created. How is it possible that we still can't do this? And buying a second firewall to handle guest traffic is an embarrassing solution for an "enterprise" firewall. If anyone from Meraki is listening, I beg you to please stop creating dashboards for CTOs and give us real features that engineers can use. The lack of this single feature has to be the most frustrating experience. Sorry for the rant.
Nov 6 2024
3:03 PM
I'm hoping someone from Meraki can comment on this feature. It's crazy that it does not exist yet.
Nov 6 2024
2:13 PM
4 Kudos
You are looking for SNAT, which Meraki can't do for some reason even though most $100 firewalls can do it. We are considering leaving Meraki because of this. It makes it really difficult to do IP allow-listing because your guest network goes out the same IP as your corporate network. It's embarrassing that this hasn't been implemented yet.
Feb 26 2024
8:05 AM
We have an HA pair of MX95s that are having issues with split tunnel in AnyConnect. We pointed our users to an MX67 with the same firmware and it works fine, so I don't know if the issue is specific to the MX95 or the HA setup.
Aug 25 2023
12:17 PM
We have the same problem with our MX95 cluster. I guess the cluster loses track of who the primary node is and chaos ensues. We opened a support case and they want to test a new firmware. Unfortunately, we can't test until the end of September because we can't have our network meltdown again during a 24/7 operation. The other suggestion they had was to break the cluster and upgrade independently and then rejoin.
Jun 27 2023
5:58 PM
The design spec is solid, but in practice it doesn't seem to work properly, which is the problem. If I turn on "Block all access until sign-on is complete", I will start getting calls from our employees that their personal devices and customer devices can't surf the Internet on guest Wi-Fi. In theory, the phones should reach out to an HTTP URL and redirect to the portal, but some devices just don't behave properly. So, I either get lots of support tickets, or I allow non-HTTP traffic prior to sign-in. Neither option is good.
Mar 22 2023
7:59 AM
4 Kudos
This is slowly becoming a deal breaker for us as well. With so many services moving from on-prem to the cloud, we need the ability to send guest traffic out a separate IP address. My current workaround is to individually block access to all of the cloud services on every guest network. It's like whack-a-mole, and I'm sure I'm missing some. It's becoming a serious liability for us and I'm having difficulty explaining to the board why we continue to use Meraki. Is there anyone from Meraki reading this board who can chime in on this feature?
Mar 21 2023
7:52 AM
4 Kudos
I was able to do this in 2001 with a Cisco PIX firewall. I don't understand why this is so hard for Meraki. It's one of the most basic features of a firewall.
Feb 15 2023
2:46 PM
2 Kudos
A year later and still nothing. This is killing me. Has anyone heard of any updates on this?
Oct 19 2022
3:54 PM
Yep, same here. We use it to monitor our robotic automation rooms and non-IT people need access to the data in CSV format. I'm working on extracting this data from the API, but I'm having trouble with the JSON paths changing dynamically every time I run it. It randomizes the JSON paths for each of the metrics. I've opened a ticket with Meraki to see if they have any advice on how to keep them from changing.
Oct 14 2022
11:00 AM
I'm having the same issue. I would love to find a way to give regular users access to only the sensors. As far as I can tell, they need full read_only access to the entire network. The "monitor-only" role does not seem to give access to the sensors for some reason.
Aug 19 2022
1:52 PM
I'm dealing with this right now and I'm not actually sure how to handle this. We use the splash page on our guest network so the guests can accept the terms of service. It seems that I have three options.

1) Allow non-HTTP traffic and allow guest users to bypass our network firewall rules.
2) Block all access to the network until the splash page is clicked, knowing that half of the guest users will just time out because they are accessing HTTPS.
3) Turn off the splash page and just have an open network with no terms of service.

I've opened a ticket with Meraki support and I'm not sure they even understand what I'm talking about. The Meraki documentation clearly states that what we are experiencing is as designed. https://documentation.meraki.com/MR/MR_Splash_Page/Enabling_Click-through_splash-page

Curious, how are you all handling your guest network portals?
Aug 11 2021
3:05 PM
Unfortunately, I'm not running the web enrollment feature so I don't have the web interface. However, I can export the root CA with the MMC GUI, and also via the certutil command line with no luck. I'm running a single CA and it seems to be functioning properly otherwise. I'm not sure what else to do.
Aug 11 2021
9:17 AM
@FlyingDutchman That's great news. Did you export the CA Root with or without the private key?
Aug 11 2021
8:14 AM
Good call on base 64, but that didn't seem to work either. Same error.
Aug 10 2021
2:25 PM
I've tested on previous builds, and I'm on 16.11 now with no luck. It's possible I'm doing something wrong or misunderstanding how this feature should work.
Aug 10 2021
11:26 AM
I'm experiencing the same issue. I have a Windows AD CA on my local domain. I exported the root certificate and imported it into AnyConnect. My laptop has a device certificate signed by the root authority. Everything looks good, but it won't let me connect and I receive a certificate error.
Jul 25 2021
8:56 PM
I think you are right, I missed that. It looks like it was listed in 16.9 as a known issue.
Jul 25 2021
8:25 PM
1 Kudo
16.10 lists this as a known issue. Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server.
Oct 28 2020
1:43 PM
3 Kudos
If you deploy the client with PowerShell, you can use the -IdleDisconnectSeconds parameter to set the idle timeout in the client connection settings. You can also set this in the VPN network adapter settings on the Options tab. Just set the timeout where it says "Idle time before hanging up". This only works on a PC.
Ahh, I think I missed the part where you can add multiple VLANs with tags to an SSID. That might do the trick. I'll be onsite next week to test.
Jun 19 2020
10:47 AM
1 Kudo
Hi everyone, I'm trying to figure out the best way (if possible) to have a single SSID and multiple VLANs for our point of sale systems. We already have 3 other SSIDs so I'm trying to keep the SSID count low. We have two iPad-based point of sale systems, one for Retail and one for our Restaurant. I tried setting up a group policy that would assign a VLAN to a device with bridge mode, but it doesn't seem to be working as expected. I'm either doing something that isn't possible, or I am misunderstanding how this should actually work. Does anyone have any experience getting something like this to work? Thanks all.
May 25 2020
1:53 PM
I always create a "Deny All" rule for my entire local subnet. This blocks all inter-VLAN traffic. All inter-VLAN traffic that I want to permit I put above that line, and everything else goes below it. In your case, you would put the ICMP rule above the Deny All rule. Here is an example:
Yes, purchasing certs would work, or you can add the Certificate Authority certificate to the trusted root certificate store in both domains by deploying them with group policy. Then the certificates would be trusted by all computers in both domains.