If you define a 1:1 NAT for inbound access - the MX also uses that same 1:1 NAT for all outbound access as well.   It is a "special exception".  I'm not sure it is even documented. ... View more

A 1:1 static NAT mapping will achieve this. https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX#1:1_NAT   ... View more

>Confirm Data Storage Location Alignment   I want to re-state this one by @RWelch - it is critical. ... View more

What a pain!!! ... View more

There are several ways of solving this.   I think I would use the AnyConnect default group policy option, and put in there any firewall rules to control what just the AnyConnect users can access. https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Client_VPN/AnyConnect_on_the_MX_Appliance#Default_Group_Policy   If you use this approach, you can later extend it to support per-user group policy to control what different groups of users can access. ... View more

Splash Access have an entire portfolio of solutions for precisely this issue. https://www.splashaccess.com/portfolio/education/   ... View more

I have not been able to get username/password authentication to work in any Entra tenant that Microsoft has migrated their authentication methods (and this is a compulsory migration for all tenants).   As a result, I only use certificate-based authentication now.  I like use Microsoft Cloud PKI for my issuing CA, and use Intune to do the certificte deployment. https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-cloud-pki-overview  ... View more

I agree with @Mloraditch - it is up to the SAML provider if you are required to log in again or not. ... View more

What I tend to do is create a SAML role naming context like this: <Company Acronym>-Meraki-Administrator <Company Acronym>-Meraki-Observer (would have caused this "Read-Only" previously   e,g.   IFM-Meraki-Administrator   And then create those in every org you manage. ... View more

A general tip, go to "RF Profiles": https://documentation.meraki.com/Wireless/Operate_and_Maintain/User_Guides/Radio_Settings/RF_Profiles   Create a new profile.  The most common one I use is "Open Office Profile".     This uses sensible settings.  Apply this profile to all your APs.   On the RRM tab enable "AI channel planning" and "Busy hour".     ... View more

This is the secret.   You copy the thumbprint to every org where you want your SAML provider used.  And copy the SAML group mapping you wish to use.   Entra only requires a single setup.  You don't touch the Entra config as you add more organisations.       ... View more

Green to 3 through pi. ... View more

Try turning off CDP and enabling LLDP on the C1000 (if it supports this). ... View more

>Temporary changes to MFA, SAML, and security settings affecting some users ... >We are not able to share an exact timeline Scary.  Especially announcing this over the holiday period. ... View more

No.  You'll need to return the co-term licences and get subscription licences. ... View more

You can have per group firewall rules, but everyone has to share the same set of routes. ... View more

For the MR76 it lists these as compatible antennas: https://documentation.meraki.com/Wireless/Product_Information/Overviews_and_Datasheets/MR76_Datasheet "List of compatible antennas: MA-ANT-20/21/23/25/27 "   Out of those options, the MA-ANT-27 (dual band), MA-ANT-21 (5ghz only) and MA-ANT-23 (2.4 ghz only) seem like the best options to choose from. https://meraki.cisco.com/product-collateral/dual-band-sector-antenna-datasheet/?file https://meraki.cisco.com/product-collateral/5-ghz-sector-antenna-datasheet/?file https://meraki.cisco.com/product-collateral/2-4-ghz-sector-antenna-datasheet/?file     Meraki is not the strongest at bridge links.  I would be a bit nervous about this use case.  I would personally use a dedicated bridge solution from another vendor. ... View more

You have to delete the VMX, change the config in the Meraki Dashboard, and re-deploy the VMX. ... View more

These are the settings I am using for machine-based SCEP certificates.       I don't believe the SCEP certificate deploys till you use it in something, like the SSID config. ... View more

You'll need to use the BGP over IPSec VPN option to make this work. https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-to-site_VPN/BGP_routing_over_IPsec_VPN   ... View more

I've actually had companies raise this - and then I found they had disabled the alerts by setting them to "none". ... View more

Brilliant! ... View more

It sounds like you are talking about subscription licensing.  An AP subscription licence works with all current APs. https://documentation.meraki.com/Platform_Management/Product_Information/Licensing/Subscription_-_MR_Licensing   ... View more