Does the NPS event viewer show that it is now granting the user/machine access?   The certificate being used for PEAP on your NPS server - where did that come from? Your own CA? ... View more

If you have a static IP - no.   Otherwise if you really want to, use a CNAME pointing to the dynamic DNS entry. ... View more

>So I can't even connect with less security. Ultimately I want the AND condition to work, as I only want to allow company-issued computers that a domain user is logged onto, to connect.   Microsoft NPS server does not support this.  You would need to use a more advanced RADIUS server such as Cisco ISE. ... View more

>I can confirm that all of those conditions should match, as the user account is in the MYDOMAIN\Meraki Staff Group, and the laptop in the MYDOMAIN\Meraki Computer Group.   Negative, you missed the point.  A user account is only a member of the "Meraki Staff Group".  It is not a member of the "Meraki Computer Group". Consequently if you create an NPS policy and list each as seperate conditions it can never match, as the user will never be in the "Meraki Staff Group" AND the "Meraki Computer Group" at the same time.   So put both groups in the same condition to convert it to an OR criteria.     Next you said there was a big delay when you had this configuration.  This is another seperate problem.  Is the CA certificate that issued the certificate being used for the PEAP authentication in NPS trusted by the clients as a root authority?  Also this certificate can not be self-signed. If both of these certificate requirements are not met the Windows workstations will not allow the authentication to succeed.  Note it is the workstation and not the NPS server refusing it in this case.   You need to check the event log on both the NPS server and the workstation to see which one is not happy. ... View more

Thanks for the recognition @CarolineS.  It is always nice for the team to be called out. ... View more

Why do you want to change the native VLAN?   Assumptions: You have physical access to all the devices The firewall (or device that provides Internet access) is configured to use a trunk port to the switch. All switches are configured to use trunk ports between themselves. You can have down time until the process is complete.   Change the firewall first to using VLAN10.  Then connect to the Meraki switch that it connects to via the local status page and change the management VLAN to 10.  Repeat for the other Meraki switches.   All switches should now be online.  Change all the access ports from VLAN1 to VLAN10.   Everything should now be back online.     Note you don't actually change the native VLAN at any point.  You leave VLAN1 alone, it just ends up unused, and everything is migrated into VLAN10. ... View more

Note that when using conditions in NPS that all conditions have to be true.  So when you want to match on Windows Groups (and assuming whatever needs access is not in both groups) you have to put both of those groups into a single condition.   So make sure: Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group Is actually a single conditon containing both groups (which makes it an OR). ... View more

I don't think I would ever used fixed 100%.  It's not fair on other WiFi users in the area using excessively more power than you need to operate your WiFi network. ... View more

In you want to use Gigabit (as opposed to 10Gbe) on the Internet ports then you'll need to order SFPs to match whatever you want to plug it into (Copper, SX Fibre, etc). ... View more

The cable length is determined using TDR (Time Domain Reflectometry): https://en.wikipedia.org/wiki/Time-domain_reflectometer   It measures the time for a signal to be reflected due to tiny imperfections in the cable termination.  The signal travells at a constant speed, so the length can be calculated.   If you find that a particular kind of device is constantly mis-reporting length it may also be that the device is messing with the impedance of the cable solution as well. ... View more

Another option you could consider is using a single SSID and using per-user VLAN tagging.  You can assign the VLAN via group policy, or via a RADIUS server (typically used with WPA2-Enterprise mode).   https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging ... View more

The other option is to access servers via their FQDN.  For example, rather than accessing \\server used \\server.domain.local.   Note, depending on your DNS setup, you may need to use a trailing "." (which turns it into an absolute DNS lookup rather than a relative lookup). ... View more

I have had the same issue. I have also had it happening on other sites, so thought it must be me.  Only tried in Chrome.   ... View more

I have seen this issue before where the circuit is asymmetric, specifically it has asymmetric timing.  For example, a packet one way takes 10ms and the return packet takes 40ms.   If the server and client are running a modern Windows TCP stack (Windows 7 or better) try running this command on both the server and the client, and repeat the test: netsh int tcp set global timestamps=enabled ... View more

Here is another before and after.  In this case, the customer said thay wanted to be able to "see" where the patched ports plugged into the switch, without having to riffle through the cabling.   ... View more

Truely an impressive effort Adam. ... View more

I have nebver seen Todd so dressed up.     Damm spam filters.  I missed my invite.  🙂 ... View more

At least this feature is publically documented.  🙂 ... View more

FYI, when I do wired 802.1x I make sure the client gets printers with native 802.1x support, so they log in like everything else. It makes life much easier. ... View more

It sounds like you want sponsored guest mode.  Note this is not visible in the dashboard by default.  You have to open a case with support to get it turned on.   https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest ... View more

>But one question, why should this MX run in a different organisation?    You are going to have to make the new MX an AutoVPN hub (it wont have any spokes) to enable the non-Meraki site to site VPN.  You wont be able to add a static route pointing to the AutoVPN spokes via the other proper hub.  It wont allow it to be added. Actually, if you get the supernetting correct it may be possible, but it would be safer to put it into another organisation.   Actually, this article by Aaron Willette explains it really well. http://www.willette.works/merging-meraki-vpns/   ... View more

Another solution is to buy an additional MX to go at the hub site, but place it in a different organisation.  This should go on the same LAN as your existing hub MX.   On the new MX add a static route pointing to your AutoVPN MX that covers all of your subnets.  On your AutoVPN MX add a static route pointing to the remote site to site VPN destination with the new MX as the next hop, and publish this static route into AutoVPN.   Then build the site to site VPN to the new MX.     Voila.  All your spokes now have access. ... View more