I know this is an old thread, but since so many have asked and with a recent development on this front, it is pertinent to share that IPSK with NPS is now supported on MR 30.1 and higher firmware when using both the RADIUS standard AVP Tunnel-Password AND Cisco AVPs "psk" and "psk-mode=ascii". Please see the updated documentation here: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication#Microsoft_NPS_Configuration   Cheers, Geoff ... View more

26.7 which has the fix for the issue isn't yet released. 26.6.1 was released but it does not contain the fix. 26.7 should be ready soon. ... View more

Hi,   NAT mode 'breaks' roaming and isn't recommended if you need to roam. See https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP#Common_Problems. It hearkens back to the early Meraki days and was designed for guest Wi-Fi in hotels and coffee shops, etc. since it's an easy setup that provides DHCP (no server on the LAN needed) and client isolation (security). Fun fact: This used to be the ONLY mode of IP addressing available in the Pro days, before Enterprise licensing was a thing and introduced bridge mode. There's nothing wrong with it per se, whether or not to use it just depends on the requirements at hand and what's available on your network (i.e. a DHCP server, VLAN aware switches).   If you need seamless roaming, it's best to use bridge mode. If you're using the latest MR 26.X firmware (I wouldn't recommend using L2 isolation on 25.13 due to some known issues), you can use the Layer 2 LAN isolation feature with bridge mode on the Wireless > Configure > Firewall & traffic shaping page for your guest SSID in order to prevent the wireless clients from talking to each other, just like in NAT mode. You can also add a "Deny Local LAN" rule to deny those guest clients access to the LAN resources and only allow them to the Internet.   Are the APs on different VLANs between the floors? You might need to tag the SSID with a VLAN and make sure that VLAN is trunked between the floors. ... View more

Hi,   Probably just the problematic one for now. One other thing to note about disabling 11ax is that currently it doesn't work when using the "Per SSID" band selection setting on the RF profile. If you're using the "Per AP" setting, then it'll work on 26.4 (all the time), 26.5 and 26.6 (until a reboot). ... View more

Hi,   I would confirm with Support in your case that all the APs are indeed running 26.6. There might also be something else going on with that one AP which they can take a look at if it's online. The AX HE advertising issue doesn't exist in 26.4 (I just tested this on my MR55 to confirm) so if this is a pressing issue for you, 26.4 could serve as a workaround until 26.7 is released.   Regarding the layer 3 roaming point in your original post, there is only one use case for that and that's if your APs' management IPs are on different subnets. If your APs are all on the same subnet then there's no need for L3 roaming. There is a bit of a performance hit in using it due to the overhead in maintaining the tunnel to the anchor AP you initially connect to. How it works is you connect to the original (anchor) AP, then as you roam around the environment all your client's traffic is tunneled back to the original anchor AP and spit out there. The best roaming performance will be observed using bridge mode.   For example, if AP1's management IP is 10.0.0.10/24 and AP2's management IP is 10.0.0.11/24, use bridge mode. However if AP1 is 192.168.50.10/24 and AP2 is 10.0.0.11/24 and you need your clients to maintain IP connectivity as they roam from one part of the infrastructure to another (another floor in a building, another building, etc.), use layer 3 roaming. ... View more

Hi,   If Meraki Support disabled 802.11ax on the backend, then it actually won't matter what you do with the UI toggle since what they've done overrides the UI option. If you're running 26.6 and they've disabled it and the AP has since rebooted, you'll hit the condition for the bug which is 11ax being disabled in the config upon boot. If it's only affecting one AP it could be that this one rebooted after disabling 11ax but the others haven't rebooted after Support applied the config. ... View more

Hi there,   That is actually the expected behavior if your devices have mDNS enabled. The names on the Dashboard are displayed based on whichever of the following exists, in order.   1. User-specified 2. mDNS hostname 3. NetBIOS hostname 4. DHCP hostname   Source: https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Rename_a_Client's_Hostname   To use the DHCP hostname instead of the mDNS name, on Windows for example you can disable mDNS: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/ ... View more

Hi,   Which model MR and what firmware are you running? I am not able to reproduce that with my MR26 on 26.6 with a sign-on splash, "Block all access until sign-on is complete", and a layer 7 rule to block Netflix. On my Android phone, I can open the app but not search anything. On my laptop, netflix.com never loads. ... View more

Hi there,   Your scenario is covered in this KB: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless_Mesh_Link. As others have mentioned, keep in mind that only 1 VLAN can be carried across the mesh link. So if you want to carry additional VLANs, you'll need a layer 3 switch on the repeater side to segment the VLAN that the repeater is on from the wired clients behind the L3 switch on the remote site. ... View more

Hi there,   Since you mentioned this is for your guest SSID, are you using a click-through splash page with it? If so, there is an option on Wireless > Configure > Access control > Captive portal strength. It is either "Allow non-HTTP traffic prior to sign-on" or "Block all access until sign-on is complete". If you selected "Allow non-HTTP traffic prior to sign-on", clients will most likely not hit the splash page and thus not be subject to any of your firewall rules. Most of the Internet is HTTPS (aka "non-HTTP"), so guests will simply bypass the splash if that option is selected. The better and more secure option is to use "Block all access until sign-on is complete". ... View more

Hi there,   The Z3 is really meant to be used as a teleworker gateway device at home or when traveling so you can connect to it and have a VPN tunnel back to a VPN head-end at a datacenter and access company resources. It is meant for up to 5 clients - your phone, laptop, maybe a tablet. It's not meant to be an edge device or firewall for a substantial network. Depending on how many client devices you're needing to support on the network, you'd be better off with an MX64/65/67/68 (up to 50 clients) or MX84 (up to 200 clients) if you're planning for growth. The MXs are more expensive than the Z3, but are 100% better suited to be an edge firewall. It sounds like you have over 100 devices so an MX84 should be the ticket. ... View more

Hi there,   It looks like that PoE injector is 802.3at capable according to the Cisco website: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/eos-eol-notice-c51-737338.html. The MR34 requires 802.3at PoE+ to fully work, so this one will be fine to use with it. ... View more

Hi there,   What firmware version is running on your MR? If it's on 26.5 or 26.6, try toggling the "Disable 802.11ax" back on, wait a minute, then off again and see if it resolves the issue. If it does, then to workaround this you can either have Meraki Support roll you back to 26.4 or wait for 26.7 which will have a fix for this.   The problem is if the AP running 26.5 or 26.6 has the config to disable 802.11ax when it boots up, it will ignore that config. However if the MR45/55 is online and you modify the config to disable 802.11ax, it will take effect. If the AP reboots though, you will have the same problem again. A factory reset or RMA should not be required. ... View more

Hi there,   It may not be enough to just have LLDP enabled. See this KB and make sure the port is configured as is recommended as well: https://documentation.meraki.com/MR/Other_Topics/Low_Power_Mode_on_Cisco_Switches.   Also, it is not recommended to use an AC power adapter while PoE is enabled on the switch port. It should be either PoE or AC adapter. ... View more

Hi there,   If you upgraded to 25.14 and after a short while your WPA2-PSK or WPA2-Enterprise SSIDs 'disappear', then upgrade to 26.6. ... View more

Hi John,   What are your requirements? The main benefit of Wi-Fi 6 is efficiency in high density deployments. Being a 4x4:4 wave 2 AP, the MR52 is more than capable, but it's understandable wanting to future-proof yourself. There are not many Wi-Fi 6 clients out there yet so the benefits won't be realized for probably another year.   There were some issues with certain clients when the MR45/55 first came out because users hadn't updated their NIC drivers to support the new 802.11ax information elements, but the same thing happened when 802.11ac and 802.11n came out. It takes two radios to tango and with any new infrastructure technology, the clients will often times need updates too. At this point, most modern devices have updates available and it's not an issue. If you go for the MR45 and do have clients that have trouble with 802.11ax though, the option does exist to disable it on the Wireless > Configure > Radio settings > RF profiles. ... View more