Thanks @Inderdeep    Meraki Authentication is what I want to use. Having the user database hosted for us in the cloud and a simple username and password has been working great for years. Switching to RADIUS or AD requires alot of heavy lifting to implement, manage and maintain for out small requirement. Trusted Access is not suitable for us yet due to the number of windows devices.    If anyone has anything to add on the specifics of getting Meraki Authentication to work with Andriod 11 that would be great.  ... View more

Hi @pdeleuw    IKE is part of the Internet Engineering Task Forces (IETF) defined open standard for the IPSEC VPN framework.   Meraki Auto-VPN is a proprietary technology for creating VPN tunnels.    So the short answer is no, it's not IKE in its truest sense.   They both have the same objective of achieving secure VPN connectivity, there are a lot of similarities but also some differences. Being a cloud platform Meraki can leverage certain elements to reduce CPU load on the MXes. A good example is taking advantage of the secure connection each MX already makes to the dashboard to be cloud-managed. Phase 1 can ultimately be skipped as each peer has already had to authenticate itself to the Meraki dashboard, Similarly, it does not need to negotiate any SA parameters as this can be pushed down to the device from the cloud over the created trusted connection.    How come you ask? Just curiosity or are just trying to answer a specific question         ... View more

Yep, that is unique to the Meraki switches and needs a bit of extra thought on deployment.  ... View more

It uses CBC and MODP today, these will continue to be developed out over time to meet the higher cipher options.    That's correct, there is no option to configure Auto-VPN parameters    Auto-VPN is proprietary technology, some of the details are shared in the following  https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf ... View more

I would split these two complaints into separate cases, a roaming issue will send you down a totally different troubleshooting track compared to a user who gets kicked off the wifi and cant connect for 5 minutes.    For something like this, I would be continuing to work directly with the support team to narrow down the issue. Is this just one user for example? What do you see if you get the end-user to take a packet capture on their laptop when they cannot connect. Support will be able to help you understand the captures ... View more

I would go through the blog again with a fresh set of eyes and see if you notice where you have gone wrong. Failing that I would just call into support, its included in the cost of the license and they should be able to work this one through with you.    Ive spent way too long looking at a setup that should work and finally when I've swallowed my pride and called support they have picked it up in 2 minutes. Sometimes you get abit blind looking at the same setup for so long.  ... View more

Are you asking whether the gateway for guests should be on the MX or the core switch?    I have seen both, you can argue the case for either without really having anything to worry about.    Personal preference would be to have a gateway on the core switch to avoid layer 2 broadcast traffic from guest users making it up to the MX. Essentially reducing the load on that device. Also keeping the gateway on the switch makes the setup somewhat cleaner.        On a side note, what value is the internal firewall offering? It looks to just complicate the setup. Can you not push all traffic through the MX and filter there as appropriate?     ... View more

I can see that this is a single device having issues connecting. Have you tried updateding the client NIC driver?  ... View more

Most of the Cloud Identity providers are just providing simple Username/Password and maybe MFA and masquerading that as full identity management solution. With ZeroTrust, those solutions are missing key components like End-Point posture assessment. O365 offers Intune, but it’s very limited with Macs and has limited end-point capabilities. There are a number of 3rd party offers as well, but now you are operating multiple security policies.   We also have lots of clients moving to cloud, but most realize that moving AD is the last thing they want moved. It’s the security ‘Crown Jewels’ and loosing control of that to a cloud provider should be considered as a major potential issue. Providing 802.1x for NAC from the cloud has many other issues, mostly manifesting with users not getting basic local lan access. 1x can be very chatty in a dynamic environment and any delay above 100ms will cause timeouts resulting with either default guest access for privileged users at best, or no access at all at worst. Both options are sub-optimal. This is a classic ‘Just because you can, doesn’t mean you should’   Buyer beware. Just saving $$ should not be the primary driver when it comes to moving identity completely to the cloud.   Okta, ping, and the rest of the cloud IAM are nothing more than just a unified SSO middleman, with a pretty front end. Execs love it, cause it looks good, but many IT organizations are realizing that they are losing all control of the end-point, and with ZeroTrust, the endpoint is just as important in deciding the correct access policy.     Some interesting points of view https://www.reddit.com/r/networking/comments/dj49s7/cloud_only_identity_providers_getting_rid_of_all/ ... View more

If you run a packet capture on the wired side of the AP you will be able to check the packet capture and see if another device with a different make address is using that IP address. Or why don't you change the IP of the access point to another unused IP, does the issue persist   If you change the DNS to 8.8.8.8 do you still see the DNS misconfigured issue? ... View more

This information from the document is key   VLAN tags are not maintained across wireless mesh links, any VLAN tags applied by wired infrastructure will be stripped before sent across the air.    For the above reason, you need a device that will present all traffic to the mesh AP as untagged. This is achieved by a MX NATing the traffic of potentially multiple VLANs and presenting it as untagged VLAN 1, as shown in the article linked  https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless_Mesh_Link#Example_Supported_Topology   So this presents the problem of managing multiple VLANs in building B. The MS range does not have this NAT capability so the short answer to your question is no, this cannot be achieved.   I would speak to your Meraki Sales representative and there Design engineer who will be able to look at workable alternatives.      ... View more

I would consider using the individual pre-shared key feature. Sooner or later you are likely to run into issues with the current proposed solution of NAT mode DHCP.    The advantage of Ipsk is that you will have a single SSID with a unique password per tenant. This will give them access to there own bubble of devices. Meaning if someone has a wireless printer, apples TV etc they will be able to access them. At the moment  NAT mode DHCP will not allow this.    https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS ... View more

This is a nice blog post to help you    Most of it has been covered by previous replies, you will need to configure bonjour forwarding if the SSIDs are on different VLANs     https://meraki.cisco.com/blog/2013/10/watch-apple-tv-over-secure-guest-wifi/#:~:text=A%20common%20requirement%20for%20guest,to%20the%20Apple%20TV%20VLAN.&text=Below%20we%20will%20set%20up%20a%20secure%20guest%20SSID%20with%20bonjour%20forwarding. ... View more

What do you actually get when you test this?    If you getting 150 Mbps on your speed test because of unique flows then great   From the speed tests I have used previously, I would expect either100 or 50 Mbps     ... View more

To achieve this level of granular control you want you will struggle on the Meraki for the reasons previously outlined. You would need a firewall that supports HTTPS inspection, which basically decrypts the traffic to be able to differentiate between facebook messenger and regular Facebook.    If you are having issues with blocking mobile apps it will likely be because of the quic protocol.   a lot of apps use the new-ish QUIC protocol which uses UDP ports 80 and 443 which does not get picked up by the content filtering rules.    Once you have configured the recommended rules the QUIC traffic will get blocked by the Firewall, the app will then fall back to using traditional TLS/SSL which will be blocked by the Meraki content filtering rules.   Bedtime reading 🙂 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC#:~:text=Palo%20Alt... ... View more

Im pretty sure the load balancing is flow-based, meaning that all traffic for the speed test will be sent down one WAN link only.    So I would expect close to 100 or 50 Mbps on the download. Definitely not 150Mbps     ... View more

What happens if you reboot the 4G internet device instead of the Meraki MX? If the internet comes back online by doing that then it is the device in front of the MX that is likely a problem. I have seen this before with buggy home hubs in front of the MX.   Your question and description is not particularly clear so its not that easy to help you  ... View more

As long as there is layer 2 connectivity between the MX100 devices this will work.    However, as you mention the peer link does not forward user traffic. So how are you expecting the heartbeat to reach the other MX? From your description, I don't believe this diagram includes all devices which doesn't help.   I have never worked with VPC technology, however, I have seen this work with VSS which is similar technology.    This looks like a question better answered by Cisco TAC who work with Nexus, as opposed to the Meraki support team.         ... View more

This is the correct answer, a lot of apps use the new-ish QUIC protocol which uses UDP ports 80 and 443 which does not get picked up by the content filtering rules.    Once you have configured the recommended rules the QUIC traffic will get blocked by the Firewall, the app will then fall back to using traditional TLS/SSL which will be blocked by the content filtering rules.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC#:~:text=Palo%20Alto%20Networks%20recommends%20creating,any%20functionality%20on%20their%20browser.     ... View more