Tadpole86
Getting noticed

Member since Aug 20, 2020
Community Record

29
Posts
21
Kudos
3
Solutions

Latest Contributions by Tadpole86

Re: Android 11 - Meraki Authentication - certificate for radius.meraki.com ...

by Tadpole86 in Wireless LAN
04-28-2021 02:02 PM

Thanks @Inderdeep

Meraki Authentication is what I want to use. Having the user database hosted for us in the cloud and a simple username and password has been working great for years. Switching to RADIUS or AD requires a lot of heavy lifting to implement, manage and maintain for our small requirement. Trusted Access is not suitable for us yet due to the number of Windows devices.

If anyone has anything to add on the specifics of getting Meraki Authentication to work with Android 11, that would be great.

Android 11 - Meraki Authentication - certificate for radius.meraki.com - N...

by Tadpole86 in Wireless LAN
04-28-2021 01:08 PM

Can anybody help?

Since Android 11 was released I can no longer connect some users to an SSID using Meraki Authentication.

The firmware update from Android essentially removes the user's capability of choosing to trust a certificate. This is apparently in line with the Wi-Fi Alliance WPA3 specification, so we are likely to see this issue with other operating systems over time. As I understand it, this move is to stop users potentially connecting to an imposter AP and handing over their credentials to a malicious person.

Working with Meraki support I've basically been told it's a device-side issue.

OK, so my devices don't trust the radius.meraki.com certificate out of the box. If I look at the untrusted certificate it's signed by Sectigo.

If I navigate to the Sectigo site and download the certificates and install them, I am still being blocked. I've tried a few: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates

Can anyone enlighten me? My understanding of certificates is high level; I've reached the end of my knowledge.

On a second point, why are Meraki using a certificate that is not commonly supported? Both Android and Apple devices are prompted to trust it. From my basic understanding I would think that if you went with a provider such as GoDaddy, this would not be a problem in the first place.

Re: Content Filtering, Filtering

by Tadpole86 in Security / SD-WAN
08-21-2020 12:30 PM
1 Kudo

The event log cannot be filtered as you desire.

The event log can be sent to a syslog server and filtered there, if it's worth the effort.

Re: VPN: Which algorithms are chosen?

by Tadpole86 in Security / SD-WAN
08-21-2020 09:12 AM
1 Kudo

Hi @pdeleuw

IKE is part of the Internet Engineering Task Force's (IETF) defined open standard for the IPsec VPN framework.

Meraki Auto-VPN is a proprietary technology for creating VPN tunnels.

So the short answer is no, it's not IKE in its truest sense.

They both have the same objective of achieving secure VPN connectivity; there are a lot of similarities but also some differences. Being a cloud platform, Meraki can leverage certain elements to reduce CPU load on the MXes. A good example is taking advantage of the secure connection each MX already makes to the dashboard to be cloud-managed. Phase 1 can ultimately be skipped, as each peer has already had to authenticate itself to the Meraki dashboard. Similarly, it does not need to negotiate any SA parameters, as these can be pushed down to the device from the cloud over the already established trusted connection.

How come you ask? Just curiosity, or are you trying to answer a specific question?

Re: L3 Routing migration from 3560-X

by Tadpole86 in Switching
08-21-2020 06:53 AM
1 Kudo

Yep, that is unique to the Meraki switches and needs a bit of extra thought on deployment.

Re: vMX100 monitoing with Solarwinds

by Tadpole86 in Security / SD-WAN
08-21-2020 06:21 AM
1 Kudo

Is there connectivity between SolarWinds and the switches? Where is SolarWinds being hosted? If it is being hosted behind an MX or within the Azure IaaS then the connectivity will already be in place and you are good to go.

Re: VPN: Which algorithms are chosen?

by Tadpole86 in Security / SD-WAN
08-21-2020 04:43 AM
2 Kudos

It uses CBC and MODP today; these will continue to be developed out over time to meet the higher cipher options.

That's correct, there is no option to configure Auto-VPN parameters.

Auto-VPN is proprietary technology; some of the details are shared in the following: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf

Re: Poor WLAN Performance when roaming

by Tadpole86 in Wireless LAN
08-21-2020 03:25 AM
1 Kudo

I would split these two complaints into separate cases; a roaming issue will send you down a totally different troubleshooting track compared to a user who gets kicked off the Wi-Fi and can't connect for 5 minutes.

For something like this, I would be continuing to work directly with the support team to narrow down the issue. Is this just one user, for example? What do you see if you get the end user to take a packet capture on their laptop when they cannot connect? Support will be able to help you understand the captures.

Re: Meraki Campus Design with two tier Firewall

by Tadpole86 in Security / SD-WAN
08-21-2020 02:01 AM
1 Kudo

My recommendation would be to keep the guest gateway on the Meraki core switch for the mentioned reasons.

The Meraki core switch can provide DHCP to the guests. If you are using Meraki Wi-Fi too, I would look at the following article and use the NAT mode DHCP available on the access points.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

Re: Two SSID's, but some devices need to be seen on the both

by Tadpole86 in Wireless LAN
08-21-2020 01:53 AM

I would go through the blog again with a fresh set of eyes and see if you notice where you have gone wrong. Failing that, I would just call into support; it's included in the cost of the license and they should be able to work this one through with you.

I've spent way too long looking at a setup that should work, and finally, when I've swallowed my pride and called support, they have picked it up in 2 minutes. Sometimes you get a bit blind looking at the same setup for so long.

Re: Meraki Campus Design with two tier Firewall

by Tadpole86 in Security / SD-WAN
08-21-2020 01:25 AM

Are you asking whether the gateway for guests should be on the MX or the core switch?

I have seen both; you can argue the case for either without really having anything to worry about.

Personal preference would be to have a gateway on the core switch to avoid layer 2 broadcast traffic from guest users making it up to the MX, essentially reducing the load on that device. Also, keeping the gateway on the switch makes the setup somewhat cleaner.

On a side note, what value is the internal firewall offering? It looks to just complicate the setup. Can you not push all traffic through the MX and filter there as appropriate?

Re: L3 Routing migration from 3560-X

by Tadpole86 in Switching
08-20-2020 02:38 PM
1 Kudo

I don't fully understand how you are approaching this; the description is somewhat confusing.

I would do this in a maintenance window. Configure the MS250 stack with the same gateway IPs used on the MS3560s, and then swap out the core in one big bang. This will avoid the complexities of running two core stacks side by side.

Re: MR32: client not associated

by Tadpole86 in Wireless LAN
08-20-2020 02:30 PM

I can see that this is a single device having issues connecting. Have you tried updating the client NIC driver?

Re: Azure AD authentication on Meraki WiFi

by Tadpole86 in Wireless LAN
08-20-2020 02:25 PM
4 Kudos

Most of the cloud identity providers are just providing simple username/password and maybe MFA and masquerading that as a full identity management solution. With Zero Trust, those solutions are missing key components like endpoint posture assessment. O365 offers Intune, but it's very limited with Macs and has limited endpoint capabilities. There are a number of 3rd-party offers as well, but now you are operating multiple security policies.

We also have lots of clients moving to cloud, but most realize that moving AD is the last thing they want moved. It's the security 'crown jewels', and losing control of that to a cloud provider should be considered a major potential issue. Providing 802.1X for NAC from the cloud has many other issues, mostly manifesting with users not getting basic local LAN access. 802.1X can be very chatty in a dynamic environment, and any delay above 100 ms will cause timeouts, resulting in either default guest access for privileged users at best, or no access at all at worst. Both options are sub-optimal. This is a classic 'Just because you can, doesn't mean you should'.

Buyer beware. Just saving $$ should not be the primary driver when it comes to moving identity completely to the cloud.

Okta, Ping, and the rest of the cloud IAM are nothing more than a unified SSO middleman with a pretty front end. Execs love it because it looks good, but many IT organizations are realizing that they are losing all control of the endpoint, and with Zero Trust, the endpoint is just as important in deciding the correct access policy.

Some interesting points of view: https://www.reddit.com/r/networking/comments/dj49s7/cloud_only_identity_providers_getting_rid_of_all/

Re: MR33 - DNS Misconfigured & Uplink IP Address conflict with another devi...

by Tadpole86 in Wireless LAN
08-20-2020 02:14 PM
1 Kudo

If you run a packet capture on the wired side of the AP you will be able to check the capture and see if another device with a different MAC address is using that IP address. Or why don't you change the IP of the access point to another unused IP; does the issue persist?

If you change the DNS to 8.8.8.8 do you still see the DNS misconfigured issue?
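An added example, not part of Tadpole86's reply or any Meraki tool, of the wired-side check described above: parse raw Ethernet/ARP frames and report any IP address announced by more than one MAC. The frames, MAC addresses and IPs below are constructed in the code so it runs offline; on a real capture you would feed it the frames from the AP's wired-side pcap instead of SAMPLE_FRAMES.

```python
"""Find an IP address claimed by more than one MAC in a capture of raw Ethernet/ARP frames.

Added example, not from the original thread: the frames below are constructed in code so
it runs offline; a real capture would come from the AP's wired-side pcap.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw ARP frame; used here only to construct sample input for this example."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    dst = tha if oper == ARP_REPLY else b"\xff" * 6  # requests are broadcast
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP request or reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (ARP_REQUEST, ARP_REPLY):
        return None
    return _mac(sha), _ip(spa)


def find_ip_conflicts(frames) -> dict:
    """Map each IP to the MACs that announced it; return only the IPs announced by more than one MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample capture: the AP (…aa) and another host (…bb) both answer ARP for 192.168.1.10.
AP_MAC, OTHER_MAC, GW_MAC = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, GW_MAC, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.10"),
    build_arp(ARP_REPLY, AP_MAC, "192.168.1.10", GW_MAC, "192.168.1.1"),
    build_arp(ARP_REPLY, OTHER_MAC, "192.168.1.10", GW_MAC, "192.168.1.1"),
    build_arp(ARP_REPLY, GW_MAC, "192.168.1.1", AP_MAC, "192.168.1.10"),
    b"\x00" * 14 + b"not arp",  # non-ARP junk is ignored
]

if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_FRAMES).items():
        print(f"CONFLICT: {ip} claimed by {', '.join(macs)}")
```

Both ARP requests and replies carry the sender's MAC/IP pair, so gratuitous ARP and normal resolution traffic are both enough to spot the second MAC; the dashboard's "uplink IP conflict" warning is the same observation made by the AP itself.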

Re: MR42 - Getting the Real Time location but it's not accurate using BLE T...

by Tadpole86 in Wireless LAN
08-20-2020 02:07 PM

You cannot accurately predict the location of a client device with a single access point.

You will need a minimum of 3 APs to get close to an accurate location, as the technology uses triangulation.

Re: Point to Point Bridge Between buildings

by Tadpole86 in Wireless LAN
08-20-2020 01:56 PM

This information from the document is key:

VLAN tags are not maintained across wireless mesh links; any VLAN tags applied by wired infrastructure will be stripped before being sent across the air.

For the above reason, you need a device that will present all traffic to the mesh AP as untagged. This is achieved by an MX NATing the traffic of potentially multiple VLANs and presenting it as untagged VLAN 1, as shown in the article linked: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless_Mesh_Link#Example_Supported_Topology

So this presents the problem of managing multiple VLANs in building B. The MS range does not have this NAT capability, so the short answer to your question is no, this cannot be achieved.

I would speak to your Meraki sales representative and their design engineer, who will be able to look at workable alternatives.

Re: MR30H in Adult Living Center

by Tadpole86 in Wireless LAN
08-20-2020 01:30 PM

I would consider using the individual pre-shared key feature. Sooner or later you are likely to run into issues with the current proposed solution of NAT mode DHCP.

The advantage of IPSK is that you will have a single SSID with a unique password per tenant. This will give them access to their own bubble of devices, meaning if someone has a wireless printer, Apple TV etc. they will be able to access them. At the moment NAT mode DHCP will not allow this.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

Re: Two SSID's, but some devices need to be seen on the both

by Tadpole86 in Wireless LAN
08-20-2020 01:20 PM
1 Kudo

This is a nice blog post to help you.

Most of it has been covered by previous replies; you will need to configure Bonjour forwarding if the SSIDs are on different VLANs.

https://meraki.cisco.com/blog/2013/10/watch-apple-tv-over-secure-guest-wifi/#:~:text=A%20common%20requirement%20for%20guest,to%20the%20Apple%20TV%20VLAN.&text=Below%20we%20will%20set%20up%20a%20secure%20guest%20SSID%20with%20bonjour%20forwarding.

Re: speed test when load balancing is enabled

by Tadpole86 in Security / SD-WAN
08-20-2020 01:06 PM

What do you actually get when you test this?

If you are getting 150 Mbps on your speed test because of unique flows, then great.

From the speed tests I have used previously, I would expect either 100 or 50 Mbps.

Re: Block Facebook app but allow Facebook Messenger

by Tadpole86 in Security / SD-WAN
08-20-2020 12:50 PM

To achieve the level of granular control you want, you will struggle on the Meraki for the reasons previously outlined. You would need a firewall that supports HTTPS inspection, which basically decrypts the traffic to be able to differentiate between Facebook Messenger and regular Facebook.

If you are having issues with blocking mobile apps it will likely be because of the QUIC protocol. A lot of apps use the new-ish QUIC protocol, which uses UDP ports 80 and 443 and does not get picked up by the content filtering rules.

Once you have configured the recommended rules, the QUIC traffic will get blocked by the firewall; the app will then fall back to using traditional TLS/SSL, which will be blocked by the Meraki content filtering rules.

Bedtime reading 🙂 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC#:~:text=Palo%20Alt...
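An added example, not from the post above or the linked article, of the two-step behaviour it describes: a content filter that matches on the TLS ClientHello SNI cannot see inside QUIC, so the app's first attempt over UDP/443 goes through; only a Layer 3 deny on UDP/443 forces the fallback to TCP/443 TLS, where the SNI match fires. The filter model, the blocked-host list, the hand-built ClientHello and the QUIC v1 Initial header are constructed for illustration and are not the MX's implementation.

```python
"""Why QUIC slips past HTTP/TLS content filtering, and how a UDP/443 rule forces the TLS fallback.

Added example, not from the original thread. The content filter is modelled as an SNI match on the
TLS ClientHello; the blocked-host list and the QUIC packet are constructed sample data.
"""
import struct

BLOCKED_HOSTS = {"facebook.com", "www.facebook.com"}  # constructed category list


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                  # server_name list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni             # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                              # version, random (fixed, sample only)
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake


def tls_sni(payload: bytes):
    """Return the SNI host_name from a TLS ClientHello, or None if the payload is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
        p += 1 + payload[p]                                  # session id
        p += 2 + struct.unpack_from("!H", payload, p)[0]     # cipher suites
        p += 1 + payload[p]                                  # compression methods
        end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:
                q = p + 2                                    # skip server_name list length
                while q + 3 <= p + elen:
                    ntype = payload[q]
                    nlen = struct.unpack_from("!H", payload, q + 1)[0]
                    q += 3
                    if ntype == 0:
                        return payload[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None
    return None


def is_quic_long_header(payload: bytes) -> bool:
    """True for a QUIC long-header packet: form bit and fixed bit set, non-zero version (RFC 9000 s17.2)."""
    return len(payload) >= 5 and payload[0] & 0xC0 == 0xC0 and payload[1:5] != b"\x00\x00\x00\x00"


def decide(proto: str, dport: int, payload: bytes, deny_udp_443: bool = False):
    """Apply the L3 firewall first, then the SNI-based content filter; return (verdict, reason)."""
    if deny_udp_443 and proto == "udp" and dport == 443:
        return "blocked", "L3 firewall: udp/443 denied"
    if proto == "udp" and dport == 443 and is_quic_long_header(payload):
        return "allowed", "content filter: QUIC payload is opaque, no SNI to match"
    if proto == "tcp" and dport == 443:
        host = tls_sni(payload)
        if host and host.lower() in BLOCKED_HOSTS:
            return "blocked", f"content filter: SNI {host}"
    return "allowed", "no rule matched"


# Constructed QUIC v1 Initial: first byte 0xC3, version 1, 8-byte DCID, empty SCID, then padding.
QUIC_INITIAL = b"\xc3" + b"\x00\x00\x00\x01" + b"\x08" + bytes(8) + b"\x00" + bytes(1180)

if __name__ == "__main__":
    print(decide("udp", 443, QUIC_INITIAL))                            # first attempt: QUIC gets through
    print(decide("udp", 443, QUIC_INITIAL, deny_udp_443=True))         # with the L3 rule: QUIC blocked
    print(decide("tcp", 443, build_client_hello("www.facebook.com")))  # fallback to TLS: filtered by SNI
```

The order in decide matters: the L3 rule is evaluated before any payload inspection, which is why a plain "deny UDP 443" is enough even though the firewall never understands the QUIC packet it drops.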

Re: speed test when load balancing is enabled

by Tadpole86 in Security / SD-WAN
08-20-2020 12:45 PM
2 Kudos

I'm pretty sure the load balancing is flow-based, meaning that all traffic for the speed test will be sent down one WAN link only.

So I would expect close to 100 or 50 Mbps on the download. Definitely not 150 Mbps.
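An added example (not from this reply or the 01:06 PM one above, and not the MX's actual algorithm) that models the flow-based behaviour both replies describe: a hash of the 5-tuple pins each flow to one uplink, so a single-stream speed test reports one link's capacity, while a test that opens many streams can reach the sum. The uplink table, the hash and the test flows are assumptions for illustration, and the model is unweighted; it goes slightly beyond the posts by showing the multi-stream case as well.

```python
"""Model of flow-based WAN load balancing: each flow is pinned to one uplink by a hash of its
5-tuple, so a single-stream speed test measures one link, while many parallel flows can use both.

Added example, not from the original thread; the uplink table and the selection hash are
assumptions made for illustration, not the MX's actual algorithm (which is also bandwidth-weighted).
"""
import hashlib

# Constructed uplinks: name -> capacity in Mbps (the thread's 100 + 50 Mbps pair)
UPLINKS = {"wan1": 100, "wan2": 50}


def pick_uplink(src_ip: str, dst_ip: str, proto: str, sport: int, dport: int, uplinks=UPLINKS) -> str:
    """Deterministic per-flow choice: the same 5-tuple always lands on the same uplink."""
    names = sorted(uplinks)
    key = f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return names[h % len(names)]


def aggregate_capacity(flows, uplinks=UPLINKS) -> int:
    """Best-case throughput for a set of flows: the capacities of the uplinks they actually hash onto."""
    used = {pick_uplink(*flow, uplinks=uplinks) for flow in flows}
    return sum(uplinks[name] for name in used)


def speed_test(parallel_streams: int, client_ip="10.0.0.25", server_ip="203.0.113.10") -> int:
    """Simulate a speed test that opens N TCP streams from distinct source ports to one server."""
    flows = [(client_ip, server_ip, "tcp", 40000 + i, 443) for i in range(parallel_streams)]
    return aggregate_capacity(flows)


if __name__ == "__main__":
    print("single stream:", speed_test(1), "Mbps")   # 100 or 50, never 150
    print("64 streams:", speed_test(64), "Mbps")     # 150 once both uplinks carry a flow
```

A single stream can only ever see the capacity of the link its 5-tuple hashed to, which is the 100-or-50 result the replies predict; a multi-stream test is the "unique flows" case in which 150 Mbps becomes possible.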

Re: how to route traffic over non meraki peering links?

by Tadpole86 in Security / SD-WAN
08-20-2020 12:38 PM

Peering directly from MX-B is likely your best option.

What you are trying to do will not work for the already mentioned reason.

Re: CISCO Meraki SD-WAN

by Tadpole86 in Security / SD-WAN
08-20-2020 12:34 PM

There are two firewall engines on the MX, one for site-to-site traffic and one for the rest.

If you are trying to block traffic between two Meraki MXes you need to configure this under the outbound firewall rules found at the bottom of the site-to-site VPN page.

It sounds like you are configuring this under the Firewall page, which is why it is failing.

Re: connection becomes down every few days i must restart Merak to come ...

by Tadpole86 in Security / SD-WAN
08-20-2020 12:18 PM
1 Kudo

What happens if you reboot the 4G internet device instead of the Meraki MX? If the internet comes back online by doing that, then it is the device in front of the MX that is likely the problem. I have seen this before with buggy home hubs in front of the MX.

Your question and description are not particularly clear, so it's not that easy to help you.
My Accepted Solutions (subject, board, views, posted)
Re: Meraki Campus Design with two tier Firewall, Security / SD-WAN, 1770 views, 08-21-2020 02:01 AM
Re: L3 Routing migration from 3560-X, Switching, 1194 views, 08-20-2020 02:38 PM
Re: MR42 - Getting the Real Time location but it's not accurate using BLE T..., Wireless LAN, 935 views, 08-20-2020 02:07 PM

My Top Kudoed Posts (subject, board, kudos, views)
Re: Azure AD authentication on Meraki WiFi, Wireless LAN, 4 kudos, 49390 views
Re: blocking Youtube completely, Security / SD-WAN, 3 kudos, 5305 views
Re: VPN: Which algorithms are chosen?, Security / SD-WAN, 2 kudos, 2201 views
Re: speed test when load balancing is enabled, Security / SD-WAN, 2 kudos, 1721 views
Re: Content Filtering, Filtering, Security / SD-WAN, 1 kudo, 972 views