Hey Miles, I am 1+ Phil's answer here. one right way to do this would be to get it on the ISP line, and prevent it before it gets to you. We have Colt IP Access, and I am persuing their IP Guardian.  I know Colt services are quite globally wide spread,  If you are high up on the risk model, or your fallout risk is damaging, maybe you might want to look into Colt's solutions.  here is there info page on it.  https://www.colt.net/wp-content/uploads/2019/07/IP_Guardian_Datasheet-English.pdf   ... View more

Hi Kushan, So - Following the three data center outages which manage Meraki Radius, ( I know, different topic) I stepped back from waiting for (1) Azure Auth and for (2) Meraki Radius to be (1) implemented, and (2) fixed. And set up instead ID-PSKs with group policies and am still using the local Merak user base. Yes it is still a pain, but it at least lets me kind of manage the users in groups as i can see the groups based on the group policies enforced via ID Psk. its not a solution but it is keeping me floating for the moment while we continue to wait.    That said, the latest Microsoft outtage has highlighted an issue and has raised concerns over "should we federate with Azure" if Microsoft has another outtage like this, not only will users have a depreciated experiance with MS tools. but it could knock them off from having an internet connection.   We more or less survived this outtage and ops were not disrupted too much. But man, If they got kicked from using the network, it would have been a really busy day.     ... View more

Hi there LakesideLion, Maybe reach out to me, Daniel.Kritikos@obs.school We are also a fully cloud operational school using Meraki. I have tested the waters with Meraki's own cloud based radius auth, Back then it was not reliable, I switched to identity psk and baked the wifi connection and psk into a jamf mdm config which is pushed out to our devices. this seems to be working well for us.  R.Dan ... View more

I too have DNS issues with meraki. From my testing it is related to the option "use upstream DNS",   ISP DNS = pages load instantly google or any other dns = pages load instantly.   Use upstream which broadcasts the gateway ip as the dns server and then sends the traffic upstreme to the ISP,s dns is where the issue lies.   If you are fortunate enough to not have any configs that are sec dependent on DNS, just change the dropdown on DHCP dns settings from Upstream to anything else. you can manually enter in one or I just selected use Googles Public Problem solved.   But the actual problem is not really solved, there is still an issue with Meraki, case has been escalated.   Hope this helps R Dan ... View more

This is exactly what Meraki has. when you Ent in a network’s settings, you can select where the auth happens in a drop down, this list has Meraki Radius as a selection. When selected, the auth occurs off site in the DC where your installation is hosted. in my case Frankfurt serving Switzerland. Two problems with this, 1. which i have experienced three times now, when their DC goes down, your entire org cannot get on to the network. 2. managing users. just an all-round nightmare, due to their lack of functionality in the user’s section. As mentioned, a few times, they already have SAML functionality setup. When I want to access the dashboard, I need to use my Azure Credentials and Azure MFA to log in. works a charm. What I want is the already present functionality to be extended to the "Meraki Radius" so that we do not have to manage users in Meraki, they simply sign into the network using their "SSO" in my case Microsoft Email address and Password. I just don’t understand why they do not do this as they seem to already have the system in place. ... View more

Hi Adimizil, thank you for your message. Would you deply a beta into a live environment? seems risky, especially givin this topic is about authenticating users.   If anything goes wrong, you will be dealing with a very large number of unhappy employees. Then, should you contact support to explain something is not working as expected with the open beta. I doubt you would get support on a Beta. ... View more

@SAtech  Hi SAtech, thanks for pointing this out. In my case this will not work as it is dependent upon having  AWS account  vMX license ISE instance (v3.1) Azure AD Since Meraki can be SSO connected directly to Azure for Admin portal access.  I am waiting and hoping that they will adopt this configuration and extend it to users to allow for access into the network with out the use of an ISE.   Meraki installations already cost a fair ammount, These PreReqs are an added cost for a functionality that Meraki could implement into their existing environment.   R Dan   ... View more

😔So true, a lesson I learned the hard way.  ... View more

@MerakiHell  Your input is unproductive and is off point. Please stay on topic. Your mentioned social media does not provide cloud based sd wan to hardware services. @NovaNinja Good point but sidetracked, my recommendation searves as a base for all environments, such as those that do not use a device managment platform.  @Robert_H Agreed, some form of acknologment that this is even on their radar, with a roadmap would be good. I am quite frustrated with their own cloud based 802.11x radius soultion. on paper its brilliant, no need for an on prem ISE. But we have experianced three times where their Radus services at their datacenter have failed, preventing our entire org from authenticating into the configured ssid. We have had to downgrade to a psk to counter this issue. I also have alot of struggle managing users, ie who i can remove and who is current. with these two major issues on my hands, having an user authenticate via SSO off a cloud AD "like azure in our case" would be epic. @MerakiHell back to your point on MS vs Meraki, also not accurate, I can SSO from AAD to the dashboard for admin control, just not to the wireless network as they are seperated systems.  ... View more

Guys dont mix up Systems Centry Manger, Cloud Auth, and Wireless Auth, they are all seperated in the Meraki ecosystem.   @Meraki  Your community is feeling pain here, come on, you need to get this done. Others have achieved SAML based WPA2 Ent Auth, why can you not catch up.   A. Consoladate the user pages into one.  Org / Admins and Network Users should all be on the same page. B. add logic and enrich the new users page. ie + New User = (selection of user types incl Admins) where the logic can tell the difference, provide wireless and network access as well as "user wireless access", have the 2FA options built in to this area. and like on your Org Admins section, incorporate the SSO section. C. upon sso setup, have a cron or something that is securly connected to "i.e" an AAD to check for the list of users.   So when I get my request to set up a new user, I click that +, I check the sso box, I start to type the name and the text box auto recommends the new user pulled from AAD, and atuo enters their name, and their email. I click save, and they get an email saying to sign into the "org" network simply enter in your email address and your password. a simple session cookie can do the rest. and AND; treat the info as 802.11x. win win win.   You already have all of these options scattered around your dashboard. you just need to push them all together on one page, and do a little logic coding to make them all talk to each other and behave seamlessly.    I told you guys this like 6 years ago, and have pushed this upon you frequently, your "make a wish" response is bs,  We pay you guys enough, I am starting to wonder if the cost is worth it, granted the ammount of problems I am having with your Cloud Radius, and lack of response.   You are in a perfect position, we the community are literally handing the work to you.      ... View more

alright, ill look into it, Cheers Uncool ... View more

by the way did anyone else experiance the Meraki Radius server DataCenter going down. has happened to us twice now. they still have not issued a report ... View more

sweet. do you have any clips or docs on your installation? something for me to follow.  ... View more

Can one push a portnox agent onto IOS? ... View more

what os's we have a heavy ios dependency. ... View more

No any PSK on an ent network is a bad idea.  Of course it depends on how much a malitious vector can inflict on your network. but these days cracking a key is a walk in the park.    at least with 802.11x their shot is limited to one user. if you have a psk with attempt rules, if i fail multiple handshakes with one user, i can just move onto the next. at this point in the hands of somone like me, your fairly screwed at this point.  the problem i am faced with is where to balance the level of security over the level of convenience.   we had a temporary situation where i needed to psk out to the org, but we also had an mdm. so i created the most rediculas password somehting like 256 chars long mixing all dictionaries,  saved it to a wifi mdm profie and pushed it out to all devices.    but in any other circumstances, i would never use a psk in an ent or corp. the risks are too high. ... View more

Hey "UnCool",    Lets talk, I am looking for an alt solution to Meraki radius to auth users of meraki on to the network. Id love to hear how you managed it with Portnox.   Please drop me a mail Daniel.Kritikos@obs.school ... View more

Two Years on, I am still waiting for this. Has there been any progress on this yet?   I need my users to be able to connect to the wireless network using their office 365 credentials. I have Meraki SSO set up for admins to access the dashboard, but I really need to see better user managment options. and the golden nugget here would be users using AAD creds to authenticate.   ... View more

I should add that when they loose internet access, it can and mostly does randomly reconnect again after a few mins of trying.   sometimes just switching the iPad wifi off and on again get the connection back. other times however deauthenticating "forgetting ssid" and logging back in is the solution.   but in general, even though it shows an auth issue, it has nothing to do with a user logging in "incorrectly".   R Dan ... View more

How do you solve this issue if you are using Meraki's own radius server.   We a few sites under a template. we are compleatly cloud, nothing in house apart from Meraki.   describing 2 of our sites to try keep it simple ISP fiber 1g up and down on all. 2nd Wan faillover copper 500 500. Site A (modem mx450 ms210 and a few APs MR 55s 442s 33s etc) Site B (modem mx84 ms210 and a few APs MR 55s 442s 33s etc) Site C (modem mx68 ms120 and a few APs MR 55s 442s 33s etc)   the config on these sites is simple and basic, no vlans class c 172.16.0.0/20   and on all 3 of them for years now Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='x' first_time='0.044370560' associated='false' radio='1' vap='0'   the majority of the devices are IOS. the directory is meraki controlled using meraki's own user db and 802.11x Meraki Radius   all the devices are / have logged in, and are/have worked on the single ssid. but often through out the day, they loose internet access and when i look at the wireless health i am seeing  a mid to high %fail to auth. and the log is flooded with  Client failed 802.1X authentication to the RADIUS server.type='802.1X auth fail' num_eap='13' first_time='0.044370560' associated='false' radio='1' vap='0'   Ive been working with a cisco meraki engineer for a few months on this now and were not making any progress. So i thought it cant hurt to share my brick wall of a situation with you guys   any suggestions. Ive done so much trouble shooting that there is no point it trying to remember what ive done. Hit me up with an idea and i will either try it or tell you that i have already tried it.   ps monitor mode pcaps for this situation we are having are not possible.   any advise or help is extreamly appriciated. Regards Dan Daniel.Kritikos@obs.school.ch +41763751768   ... View more