Why you want to nat vlan 50.   Make vlan 10 native on the trunk to the ap and assign the ap management a ip in vlan 10, then run the guest ssid in nat mode.   Tag vlan 50 or for example 100 on the trunk to the ap.   Then set internal ssid to bridge mode and tag this ssid with vlan 50 or 100.   Fw must then have a vlan 50 or 100 with ip 172.16.100.1     ... View more

@ww, yep, it’s a nice new way to do LDAP auth. Discovered it a little while ago, and can see where it fits into the mix, but the ‘standard’ RADIUS is going to provide more flexibility as you can return a Filter-ID to apply a group policy. But the Local Auth option should be good where the link back to the user identity store isn’t reliable since it’s designed to cache credentials.   Hopefully Meraki can find a way to extend this using some other protocol (ROPC?) to Azure AD, for those people who use native Azure only. ... View more