@Uberseehandel I think marketing handles the whitepaper, but perhaps @CameronMoody knows who exactly.  ... View more

See here for Meraki hosted authentication: https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication ... View more

If this is a new install, you'd be better off with the MX250 or MX450 as those are the new MX platform. The MX450 is higher performance than the MX600 and rated for up to 6Gbps.  ... View more

It sounds like you don't have a RADIUS server set up if you don't know the host/port/secret. You'll need to run your own RADIUS server such as NPS on Windows Server. See here for documentation from Meraki: https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points   You could alternatively use Meraki hosted RADIUS if you are okay with doing user auth instead of MAC based auth. Keep in mind that MAC's are very easy to spoof.  ... View more

You'll need a router in front of the MX to run BGP. Or you could just allow the ISP's to do the BGP as @PhilipDAth suggested.  ... View more

@PhilipDAth CMNO isn't for partners.  ... View more

The MS220 series is not a Layer 3 switch so it will not do routing for you.  ... View more

There is no noted user limit when using Meraki hosted auth. See here for the documentation: https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication ... View more

@JoeTG I saw the same issues with the random refresh. No fix that I could find. Probably something in Dashboard we can't control.  ... View more

I think the HPE/Aruba DAC would probably work fine on the MS250, but would obviously not be supported by Meraki if you needed assistance. Same for using a Meraki/Cisco DAC with support from HPE/Aruba. Meraki doesn't block the use of 3rd party transceivers in firmware, however I have seen some rumblings that HPE/Aruba is beginning to do this in recent firmware revs.    You could also use SFP+ SR transceivers on both sides with a multimode fiber patch cable in between. This would be fully supported by both vendors assuming you had an HPE transceiver on the 2920 side and a Meraki transceiver on the MS250 side.  ... View more

This is definitely a Windows issue. I have seen this happen only a handful of times and only after the Win 10 build was upgraded (1607 -> 1709 for example). I'd suggest opening a case with Microsoft.    We have a few hundred Win 10 users (all Win 10 Enterprise 1607 or 1703) connecting to Meraki MX VPN without a problem.  ... View more

Do you have a paid G Suite account? ActiveSync is only enabled on paid accounts (or EDU accounts).  ... View more

All MS225 units will continue to run the blower fan at a very high level all the time. This will not be changing and in fact was recently increased again in a firmware update.  ... View more

Your best bet is to open a case with Support and see if they can complete the unenrollment process for you since you've deleted the network.  ... View more

Why don't you use Meraki hosted auth? This will allow you to implement 802.1x auth on the SSID without needing to use MAC based auth and not need an external RADIUS server. See here for how this is set up in Dashboard: https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication ... View more

I don't believe Support was correct when you initially called. As @PhilipDAth mentioned, when that file originally passed through the MX a hash was created. At the time, the file was not known to be malicious so it was allowed. The original event log entry is accurate.    The alert you later received is a change in classification of the file (hence the retrospect mention). If the same file is downloaded again today, it will be blocked now that AMP knows it's malicious.  ... View more

@PhilipDAthwrote: The 10.x code has had control plane policing added to prevent this from happening.   So (IMHO) on 9.x switches it is often better to disable IGMP snooping to prevent the CPU issue, and turn it on in 10.x it on to stop flooding. This does not appear to be working currently, at least on the MS425 platform. The support engineers were all surprised after I applied 10.16 and it made the problem worse (to the point the 425's couldn't even stay booted for very long before crashing).  ... View more

@Adamwrote: Aren't the helper/relays usually on downstream switches to help there know where to look for the DHCP server? I think typically you'd put the helper IP's on the L3 switch for the network. The edge switches don't need to know about them.  ... View more

I know you mentioned MS not wanting to use options 66/67, but have you tried this? I'm not sure there is any real reason why it wouldn't work.  ... View more

@KayouMT Your understanding of 802.1x is correct here. The confusion in this thread is from your original title - "MAC-Based" - as you are not actually trying to do MAC based auth here.    You could use MAC based auth for non-AD devices however, or use AD user auth (instead of computer auth as you mentioned). We typically implement AD user based auth for WiFi so BYOD can be supported and devices can be joined that are not bound to our domain.  ... View more

Engineering has confirmed there is a bug with multicast traffic (perhaps specific to the MS425 line). Enabling multicast routing (even without a rendezvous point) can be used as a workaround until updated firmware is available.  ... View more

This should be the guide you're looking for: https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches_using_Windows_2008_NPS   This may also help for the user side config: https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client ... View more

The example you posted is for switch admin auth with RADIUS, which isn't relevant to MS switches as there is no SSH function available to users.    Are you trying to do MAC based authentication (where you are authorizing the computer's MAC address) or user authentication where you want to use the AD credentials of the user or computer?  ... View more

@Adam When using Windows NPS for MAC based auth, you actually create AD users for each MAC. The username & password are both set to the MAC address. It's a really odd setup, but it makes sense because NPS uses AD as its auth DB.  ... View more

I think this is expected behavior. If you remove a client from Dashboard without first removing all of the tags and then later re-enroll that same client (even if it has a new hostname), it will be detected as the same client because the serial/MAC hasn't changed. At least this is what I see with iOS and Mac devices.  ... View more