Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About DevOps_RC
DevOps_RC
Getting noticed
Member since Aug 30, 2022
2 weeks ago
Community Record
72
Posts
67
Kudos
1
Solution
Badges
2 weeks ago
2 Kudos
Setup a test user to see if it would show what could be applied to the users/groups, but all I received was the following: So what is the Meraki definition on 'channels' (Out with wireless content)? Curious what the 'Other accesses' are, but suspect these are in relation to SGP. I appreciate that admin users are listed in a separate section, but it would be nice to manage all user based permissions including admin in a single location, and have a little more granularity in what permissions could be assigned (SSID controls potentially).
... View more
Oct 10 2024
7:38 AM
@Ryan_Miles , Don't suppose MR30.7 include radius over DTLS support? Can you confirm that MR APs only support Radius over TLS as @KarstenI has suggested.
... View more
Oct 10 2024
7:36 AM
2 Kudos
Thanks for the information. I appreciate that there are two versions of Rasec, radius over TLS and radius over DTLS. I thought your suggestion couldn't possibly be right, I mean why would Cisco take two different approaches in securing Radius....but I tip my hat to you. All the documentation I can find (https://documentation.meraki.com/MR/Encryption_and_Authentication/MR_RADSec) states that Meraki Radsec uses TLS (Only tcp connections can be seen in the packet captures to prove it), whereas and I'm struggling to find an official Cisco ISE document, I did find this article (https://www.wiresandwi.fi/blog/cisco-radsec-part-1-radius-tls-dtls-overview) and it states 'Throughout this series, we will use RADIUS over DTLS for our RadSec implementation, since this is the only mode available for Cisco ISE.' Oh dear......Anyone from Cisco want to jump in and say, 'Don't worry, upgrade to the latest version of ISE and it will support Radius over TLS'..or someone from Meraki instead want to say 'No worries, MR3X supports Radius over DTLS'??? Please.....
... View more
Oct 10 2024
7:24 AM
Apologies for the delay in responding. I'm just going to upgrade my test lab to that version now, and I'll provide an update hopefully later, if not Monday.
... View more
Oct 8 2024
2:33 AM
Good Morning, Just wondering if anyone has managed to setup radsec between Meraki APs and Cisco ISE. I'm certain I've setup both environments correctly, but authentication (pass or fail) isn't showing with the ISE logs, so suspect it's an issue with the radsec initial connection. When importing the Meraki certificate into ISE, which service should this trusted certificate be used for? (See below) Apart from that, the certificate I have imported into the Meraki dashboard is the Root certificate of the chain that the ISE certificate uses for radsec: ISE Cert>CA Issuing Server Certificate>CA Root Server Certificate. I tried to import the issuing CA certificate (Middle of chain) into Meraki, but it complained that it wasn't a root Certificate, so assume it just wants the root and no other parts of the chain. ISE Network device object is setup to use DTLS on 2083 using it's fixed password radius/dtls Radius setting within Meraki access control is setup to use radsec with that password on port 2083 No acls or firewalls blocking access between APs. Works perfectly well without radsec, but as soon as the config is changed to use radsec it doesn't work. Any thoughts? Logs in the Meraki AP when trying to authenticate via radsec:
... View more
Aug 12 2024
4:42 AM
2 Kudos
Just enabled the Assurance EA feature, and will need to send out an email to the other support staff to stop them panicking about all these alerts/warning that are highlighted...They have always been there, but from this page, they are more visible IMHO. Anyway, again appreciate its still in development, but is anyone else getting alerts/warnings for wireless connections, but it's using the original names for the SSIDs? I suspect it's due to my networks linked to network templates, rather than configuration directly applied at the network level, but curious if anyone else has spotted this. I have feedback to Meraki on this in the meantime.
... View more
Thanks for the quick response...I've created additional SSIDs and linked the sensor button to these networks....My issue is that the names of the networks can't be the same as the originals as they are creted at the template level....Maybe I'll feedback asking for the toggle function to have the ability to disable/enable at the template or network level. 🙂
... View more
We've just setup our first MT30 sensor to enable a site to toggle specific SSIDs on/off, and it does toggle the SSIDs....The issue is this site and it's SSIDs are linked to a Network template, and the toggling is performed at the template level, not at the Network SSID level. Apart from configuring duplicate SSIDs at the local site, is there a fix/workaround for this?
... View more
Thanks for the responses and advice on how to make requests. I've submitted my 'feedback' requesting this functionality/feature. I appreciate this wasn't the correct location to make the request, but I was curious to see if anyone else would want it or not, even though I didn't ask if anyone else thought it would be useful. 🙂
... View more
Could we please have the ability to customise the Called-station-ID when configuring access policies on switches, similar to the options we have for wireless policies: At the moment, this is a fixed value: Called-Station-Id: Contains the MAC address of the Meraki MS switch (all caps, octets separated by hyphens) Even if it could include TAGs by default would help when configuring our radius server policies. We currently assign Vlans for wireless endpoints and these are determined depending on which device/site is making the request (TAG identifier) as well as which authenticating AD/Group the endpoint belongs too. We would need to import every switch MAC address into our radius server and then group them into the different site/device types, in order to ensure the correct dynamic vlan is assigned. While this is possible, the on-going maintenance of this will be problematic, whereas if we could include the TAGs of the switch, we wouldn't need to make the changes on our Radius server. I hope this makes sense.
... View more
Apr 17 2024
12:51 AM
Thank you all for your replies. The interfaces/networks on the MX are more complicated than in the diagram, I just simplified it to try to remove any confusion. We have 5 different vlans/subnets, each with their own source-based route as the MX is also used to tunnel some wireless traffic, and the default gateway for each of these subnets is actually the router, which has those 5 interfaces/subnets on them. I think the issue is routing, but on the return of the traffic. If I disable all firewall rules traffic originating from 10.1.0.0/24 can get to 10.112.5.0/24, however traffic originating from 10.112.5.0/24 passes through the MX to 10.1.0.0/24 (As can be seen in packet captures) and I can see the responses, but I suspect it's then following default routes, rather than source based routing for the return traffic. I'll confirm this by running packet captures on the different interfaces on the MX and check for the reply traffic going down a wrong route... The firewall rules are working correctly as the ACL hit count is increasing as I send test data, so not as I originally thought being an issues with L3 firewall rules. Once again, thanks for your responses, hopefully I can figure this out.
... View more
Apr 15 2024
7:46 AM
Good day all, We have the following setup (roughly): I've simplified it in the diagram, as we technically have multiple vlans off the different connections, but basically I want to prevent all traffic from 192.168.0.0/24 getting to 10.1.0.0/24, but allow 10.112.5.0/24 access to 10.1.0.0/24. I can create the rules, and while traffic appears to be blocked, the allow isn't. Is the issue that the subnets that are the sources aren't locally set on the MX appliance as they are routed from the 172.16.0.0/24 subnet? I have a source-based routing enabled on the 10.1.0.0/24 subnet to default route through 172.16.0.0/24? Any help would be appreciated.
... View more
Feb 26 2024
1:21 AM
My apologies for not responding to your query, region is Europe (UK).
... View more
Feb 26 2024
1:20 AM
1 Kudo
Good Morning, I thought I should drop an update on this issue after raising a support ticket with Meraki. In short, the issue I have (Config history not being visible) is due to being logged into the dashboard with a SAML linked account. When I log in with a local Meraki account, I can see the config history tab. Meraki support are aware of the issue, but at present don't have a timeframe for this to be fixed for SAML linked accounts. If I receive any further updates on this issue I'll post it here.
... View more
Feb 12 2024
8:43 AM
Thanks for the clarification Ryan. Looking forward to this function to (hopefully) simplify our update on Catalyst monitored switches.
... View more
Feb 12 2024
1:47 AM
So I missed this announcementhttps://community.meraki.com/t5/Cloud-Monitoring-Resources/Catalyst-Switches-Firmware-Upgrades/ta-p/222885 Looks great, except I don't have the 'cloud monitored' tab in my firmware upgrade section. Is this restricted to only a few regions, I'm Europe for my tenancy. Has anyone seen this yet, or used it? Just wondering how it copes with stacked switches and your thoughts on the function/process please.
... View more
Feb 12 2024
1:43 AM
I've used the feedback button within the switch list page to make my request, as the actual button for use on the the switch page itself is obscured by the 'Help Centre' button: Maybe make the help centre button moveable??
... View more
Feb 7 2024
6:08 AM
1 Kudo
Afternoon. I was wondering if it would be possible to request a feature which I don't think is currently available for catalyst monitored switches. Ideally I would like the log of the switch to be passed to the dashboard, so that we can review the logs within the event log of the switch in the dashboard. Please.
... View more
Feb 1 2024
3:00 AM
1 Kudo
While it's not a perfect tool, the AP neighbour section, might provide evidence as to what is causing the high interference. It's an EA function, so you need to enable it: Once enabled, you can then drill down into each AP to look for overlapping/Interfering APs: Alternatively the RF Spectrum section might provide some evidence, but neither of these tools will identify what would be causing any non-802.11 interference...you'll need some proper kit to determine and identify those issues..... Best advice is the same as @Brash and @alemabrahao , try to get your devices to prefer the 5GHz frequency. I've used band steering and client steering within the Meraki config, but I've had to disable them as it seemed to cause connectivity issues. Good luck, I hope you manage to move your clients towards less cluttered spectrum 🙂
... View more
I was just checking an AP had come back online, when I noticed in the timeframe (Last 2hrs, Last day, etc) had a new entry: I'm guessing this is a bug, and not a new feature of reviewing the last 54 years of connectivity for an AP. 🙂 Unless the 'lifetime support' is going to a new level..;)
... View more
What you are detecting, could that be anything to do with the mesh network, or attempting to create a mesh network on the 6GHz?
... View more
We have very few 6GHz clients, currently one SSID (WPA3 OWE) for public access. We are also testing WPA3 802.1X for migrating our windows clients over, but only a handful of devices which would support the 6GHz range, what I can't figure out is what is causing high utilisation on the 6GHz for a lot of our APs. Starting to think it's a bug on the graph...hoping its a bug 🙂
... View more
Jan 30 2024
2:34 AM
We have a similar setup, two pairs of MX450s in different DCs. It is possible to setup 'secondary concentrators' for tunnelling SSIDs, screenshot below: We split the connections to different HA pairs of MX450s to spread the load, but have secondary concentrators setup in case of DC failure.
... View more
Just wondering if anyone is experiencing the same as myself in relation to the channel utilization on the 6GHz range. A lot of my APs are showing high channel utilisation in the 6GHz range in the graph view, but in the view for the channel that the radio is using itself, it's showing 0% generally, occasionally 1%...But as can be seen from the screenshot, the graph seems to indicate 20%+. This seems to be the case on most of my APs, that the two values don't just not match, but aren't even close.
... View more
I could be wrong with this, but the 2FA settings applied is for the accounts assigned permissions, but not SAML linked accounts, but depending on your external identity source, you should be able to apply MFA to the Meraki application/Enterprise App (Azure terminology) within that identity source.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 8 | 838 | |
| 6 | 1187 | |
| 4 | 1461 | |
| 4 | 1079 | |
| 3 | 8040 |
© 2024 Cisco Systems, Inc.
