SLO would be expected to be initiated by the IdP, instantly revoking access via the Meraki. It's up to the implementation to correctly support it, which Meraki seems disinterested in (as evidenced by this very long, very old, and very ignored forum thread).
In addition to what @PhilipDAth suggested, you can enable client VPN on those vMX to create a secure tunnel from your internet users (assuming those are your corp users).
I wouldn't consider or use OSPF as the route advertisements are only unidirectional -- from vMX to upstream, and you will need to manually configure the Azure ranges as local subnets in vMX. BGP is 100% what I would go for, and I would consider Azure Route Server to peer with. I didn't recommend directly peering between vMX and PA because Azure handles routing differently, and the traffic will have to hit the Azure SDN, which means you will still need to configure static routes in the Azure route table for the traffic between vMX and PA.
We are a 24/7 business that needs 100% connectivity uptime (or as close as you can get) so we run SD-WAN over mainly MPLS circuits, with a few direct internet ones. We added the SD-WAN layer for load balancing that doesn't drop traffic when one of the circuits goes down for maintenance. The MPLS has guaranteed latency between sites, whereas the internet connections do not.
SAML support is available, but you need to call Meraki support to have them enable it for the client VPN. That allows you to authenticate straight to Duo, Okta, AzureAD, etc., without the RADIUS server. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication I'm still not sure what kind of policy control you'd be able to apply, though.
Hi viksep, you will need to configure the RADIUS server under the [radius client] section, then under [radius server auto] you will need to input the MX details to act as a client. If you are running this DUO proxy on the same machine as your RADIUS server, then please change the port of the proxy from 1812, because that is what I am assuming you are using for your RADIUS server already, so the DUO proxy has to listen on a different port to authenticate users. Please check my short video of the integration, but note that I used direct integration with AD instead of RADIUS; the concept is the same. https://www.youtube.com/watch?v=0kmNsun48Wc&t=20s
Hello, I have the same problem with an HP 2620 PoE+ 48-port switch and MR42E. Did you find another solution without buying a dumb switch? Thanks in advance.
Hi @Philip, the best way to have a public IP behind the MX100 is to perform 1:1 NAT --> (double NAT-ting), so the LAN and public IP should be the same on the NAT rule; when the traffic leaves the MX it will have the same public IP to the ISP. You need to make sure the public IP is routable via the internet. https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX Please make sure to allow the remote IPs for the incoming traffic if you need these public IPs to be reachable from the internet.
Rebooted everything in the net: APs, switches, router. That helped. I guess some caching issue somewhere, and not sure exactly where in the net the issue was. But it helped.
Hi Tim, let me first advise you on how NAT works with APs, and then I will cover best practice for Guest and Corp traffic on wireless. If you set one SSID to be in NAT mode, the users will get an IP within the 10.0.0.0/8 range which will be generated from the access point itself, and these IPs will get NAT-ted out with the AP management IP and then follow the routing table of the network. When you configure the SSID in Bridge mode, you will see all Layer 3 decisions happen on the upstream device to the AP. To separate the Guest traffic or isolate it, you will need to apply Access Lists or Firewall rules on the upstream devices to stop the management IP of the AP from talking to the other subnets, which can be tricky if you don't manage the routers or firewalls. The best option to isolate the Guest traffic is to use an MX at your DMZ or gateway and tunnel the guest SSID, so the traffic will be encrypted all the way from the Access Point to the MX and then break out from there. You can install a centralized MX, tunnel all the Guest traffic to that box, and break out to the internet from there. Please check this document for more information. https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roaming_-_VPN_Concentration_Configuration_Guide
I am not sure if this video will help to show different authentication methods. https://www.youtube.com/watch?v=TQNgh5m5ehU Let me know if that helps.
Hi, I have created a video with a step-by-step guide that you can view below: https://www.youtube.com/watch?v=mMSSfy_mIlQ&t=646s https://www.youtube.com/watch?v=TQNgh5m5ehU