Hi @Chrisgw , that is a good point.  Likely, most modern IdPs offer methods to dynamically discover changes in the user base, for instance through webhooks and APIs like Microsoft Graph’s "delta" API. In our solution, when a user is deleted from the IdP, their account (or iPSK) is automatically disabled. We also support IdP-based group mapping with most providers (including SAML-based and Shibboleth systems) to assign the correct group policies for different groups. This means that even a change in group membership on the IdP can automatically trigger the termination of WiFi services if needed. In some cases, we've been asked to publish onboarding pages on an SSID via a captive portal. However, using SSO with Entra on CNA browsers may result in an infinite loop when MFA is active. To address this, we also offer a passwordless onboarding process where: The email is looked up in the IdP. A magic link is sent to the user to confirm ownership. When the user clicks the link, their account is created on the fly, and they gain access to their own iPS. For IdPs that lack back-end APIs (like Shibboleth), we provide built-in options to periodically suspend accounts and require re-authentication. Moreover, while the cloud iPSK supports up to 5,000 iPSKs per network, Easy PSK scales to unlimited users—offering cross-branch roaming, comprehensive logs and reporting, and additional AAA-based policy enforcement — and with no need to onboard devices by providing MAC addresses (... no end user should be required to know what a MAC address is...)   ... View more

Hello, Did you make it work ? If yes, would you be able to share some pointers? Currently I am stuck in same  situation. ... View more

In additional to what @PhilipDAth suggested, you can enable client VPN on those vMX to create a secure tunnel from your internet users (assuming those are your corp users). ... View more

I wouldn't consider or use OSPF as the route advertisements are only unidirectional -- From vMX to upstream, and you will need to manually configure the Azure ranges as local subnet in vMX.   BGP is 100% what I would go for, and I would consider Azure Route Server to peer with. I didn't recommend directly peering between vMX and PA because Azure handles routing differently, and the traffic will have to hit the Azure SDN., which means you will still need to configure static routes in Azure route table for the traffic between vMX and PA. ... View more

We have tried all older firmware versions. problem still continues  ... View more

You need to create a transform rule with the below parameters.     ... View more

Congrats @cyberdojoninja  ... View more

We are a 24/7 business that needs 100% connectivity uptime (or as close as you can get) so we run SD-WAN over mainly MPLS circuits, with a few direct internet ones.  We added the SD-WAN layer for load balancing that doesn't drop traffic when one of the circuits goes down for maintenance.   The MPLS has guaranteed latency between sites, whereas the internet connections do not.   ... View more

@WarrenG did you manage to find a workaround? i'm in the same dilemma - blocked access to/from china and need to allow one domain... ... View more

is there any opensource that is acting as radius proxy similar to duo which can be used for 2fa?? ... View more

Hi viksep   You will need to configure the RADIUS server under [radius client] section then under [radius server auto] you will need to input the MX details to act as a client. if you are running this DUO proxy on the same machine as your RADIUS server then please change the port of the proxy from 1812 because that is what I am assuming you are using for your RADIUS server already so DUO proxy has to listen to a different port to authentication users.   Please check my short video of the integration but note that I used direct integration with AD instead of RaDIUS but the concept is the same.   https://www.youtube.com/watch?v=0kmNsun48Wc&t=20s ... View more

Hello,    I have the same problem with a HP 2620 POE+ 48Ports and MR42E.   Did you find another solution without buy a dumb switch?   Thanks in advance ... View more

thanks, I understand. ... View more

Hi Tim   Let me first advise you how the NAT works with APs and then will cover best practice for Guest and Corp traffic on wireless.   If you set one SSID to be in NAT mode, the users will get an IP within 10.0.0.0/8 range which will be generated from the access point itself and these IPs will get NAT-ted out with AP management IP and then it will follow the routing table of the network. When you configure the SSID in Bridge, you will see all Layer 3 decisions will happen by the upstream device to the AP.   To separate the Guest traffic or isolate it, you will need to apply Access Lists or Firewall rules from the upstream devices to avoid the management IP of the AP from talking to the other subnets which can be tricky if you don't manage the routers or firewalls.   The best option to isolate the Guest traffic is to use MX at your DMZ or gateway and tunnel the guest SSID so the traffic will be encrypted all the way from the Access Point to the MX and then breakout from their. You can install centralized MX and get all the Guest traffic tunnels to that box and breakout to internet from there.   Please check this document for more information. https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roaming_-_VPN_Concentration_Configuration_Guide     ... View more