Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About SteenSN
SteenSN
Comes here often
Member since Jun 5, 2018
May 2 2023
Community Record
8
Posts
0
Kudos
0
Solutions
Badges
I have now tried all the settings below 'Security appliance only' and none of them works. I tried to blacklist a single website with no luck. However, all setting work when I manually choose to set the device policy for the client to the same group policy My conclusion is - at least in my setup with WPA2 enterprise and RADIUS - that AD groups mapped to Meraki groups only gives the client part of the group policy (layer 3, layer 7 and traffic shaping rules) and that the last part of the policy (security appliance only) is controlled by device policy that has to be set manually.
... View more
Thanks a lot - I'll try that tomorrow
... View more
Here are my settings: I have blocked every URL pattern (*) only allowing the ones I have whitelisted. This part is only working if I set the device policy to the group policy name manually.
... View more
You are quite right - the trouble however is, that it's precisely what I've done: I have no trouble mapping the AD-group and the Meraki policy - only trouble is, that I only get layer 3, layer 7 and traffic shaping rules - none of the rules listed under "Security appliance only" in the Meraki group policy page are working. There seems to be a difference between 802.1x policy and device policy. My testing shows, that AD groups only control layer 3, layer 7 and traffic shaping rules of the Meraki group policy. The last part (the rules below Security appliance only) has to do with a device policy, that needs to be set manually.
... View more
The part that isn't working is the settings on the image to the right. The image on the left shows a client which received the 802.1x policy "EksamenStrict". Below you se no rules for layer 3, layer 7 and a single traffic shaping rule. These rules work fine (also layer 3 and layer 7 if there were any) But note that the device policy says "normal" If I change the device policy to "group policy" and select the "EksamenStrict" Meraki group policy, then the rules on the above image works. It seems as if 802.1x policy only applies to layer 3, layer 7 and traffic shaping rules - the mapping of AD groups and Meraki groups does not include "security appliance only" rules - unless you manually set the device policy.
... View more
I have already linked AD groups to Meraki groups and it works - for layer 3, layer 7 and traffic shaping rules What I want is to.be able to put students into AD group on the day of their exam, where they are allowed to use their computer but with at lot of restrictions - here I need the security appliance only restrictions so I can limit their internet access only to a few websites. That AD group maps to a Meraki group - let's call it "RestrictedExamAccess". All clients get the right 802.1x policy but it only maps to the layer 3, layer 7 and traffic shaping rules of the Meraki group policy. For the security appliance only rules I have to manually set each device policy to "RestrictedExamAccess" - which is a poor solution when it has to be done for hundreds of students
... View more
Yes I have set up NPS and use 802.1x WPA2 enterprise with RADIUS
... View more
I have followed this guide https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Integrating_Active_Directory_with_Group_Policies and it works for layer 3, layer 7 and traffic shaping rules. The wireless client gets the layer 3, layer 7 and traffic sharping rules just fine, but no security appliance only rules. My only option to get the security appliance only rules (i.e. blocked website categories, blocked url patterns and so on) to work is to manually set det clients device policy to the same group policy as the 802.1x policy. Then it works fine. But I don't want to set every clients device policy manually in the dashboard in order to get the security appliance only rules to work. What I would like is to control the group policy including the security appliance only part through active directory group membership. Is the no way to automatically include the security appliance only part of the group policy automatically?
... View more
© 2024 Cisco Systems, Inc.
