Відео

Hi Reza, that is only if you want to do MAC based authentication without user credentials. This option might be a good for non-dot1x capable devices. Check my other video that might help to solve your problem Meraki AP and RADIUS integration

No, you just need the token either the old one or generate a new one from the Meraki dashboard -vMX and attach it to the new application in Azure.

Yes but you can also do range as client if those AP IPs can be summarized.

That is great to hear.

Just wondering if you added the APs subnet/IPs as clients to your NPS server?

Just Power point, nothing fancy :D

forgot to mention - all resources in EU are built on Azure, and we are using ExpressRoute to connect China Telecom.

Hey, so to build a tunnel from outside mainland China to inside is a challenge due to the Chinese firewall, hence i suggested in this video to use alibaba core to route the traffic from China to outside. Can I ask, why you want to build non Meraki VPN?

@@FadyNETDecoratorsHi, thanks for reply! Basically we have a channel from China Telecom (MPLS?) which helps us to bypass Great Firewall. I can ping vmx in China and EU. I suppose we have two different org (China and Global meraki), this is the reason why non-meraki peering is only the option. Or I'm wrong here? I simply see no options for AutoVPN on Meraki dashboard.

If you have a private connection between China and global, then you can use routing to advertise your global subnets to China and vice versa. Here is what I mean: - China MX connects to your MPLS and configure the local subnets (with all your global IPs) so your Chinese network can route the traffic to and of course make sure the return traffic is configured - Global MX also need to be connected to MPLS and configure the local subnets with all your Chinese routes. We won't use any tunnels to connect both orgs, we will just use routing. You can configure BGP with the MXs in China & global and your MPLS, you just need to make sure that those MXs are in concentrator mode.

It can be achieved now by using NAT feature on the vMX so remote subnets of your MXs can be NAT-ted with vMX IP which is known within your Azure environment.

Thanks, If you are talking about the DUO cfg file, the IP there is the RADIUS server IP not the MX. if you want to add the MX as a client to your RADIUS server then the answer is yes, the IP is the WAN IP of the MX.

@@FadyNETDecorators Thanks for responding Fady. In the AuthProxy.cfg file, the ad_client host is the radius IP. What about for the radius_IP_1= what should I put?

@@graciesager Thanks Gracie, radius_IP_1 would be the MX WAN ip address, sorry I missed that part

@@FadyNETDecorators That's what I've been using all along Fady but keeps timing out. Seems not hitting AD at all. Validation is good though. Any ideas? Thanks

@@graciesager That is interesting, is it possible to check the routing at least to confirm the traffic is hitting the AD?

Hey Bmuvi, Dot1x needs certificate to encrypt the traffic and you should manage CA to issue and control those certificates but that has nothing to do with Meraki, its more of the way Dot1x works.

Hi Ravi, My colleague Yuji has written really fantastic blog about the use case of using LDAP directly with AP using the local Auth feature, please check the blog post here. apicli.com/2021/12/13/meraki-mr-802-1x-with-azure-active-directory/

@@FadyNETDecorators i will go through. Thanks for quick response.

Hi Tariq, one thing to note, Azure might not allow you to DNAT the remote subnets from the branches as they are not defined as Azure VNET, hence I am having this Cisco virtual router to NAT the branch subnets.

Hi Erick, Please check this video that I created sometime back for that use case ua-cam.com/video/LzsNZW-NpP4/v-deo.html

Sorry about that

Hi Eddie, I wouldn't recommend connecting the MPLS to both the LAN and the WAN of the same MX, but if you want to split your MPLS link into 2, you can use a switch and ask your MPLS provider to at least give you /29. Normally ISP will provide you /30 with a single interface.

Thanks Aung

That will happen if the MXs loose the heartbeat from the LAN side. If you run packet capture on the LAN and check if the heartbeat messages are received, if so I would recommend to open case with Meraki support as you might have faulty hardware.

@@FadyNETDecorators Thanks for quick reply. Is a cable to each MX250 the recommended configuration for heartbeat?

No direct cable is required. You just need the two MXs to share the same LAN, the heartbeat is happening over multicast address

Hey Ali, currently, there is no native integration between Meraki wireless and Azure AAD. You will still need a RADIUS server to be the man-in-the-middle, something like Cisco ISE or Windows NPS would work.

@@FadyNETDecorators can i do this with a windows server between azure add and meraki?

@@alisanchez3291 You should be able to use Windows NPS as a RADIUS server and connect it to your Azure AD

Will do my best, anything specific you feel will be good to address on MS and MR?

Thanks, I have built a splash page with validating the credentials on local database. Its not dot1x but if you can build the logic, it will work without the need to go to have the DB public ua-cam.com/video/LtmaSYwjaP4/v-deo.html

Thanks mate, happy it helped.

@@FadyNETDecorators very much helped

Yuan, API is an admin key you can generate in your dashboard. Here is the steps for you to enable it documentation.meraki.com/General_Administration/Other_Topics/Cisco_Meraki_Dashboard_API#:~:text=test%20API%20calls.%C2%A0-,Enable%C2%A0API%20Access,-For%20access%20to

In this video, the MX is MX250

@@FadyNETDecorators will any meraki router model able to implement this? or you need MX router series?

@@migy220 You actually don't need Meraki MX or router for this implementation.

Thanks Ian. I did another training (not as detailed) but it covers MX and MS and you can access it here netdecorators.thinkific.com/courses/meraki-the-platform-of-the-future

Thanks Robert, I am also coming from the same background. I feel the right balance between Physical and virtual appliances is the winner.

Hi Glenn, thanks for your kindness. Meraki has different license tiers for vMX (Depends on the size of the deployment). vMX-S / vMX-M / vMX-L (Currently not available in Azure). Below link has the specs to choose which license is suitable for your project. meraki.cisco.com/product-collateral/mx-family-datasheet/?file

Thanks Roseria for your feedback. I will make video for direct LDAP with the AP. Stay tuned :D

Hey, yes, you can do client vpn over 4g, make sure if there is no public ip on the mx to do port forwarding on the 4g modem. Also you can use the dns of the MX to make it easy when the public ip changes

@@FadyNETDecorators I am already getting General public IP from 4G modem. Can i make client VPN with that public IP?

@@shehryarsarwar3109 yes, you should be able to use that public IP. Check the IP on the MX, if its private IP then you will need to perform port forwarding on that modem, otherwise, it should just work.

Hey Roby, you might need to follow this link documentation.meraki.com/MR/MR_Splash_Page/Configuring_Splash_Page_Authentication_with_an_LDAP_Server

you might need to check the VLANs between the AP and the MX. If you have switch in between, you might need to check the native VLANs as well.

@@FadyNETDecorators kewl! thanks for the reply, my VLAN is just the default VLAN 1, tried moving the AP (MR76) to a trunk port but still not getting an IP, my switch by the way is Cisco C1000 in between my AP and the MX.

@@kewlheadkewlhead4038 Try to have the MX trunk port facing the switch with native VLAN 1. Hope that would work.

@@FadyNETDecorators Oppss! my switch (C1000) port connected to my MX is on dynamic (desirable/auto), if i change it to trunk (vlan 1/native) whole network goes down, port turns BLK status

Thanks Rahul

Hi Erie, your assumption is right and the vASA will do the exact same function as the CSR1000V. No caveats out there.. You can use vMX_RG is just a name so you can use it or change it to ASA_RG.

There is no option to use DUO with Meraki credentials. You will need to use RADIUS.

Hi Philip, SecureX is, of course, a great value if you have more Cisco security products in the environment and it will be your command centre from a security standpoint. But if you are looking to perform SSO with AzureAD, that would be possible without the need for SecureX. I am planning to a video about AzureAD SSO and JumpCloud to help the audience to see the process across on-prem as well as Cloud-based AD solutions. Any other platforms that you think will help, just let me know.

Hi Joey, thanks for your question. We can use BGP to inject the routes instead of using static for sure, but please note that we still need a router to perform NAT as Azure won't perform the NAT for non-VPC subnets. In terms of High Availability, you will need to consider Azure Route Server and some scripting for the failover. Here is great info about the deployment githubmemory.com/repo/MitchellGulledge/Azure_Route_Server_Meraki_vMX

Nevermind, I figured out my IP scheme on default was not 10.1.1.0 but 10.0.1.0.

oh great, let me know if you have any questions.