Showing posts with label Meraki.

Wednesday, July 23, 2025

Meraki AP Management Changes

I work for a smallish organization, and we have a locked-down network that we use for managing devices; however, we don't run a DHCP server on it. The MR36, unlike the MR32 and MR33, requires a network with a DHCP server for internet access and management of the access point. Trying to double up on a network you already use for Wi-Fi clients causes connectivity issues for those clients.

In the past we would configure the Meraki AP on a network with a DHCP server, then change the VLAN and network settings on the AP to match the statically assigned IP we wanted for the device on our management network. When we did that it worked just fine, as shown below on an MR32.


However, not so with the MR36. Setting the VLANs for the APs worked the same way, but when I switched the AP back to the network without a DHCP server the device became unavailable and stopped routing traffic properly; the AP goes offline. Shown below, VLAN X is a network where devices are statically assigned. When the Meraki switch has that VLAN set as the native VLAN on the AP's port, the AP cannot connect and the dashboard times out.

Switch Settings


Dashboard




But when I change the VLAN to one with a DHCP server (VLAN A), the dashboard becomes responsive again.



To resolve the issue, I had to create a management network for the Meraki APs that has a DHCP server. So instead of using VLAN X, the AP now uses VLAN Y as its native VLAN. When I tried to use a network for double duty, such as VLAN A, the Wi-Fi clients could not connect and their mobile devices gave a connection error.

On my firewall I created a new network (VLAN Y as described above), carried the VLAN through the switches where it is required, and use it as the native VLAN and management network for the Meraki APs.
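The failure above comes down to one question: does a DHCP server answer on the VLAN the AP's port uses as its native VLAN? The script below is an added example, not part of the original post and not a Meraki tool. It sends a DHCPDISCOVER from a random locally-administered MAC and parses the DHCPOFFER, so you can confirm the VLAN will serve the AP before you move it. It never sends a DHCPREQUEST, so no lease is committed. The `probe()` function must run as root on a host attached to the VLAN under test; `sample_offer()` is a constructed packet (not a capture) that lets the parser be exercised offline.

```python
import os
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
OPT_SUBNET, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 53, 54
DHCPDISCOVER, DHCPOFFER = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Build a broadcast DHCPDISCOVER for a 6-byte client MAC and transaction id."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,         # xid, secs, flags (broadcast bit: reply to 255.255.255.255)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (
        DHCP_MAGIC
        + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([55, 3, OPT_SUBNET, OPT_ROUTER, 6])  # parameter request list: mask, router, DNS
        + b"\xff"                                     # end option
    )
    return header + options


def parse_options(data: bytes) -> dict:
    """Parse the TLV options that follow the magic cookie (offset 240 onward)."""
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 0xFF:        # end
            break
        if code == 0:           # pad
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(data: bytes, xid: int):
    """Return the offered lease as a dict if `data` is a DHCPOFFER for our xid, else None."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        return None
    op, _htype, _hlen, _hops, rxid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if op != 2 or rxid != xid:  # must be a BOOTREPLY for our transaction
        return None
    opts = parse_options(data)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None

    def addr(code):
        return socket.inet_ntoa(opts[code][:4]) if code in opts else None

    return {
        "ip": socket.inet_ntoa(data[16:20]),   # yiaddr: the address being offered
        "server": addr(OPT_SERVER_ID),
        "mask": addr(OPT_SUBNET),
        "router": addr(OPT_ROUTER),
    }


def probe(bind_ip: str = "0.0.0.0", timeout: float = 3.0):
    """Broadcast a DISCOVER on the attached VLAN and wait for an OFFER (root, binds UDP/68)."""
    xid = struct.unpack("!I", os.urandom(4))[0]
    chaddr = b"\x02" + os.urandom(5)          # random locally-administered MAC
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((bind_ip, 68))
        sock.settimeout(timeout)
        sock.sendto(build_discover(chaddr, xid), ("255.255.255.255", 67))
        while True:
            data, _ = sock.recvfrom(1500)
            offer = parse_offer(data, xid)
            if offer:
                return offer
    except socket.timeout:
        return None   # nothing answered: an MR36 on this VLAN will stay offline
    finally:
        sock.close()


def sample_offer(xid: int) -> bytes:
    """Constructed DHCPOFFER (not a capture) used to exercise the parser offline."""
    header = struct.pack(
        BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, socket.inet_aton("192.168.50.20"), socket.inet_aton("192.168.50.1"), b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128,
    )
    opts = (
        DHCP_MAGIC
        + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton("192.168.50.1")
        + bytes([OPT_SUBNET, 4]) + socket.inet_aton("255.255.255.0")
        + bytes([OPT_ROUTER, 4]) + socket.inet_aton("192.168.50.1")
        + b"\xff"
    )
    return header + opts


if __name__ == "__main__":
    print(probe() or "no DHCPOFFER received within timeout")
```

Run it from a laptop plugged into the same switch port configuration the AP will get (same native VLAN, untagged). A `None` result on the VLAN you intend to use as native reproduces the "AP goes offline" condition from the post; an offer from the expected server means the management VLAN is ready.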

Thursday, September 29, 2022

Information about Meraki Licensing

When renewing your Cisco Meraki licensing, apply the new license within a few weeks of the invoice. I have gotten conflicting information from the sellers and from Meraki technical support; according to the Meraki support rep, the license is active from the date of the invoice, not from the date you add it to the organization.


Hello Trevor,

As a reminder, the license key is active from the date of invoice completion, which was xx/xx/2022. When the license is added to the organization it will have a license start date of xx/xx/2022. If the license is added as a renewal today, the co-termination date would be xxx xx, 2025 (the organization will absorb the current remaining 88 days). I would suggest adding the license as soon as possible.

You may always contact your Meraki Account Manager if you had any questions or concerns about your licensing or order; **** ****@cisco.com

Thank you again, 

Cisco Meraki Support


So once you apply the license, where can you find your keys? They can be found in the change log. After you apply your license, you can restore your old license by clicking on the undo arrow at the far right (shown below highlighted in yellow).


You will get a popup with a key you can add to update your license. If, however, you miss or close the popup without recording your key, you can get the key from the change log, where it is labelled as an unclaimed license.




You will want to select the latest generated value, as shown below.




This is an ongoing issue; here is a link to a Reddit thread where someone had a similar issue.

Friday, October 22, 2021

Meraki MDM - Fixing Invalid Profile when adding device to MDM

With Apple's iOS 15 update, I found I had some issues to fix with some of our organization's iPads, specifically because they are 16 GB models and were out of space. Also, during the pandemic the push certificate was not kept up to date because the systems were off. Resetting and reformatting the iPads ended up being required. These iPads were store-bought, not purchased directly from Apple, which complicates things. The bad push certificate meant the iPads no longer connected to the Meraki MDM, and when I tried to re-add them using Apple Configurator 2 I got the invalid profile error.



After a lot of pain and troubleshooting, I managed to make some progress on getting these iPads set up again on the Meraki MDM. After updating them to iOS 15.0.2 I ran Apple Configurator, which put them in Apple Business Manager but would not configure the iPads for use with the MDM.

An issue I also found, which caused some of the grief, is that these iPads had somehow been added to an iCloud account, which needed to be removed before I could continue. After removing the iPads from the iCloud account, I set them up for automated enrollment through Apple Configurator 2. Doing this put the iPads into Apple Business Manager but still would not configure them to use the MDM with the push certificate.

I thought I would try adding them to the Meraki DEP, which I was able to do, but this did not help with getting the iPads set up and updated with the push certificate. What ended up being the solution was resetting all the certs (again) and setting up the iPads for supervision only, with no MDM. After the iPads were supervised I was able to add them to the MDM using Safari and the MDM web link. I also had to remove the education configuration part of a configuration profile.




I thought this was odd, but it was causing the following two errors in the Meraki log, which you can see below.

Error: The top-level user “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx” is neither a leader nor a member.

Error: The payload “Your Meraki iPad Profile” is invalid.



Ultimately I redid all the certs between Apple Business Manager and Meraki:
  • the Apple Configurator certificate
  • the VPP certificate
  • the push certificate
  • the DEP certificate
Then I removed the education part of the profile and set up the iPads as supervised-only devices with no MDM, adding them to the MDM manually afterwards. This worked and got the iPads back in working order.
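Before pushing a profile to a freshly supervised device it helps to see exactly which payloads it carries, since "The payload ... is invalid" does not say which one. The script below is an added example and not part of the original post or of Meraki; it inspects an unsigned `.mobileconfig` with the standard-library `plistlib`, flags missing required keys and an Education Configuration payload (assumed `PayloadType` `com.apple.education`, the payload whose leader/member user roles are consistent with the "neither a leader nor a member" error above), and returns a copy with that payload stripped. The sample profile, its identifiers and UUIDs are constructed for the example; signed profiles are handled by refusing them with a hint on how to unwrap.

```python
import plistlib

EDUCATION_PAYLOAD = "com.apple.education"   # assumed PayloadType of the Education Configuration payload
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def load_profile(raw: bytes) -> dict:
    """Parse an unsigned .mobileconfig (XML or binary plist).

    Signed profiles are a DER CMS (PKCS#7) wrapper that starts with 0x30; unwrap first:
      openssl smime -verify -noverify -inform der -in signed.mobileconfig -out plain.mobileconfig
    """
    if raw[:1] == b"\x30":
        raise ValueError("CMS-signed profile: unwrap it with openssl before parsing")
    profile = plistlib.loads(raw)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level Configuration profile")
    return profile


def list_payloads(profile: dict) -> list:
    """Return (PayloadType, PayloadIdentifier) for every payload in the profile."""
    return [(p.get("PayloadType", "?"), p.get("PayloadIdentifier", "?"))
            for p in profile.get("PayloadContent", [])]


def check_profile(profile: dict) -> list:
    """Findings worth fixing before the profile goes to a supervised device."""
    findings, seen = [], set()
    for p in profile.get("PayloadContent", []):
        ident = p.get("PayloadIdentifier") or "?"
        for key in REQUIRED_KEYS:
            if key not in p:
                findings.append(f"{ident}: missing required key {key}")
        if ident in seen:
            findings.append(f"{ident}: duplicate PayloadIdentifier")
        seen.add(ident)
        if p.get("PayloadType") == EDUCATION_PAYLOAD:
            findings.append(f"{ident}: Education Configuration payload present; "
                            "remove it unless the device is part of a Classroom/education setup")
    return findings


def strip_payload_type(profile: dict, payload_type: str) -> dict:
    """Return a copy of the profile with every payload of `payload_type` removed."""
    out = dict(profile)
    out["PayloadContent"] = [p for p in profile.get("PayloadContent", [])
                             if p.get("PayloadType") != payload_type]
    return out


# Constructed sample profile (not the author's real profile): a Wi-Fi payload plus an
# Education payload of the kind the post had to remove. Identifiers/UUIDs are hypothetical.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.org.ipad-profile",
    "PayloadUUID": "0F2B7C1E-1111-4A4B-9C2D-000000000001",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Your Meraki iPad Profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "example.org.wifi",
         "PayloadUUID": "0F2B7C1E-1111-4A4B-9C2D-000000000002",
         "PayloadVersion": 1,
         "SSID_STR": "corp-wifi", "EncryptionType": "WPA", "Password": "redacted"},
        {"PayloadType": EDUCATION_PAYLOAD,
         "PayloadIdentifier": "example.org.education",
         "PayloadUUID": "0F2B7C1E-1111-4A4B-9C2D-000000000003",
         "PayloadVersion": 1,
         "OrganizationUUID": "0F2B7C1E-1111-4A4B-9C2D-000000000004"},
    ],
})

if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    for finding in check_profile(prof):
        print("finding:", finding)
    print(list_payloads(strip_payload_type(prof, EDUCATION_PAYLOAD)))
```

To use it on a real file, replace `SAMPLE_PROFILE` with `open("profile.mobileconfig", "rb").read()`. Profiles exported from a dashboard are usually signed, so expect to run the `openssl smime` unwrap step first.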

Connect the iPads to your Mac, open Apple Configurator 2, select the iPad or iPads, and select Prepare.


Select Supervise devices and Allow devices to pair with other computers.


Select Do not enroll in MDM.


Select the organization.


Configure iOS Setup



After the iPad has been supervised, it can be connected to the internet.

Un-Supervised Device

Once the iPad is supervised, the Wi-Fi screen shows up; when connected, the iPad can then be joined to the MDM via the enrollment URL/link. You must use Safari to connect to the MDM.

iOS Screen

I was able to use Safari to get to the enrollment URL/link and join the MDM, and the profiles were applied right away. However, before you do this, if there are apps you want to use that were purchased under a specific account, you will have to sign into the iPad with that account before loading the MDM. Otherwise you will lose access to those apps.

Meraki Network Registration

 
Sign in with Google

Sign in with a Meraki email.

Enter the password

Finds the MDM network

Allow the profile to download to the iPad

Close the alert and open the settings



Click on Profile Downloaded

Install the profile



Trust the certificate from the MDM





Once the profile is installed, the iPad will start reconfiguring to what you have set up for the profile on the MDM.





In short: once the certificates were redone, I used Apple Configurator to just supervise the devices, then used Safari to add them to the MDM. Once there I was able to set them up as before in Meraki, adding and removing profiles as required for apps.




Wednesday, July 07, 2021

Meraki MX64 Review

 

I have had the good fortune of being able to have a look at the Meraki MX64 router/security appliance from Cisco. Since I use pfSense, I was interested in seeing what this locked-down proprietary appliance was all about. At my work we are using Meraki switches and have been very happy with them: they are easy to set up, configure, and manage, and the web-based management system gives you a wonderful single pane of glass to view everything. I was interested in seeing if the router was as easy to set up and manage.

Like all Cisco Meraki products, you add the device by going to the Network-wide menu and choosing Add devices, as shown below.


Then press the Claim button on the right-hand side of the screen, across from the search box.


You will get a popup asking for the serial number of the device or the order number(s).


Then put in the serial number; if you don't have the order number or email, you can find the serial number on the bottom of the device.


After that you will need to add the license for the device, which comes from your provider. If you don't have a license, you only have 14 days in which you can use the device before a license is required.


Select "Add another license".



Input the license key provided by your provider. Select the operation "License more devices" (as we are adding the router to our existing Meraki organization).


Once that is done, you will have a new sidebar menu called Security & SD-WAN if you didn't have a Meraki router before.


After registering the device, it took a while for the dashboard to recognize it, but to be fair I have it reaching the internet through my pfSense firewall; it did eventually make a connection. One thing I will note is that it came with a network preconfigured on the device, probably supplied to our vendor when they sent it over at our request. For example, it arrived with an unconfigured 192.168.0.1/24 network serving DHCP, which overlaps a range I already have on my Meraki network.

After getting the device connected, the network setup is located under the Addressing & VLANs menu.

By default the device comes in routed mode with the Single LAN setting.


Configuring the MX64 for use with VLANs is pretty easy: change the LAN setting to VLANs, then add the VLANs using the "Add VLAN" button. It is very straightforward. I left the deployment settings the same but changed the Single LAN setting to VLANs and set up the following.

  1. Setup VLAN 1 with a subnet of 192.168.0.0/24 - MX IP 192.168.0.1 (DHCP Served By Meraki MX)
  2. Setup VLAN 2 with a subnet of 192.168.10.0/24 - MX IP 192.168.0.10 (No DHCP)
  3. Setup VLAN 3 with a subnet of 172.32.0.0/24 - MX IP 172.32.0.4 (No DHCP)

Two things worth checking in a plan like this before applying it: the MX IP on each VLAN has to fall inside that VLAN's subnet (192.168.0.10 does not for 192.168.10.0/24), and 172.32.0.0/24 lies just outside the RFC 1918 172.16.0.0/12 block, so it overlaps public address space; for a lab it works, but it should not be carried into production.

I then set up the ports:

- WAN port goes to my lab network 192.168.182.0/24; the MX has an IP of 192.168.182.50
- LAN 3 goes to my laptop with 2 VLANs attached. VLAN 2 is set up as the native VLAN, which has no DHCP server


When I plugged my laptop into port 3, whose native VLAN is VLAN 2 with no DHCP server, I got a 169.254.x.x (APIPA) address. When I changed the VLAN on my laptop's virtual switch to VLAN 1, where DHCP is served by the Meraki MX, the output of ipconfig on my laptop was the following:

PS C:\Users\Trevor Tye> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Lenovo-P52s
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : (Preferred)
   IPv4 Address. . . . . . . . . . . : (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 1006638429
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-4D-16-AA-48-2A-E3-1A-77-16
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Internal Network):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : (Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.38.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . :
   DHCPv6 Client DUID. . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (External Switch):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : (Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : July 7, 2021 1:24:49 PM
   Lease Expires . . . . . . . . . . : July 8, 2021 10:42:26 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . :
   DHCPv6 Client DUID. . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : optionkey.ca
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265
   Physical Address. . . . . . . . . : 18-1D-EA-2F-AE-59
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #5
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #6
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

PS C:\Users\Trevor Tye>


In my lab network I have a subnet of 192.168.1.0/24; under Static routes I set up a route to 192.168.1.0/24 via 192.168.10.1. For clarification, my laptop is plugged into port 3, which has a native VLAN of VLAN 2 with no DHCP services. Below is the appliance status page showing the connected ports.


I had set the virtual switch on my laptop to VLAN 1, demonstrating that VLANs work, because VLAN 1 is being served DHCP by the Meraki MX. The static route I set up seems to be working, as the ping test below shows, pinging both the gateway and my workstation on the 192.168.1.0/24 network from 192.168.0.20.

PS C:\Users\Trevor Tye> ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C

PS C:\Users\Trevor Tye> ping 192.168.1.250

Pinging 192.168.1.250 with 32 bytes of data:
Reply from 192.168.1.250: bytes=32 time<1ms TTL=64
Reply from 192.168.1.250: bytes=32 time<1ms TTL=64
Reply from 192.168.1.250: bytes=32 time<1ms TTL=64
Reply from 192.168.1.250: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
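The VLAN, static-route and port setup above has a few pitfalls that only show up as a 169.254.x.x address or a route that never works: an MX IP outside its own subnet, a non-RFC 1918 subnet, a next hop that is not on any connected VLAN (or is the MX itself), and a native VLAN with no DHCP. The script below is an added example, not part of the original post and not a Meraki API call; it runs those checks offline over a plan expressed as plain dictionaries, using only the standard-library `ipaddress` module. The `LAB_*` data is the lab configuration from this post, transcribed as constructed input.

```python
import ipaddress


def validate_vlan_plan(vlans, static_routes=(), ports=()):
    """Preflight checks for an MX VLAN / static-route / port plan.

    vlans:         [{"id", "subnet", "mx_ip", "dhcp"}]
    static_routes: [{"subnet", "next_hop"}]
    ports:         [{"port", "native_vlan"}]  (untagged frames on the port land in native_vlan)
    Returns a list of (severity, message); an empty list means the plan is clean.
    """
    findings = []
    nets = {}        # vlan id -> ip_network
    mx_ips = set()   # the MX's own interface addresses
    dhcp = {}        # vlan id -> does the MX serve DHCP there

    for v in vlans:
        vid = v["id"]
        net = ipaddress.ip_network(v["subnet"], strict=False)
        mx_ip = ipaddress.ip_address(v["mx_ip"])
        if mx_ip not in net:
            findings.append(("error", f"VLAN {vid}: MX IP {mx_ip} is not inside {net}"))
        if not net.is_private:
            findings.append(("warning", f"VLAN {vid}: {net} is outside RFC 1918 private space"))
        for other_id, other in nets.items():
            if net.overlaps(other):
                findings.append(("error", f"VLAN {vid}: {net} overlaps VLAN {other_id} ({other})"))
        nets[vid] = net
        mx_ips.add(mx_ip)
        dhcp[vid] = bool(v.get("dhcp"))

    for r in static_routes:
        dst = ipaddress.ip_network(r["subnet"], strict=False)
        nh = ipaddress.ip_address(r["next_hop"])
        if nh in mx_ips:
            findings.append(("error", f"route {dst}: next hop {nh} is the MX itself"))
        elif not any(nh in n for n in nets.values()):
            findings.append(("error", f"route {dst}: next hop {nh} is not on any configured VLAN"))
        for vid, n in nets.items():
            if dst.overlaps(n):
                findings.append(("warning", f"route {dst} overlaps directly connected VLAN {vid} ({n})"))

    for p in ports:
        vid = p["native_vlan"]
        if vid not in nets:
            findings.append(("error", f"port {p['port']}: native VLAN {vid} is not defined"))
        elif not dhcp[vid]:
            findings.append(("warning", f"port {p['port']}: native VLAN {vid} has no DHCP; "
                                        "untagged clients will self-assign 169.254.0.0/16 addresses"))
    return findings


# The lab plan from the post above, transcribed as constructed input data.
LAB_VLANS = [
    {"id": 1, "subnet": "192.168.0.0/24",  "mx_ip": "192.168.0.1",  "dhcp": True},
    {"id": 2, "subnet": "192.168.10.0/24", "mx_ip": "192.168.0.10", "dhcp": False},
    {"id": 3, "subnet": "172.32.0.0/24",   "mx_ip": "172.32.0.4",   "dhcp": False},
]
LAB_ROUTES = [{"subnet": "192.168.1.0/24", "next_hop": "192.168.10.1"}]
LAB_PORTS = [{"port": 3, "native_vlan": 2}]

if __name__ == "__main__":
    for severity, msg in validate_vlan_plan(LAB_VLANS, LAB_ROUTES, LAB_PORTS):
        print(f"{severity:8s} {msg}")
```

On the lab plan it reports three things: the VLAN 2 MX IP outside 192.168.10.0/24, the non-private 172.32.0.0/24 subnet, and port 3's native VLAN having no DHCP (the 169.254 address seen earlier). If you "fix" VLAN 2 by giving the MX 192.168.10.1, the route check then flags that the static route's next hop is the MX's own address, which is the other way that route can silently do nothing.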


The DHCP tab is nice as it shows the number of IPs used, and the Uplink tab also gives some nice-to-know information.



There are a lot of features I would like to play with, such as setting up the firewall rules and VPN, but it looks like I would need multiple MX appliances to do so; they look easy to set up.
Firewall:
VPN (Site 2 Site)



VPN Client


The Meraki MX comes with the typical router features such as URL allow/deny listing, content filtering, and traffic shaping (with some nice defaults), but also has some nice integrations: quick access to the Wi-Fi splash page, VPN, threat detection (including Cisco Umbrella, formerly known as OpenDNS), and intrusion detection. In my opinion this would be great to have if you're a smaller business or a franchise with lots of locations, a service management company, or an organization looking to reduce the load on its IT staff, or whose staff are not technically inclined and have limited experience with routing, setting up VPN servers, or firewalls. In my lab this was very easy to set up and get working. I find there is more power with pfSense, but this would be a fantastic solution if you're going all in. That is the thing, though: you have to go all in on Meraki. Depending on your budget and what your organization wants to do, it can be quite an asset.

