Network Wide Configuration

Configuring Group Policy Settings

Overview: 

  • In Cisco Meraki, the Network-wide Group Policy settings allow you to configure specific policies for devices connected to the network. Group policies are a set of configurations that can be applied to specific users or devices within a network to control their access, behavior, and permissions
  • Group policies are commonly used in environments where there is a need to apply consistent settings to different groups of users or devices, such as limiting bandwidth for guests, controlling content access, or enforcing security measures

Group Policy Overview

  • Group Policies define a list of rules, restrictions, and other settings that can be applied to devices in order to change how they are treated by the network
  • Per Cisco, group policies can be used on wireless and security appliance networks and can be applied through several manual and automated methods 
  • As a best practice, Cisco Meraki recommends creating no more than 100 group policies per network
  • Only one policy can be active on a client at a time. Policies can be applied to client devices in a variety of ways
    • By Client
    • By Device Type
    • By VLAN
    • By Sentry Policy
    • By Active Directory Group
    • By RADIUS Attribute
    • By Identity PSK
  • Group Policy Available Options
    • Scheduling
    • Per-client Bandwidth Limit
    • Hostname Visibility
    • VLAN Tagging
    • Splash Page Authorization
    • Layer 3 Firewall Rules
    • Layer 7 Firewall Rules
    • Traffic Shaping Rules
    • Security Filtering
    • Content Filtering

Cisco Meraki - Group Policy Application Methods

Cisco Meraki - Group Policy Options

Meraki Group Policy - Example 1

  • This example demonstrates how a group policy could be used on a wireless network to provide corporate users with more freedom and special treatment over other users
  • Accomplished Tasks
    • Remove Bandwidth Restrictions
    • Disable Hostname Visibility
    • Remove Layer 3/7 Firewall Rules
    • Provide QoS Tagging for Voice & Video-conferencing Traffic
    • All other settings would be inherited from network defaults

Network-Wide Group Policy - Menu

Network-Wide Group Policy - Defining Corporate Policy

Applying Group Policies (By Client)

  • Group Policies can be manually applied to clients from the 'Network-wide >> Monitor >> Clients' page
  • Per Cisco, on wireless and combined networks, different group policies can be applied depending on the SSID the client is associated with. Admins can therefore set multiple group policies for a client based on the SSID it is connected to

Applying Group Policies by Client 

Applying Group Policies by Client - Option to set multiple policies based on SSIDs

Applying Group Policies by Client - Verification of Group Policy applied to Client 

Applying Group Policies (By Device Type)

  • In wireless networks, group policies can be automatically applied to devices by type when they first connect to an SSID and make an HTTP request
  • This deployment method can be configured by navigating to 'Wireless >> Configure >> Access Control'
  • Per Cisco, this deployment method only triggers when a device first connects to the SSID and persists until it is manually overridden. Thus, some previously connected clients may need to have policies manually assigned. It is also possible for a client to be misclassified based on the initial HTTP request, depending on how it is generated by the device. If this occurs, manually assign the desired policy

Applying Group Policies by Device Type

Applying Group Policies by Device Type - Available Device Types

Applying Group Policies by Device Type - Configuration

Applying Group Policies by Device Type - Verification

Applying Group Policies (By VLAN)

  • On security appliance networks, group policies can be automatically applied to all devices that connect to a particular VLAN
  • This deployment method can be configured by navigating to 'Security & SD-WAN >> Configure >> Addressing & VLANs' from the Meraki Dashboard
  • Per Cisco, when a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under 'Network-wide >> Monitor >> Clients'
  • For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the 'Security & SD-WAN >> Configure >> Firewall' page
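
The inheritance described above, worked through as an added example (a simplified Python model, not Cisco Meraki code and not part of the original notes). The setting names, firewall rules, and bandwidth values are constructed for illustration, and the `displayed_policy` helper is an assumption based on the "normal" behaviour noted above.

```python
from dataclasses import dataclass, field

USE_DEFAULT = None  # setting left at "use network default" in a policy

@dataclass
class GroupPolicy:
    name: str
    settings: dict = field(default_factory=dict)

def _overlay(result, policy, label):
    # Only settings the policy customizes override the layer beneath it.
    for key, value in policy.settings.items():
        if value is not USE_DEFAULT:
            result[key] = (value, f"{label} '{policy.name}'")

def effective_settings(network_defaults, vlan_policy=None, client_policy=None):
    """Return {setting: (value, source)} for one client."""
    result = {k: (v, "network-wide") for k, v in network_defaults.items()}
    if vlan_policy:      # becomes the new "network default" for the VLAN
        _overlay(result, vlan_policy, "VLAN policy")
    if client_policy:    # applied on top of the VLAN-level default
        _overlay(result, client_policy, "client policy")
    return result

def displayed_policy(client_policy=None):
    """Modelled Clients-page label: a VLAN-applied policy is not listed."""
    return client_policy.name if client_policy else "normal"

# Constructed sample values for illustration only.
NETWORK = {"l3_firewall": ["allow any"], "bandwidth_limit": "unlimited"}
GUEST = GroupPolicy("Guest Network",
                    {"l3_firewall": ["deny 10.0.0.0/8", "allow any"],
                     "bandwidth_limit": USE_DEFAULT})
LOW_BW = GroupPolicy("Low Bandwidth",
                     {"l3_firewall": USE_DEFAULT, "bandwidth_limit": "1 Mbps"})

if __name__ == "__main__":
    for label, client in (("no client policy", None), ("Low Bandwidth", LOW_BW)):
        print(f"guest VLAN client, {label}: shown as {displayed_policy(client)!r}")
        for key, (value, source) in effective_settings(NETWORK, GUEST, client).items():
            print(f"  {key}: {value}  <- {source}")
```

When auditing firewall coverage, the source column matters more than the displayed label: a guest-VLAN client shown as "normal" is still governed by the Guest Network layer 3 rules.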

Applying Group Policies by VLAN

Applying Group Policies by VLAN - Selecting Policy on VLAN Configuration

Applying Group Policies by VLAN - Defining a VLAN80 port on MS switch for Client

Applying Group Policies by VLAN - Verification

Scheduling Group Policies 

  • Meraki offers a scheduling feature for group policies, allowing a policy to be active (or inactive) only during the times specified
  • Per Cisco, when scheduling a policy applied to a VLAN, traffic on the LAN will briefly drop as the configuration is applied. This will occur at the start and end of the schedule. Meraki recommends taking this into consideration when scheduling a group policy

Scheduling Group Policies 
