Meraki Group Policies for vLAN Assignment via NPS/RADIUS

(Cisco) Meraki’s product line is fantastic, and integrating its group policies for vLAN assignment based on a reply-message from a Network Policy Server is quite simple and effective. However, we came across an issue at a school where some clients remain on the default vLAN, where only the Access Points and some other wired network devices should reside. That vLAN falls outside our firewalling between the Student vLANs and the servers, so it’s a bit of an issue.


In the event log of the Meraki dashboard, you can search for a client that is straggling on the default vLAN and look at its 802.1X entries.

We were able to see the reply message, where the NPS was responding and telling the AP which Group Policy should apply to the client, and therefore which vLAN the client is assigned to.

RADIUS response
group: Students1, vlan: -1, vap: 1 
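
The check described above can be scripted. The following is an added example, not code from the original post or from Meraki: it parses the RADIUS response detail in the format shown above and lists clients that were given a group policy but still sit on the default vLAN. The sample rows, the default vLAN ID and the "current vLAN" column (taken, by assumption, from a client list you supply) are constructed for illustration.

```python
import re

# Detail format copied from the event log entry quoted in the post.
RESPONSE_RE = re.compile(
    r"group:\s*(?P<group>[^,]*?)\s*,\s*vlan:\s*(?P<vlan>-?\d+)\s*,\s*vap:\s*(?P<vap>\d+)"
)

DEFAULT_VLAN = 1  # assumption: ID of the default (AP/infrastructure) vLAN

# Constructed sample rows: (client MAC, RADIUS response detail, vLAN the client is on).
SAMPLE = [
    ("02:00:00:00:00:01", "group: Students1, vlan: -1, vap: 1", 20),
    ("02:00:00:00:00:02", "group: Students1, vlan: -1, vap: 1", 1),
    ("02:00:00:00:00:03", "group: , vlan: -1, vap: 1", 1),
    ("02:00:00:00:00:04", "unexpected text", 1),
]


def parse_radius_response(detail):
    """Return {'group', 'vlan', 'vap'} or None if the detail does not match."""
    m = RESPONSE_RE.search(detail)
    if m is None:
        return None
    # The post does not say what "vlan: -1" means, so it is parsed but not interpreted.
    return {"group": m["group"], "vlan": int(m["vlan"]), "vap": int(m["vap"])}


def find_stragglers(rows, default_vlan=DEFAULT_VLAN):
    """Clients whose RADIUS response named a group policy but that remain on the default vLAN."""
    hits = []
    for mac, detail, current_vlan in rows:
        parsed = parse_radius_response(detail)
        if parsed is None:
            continue  # not a RADIUS response entry
        if parsed["group"] and current_vlan == default_vlan:
            hits.append((mac, parsed["group"]))
    return hits


if __name__ == "__main__":
    for mac, group in find_stragglers(SAMPLE):
        print(f"{mac}: RADIUS returned group '{group}' but client is on the default vLAN")
```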

Turns out… It’s a bug. Cisco Meraki techs are aware of the issue, and will update us shortly. When they do, I’ll update this post and let you know how to resolve it. OK, there’s one headache gone for the day.