
Creating and Applying Group Policies

Group policies define a list of rules, restrictions, and other settings that can be applied to devices to change how they are treated by the network. Group policies can be used on wireless and security appliance networks, and can be applied through several manual and automated methods. This article describes the options available, how to create policies, and how those policies are applied to clients.

Creating Group Policies

Available Options

The following table describes what rules, restrictions, and other settings can be controlled via group policy on each platform. Only features that are available for the network will be displayed when configuring a group policy.

 

  MR Access Points MX or Z1 with Enterprise License MX with Advanced Security License
Scheduling
Per-client bandwidth limit
Hostname visibility
VLAN tag    
Splash page authorization    
Layer 3 firewall rules
Layer 7 firewall rules
Traffic shaping rules
Security filtering    
Content filtering    

Note: If using a group policy with Content Filtering, please reference our documentation regarding Content Filtering rule priority to understand how certain filtering rules supersede each other.

Creating a Group Policy

  1. Navigate to Network-wide > Configure > Group policies
  2. Click Add a group to create a new policy.
  3. Provide a Name for the group policy. Generally, this will describe its purpose, or the users it will be applied to.
    Ex. "Guests", "Throttled users", "Executives", etc.
  4. Modify the available options as desired. Unless changed, all options will use the existing network settings.
  5. When done, click Save Changes.

The new group policy will now be displayed on the Group policies page and be available for use. Remember that a group policy has no effect until it is applied.

Example Group Policies

The following examples outline two common use cases, and how group policies can be used to provide a custom network experience:

Guests on a Security Appliance

The following example is meant to demonstrate how a group policy could be configured on a Security Appliance network to limit the access and speed of guest clients. This policy would accomplish the following:

  • Limit client bandwidth to 2Mbps up/down.
  • Deny access to the internal network (which uses the 10.0.0.0/8 address space).
  • Block all peer-to-peer sharing applications.
  • All other settings would be inherited from network defaults (such as security and content filtering settings).
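The three goals of this guest policy can be checked mechanically once the policy is written down as data. The following is an added example, not Meraki code or a Meraki export format: the dictionary schema (`bandwidth_kbps`, `l3_rules`, `l7_deny_categories`) and the `p2p` label are hypothetical, and it assumes layer 3 rules are evaluated top-down with the first match winning. It reports any part of 10.0.0.0/8 that an earlier allow rule exposes or that no deny rule covers.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # internal space named in the article
MAX_KBPS = 2000                                # 2 Mbps up/down

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def internal_gaps(l3_rules):
    """Return (cidr, reason) for parts of INTERNAL that are allowed or undecided.
    Assumption: rules are evaluated top-down and the first match wins."""
    undecided, gaps = [INTERNAL], []
    for rule in l3_rules:
        cut, remaining = _net(rule["dest"]), []
        for net in undecided:
            if not net.overlaps(cut):
                remaining.append(net)
                continue
            # CIDR blocks either nest or are disjoint, so the overlap is the smaller one.
            hit = net if net.subnet_of(cut) else cut
            if rule["policy"] == "allow":
                gaps.append((str(hit), "allowed"))
            if hit != net:
                remaining.extend(net.address_exclude(hit))
        undecided = remaining
    gaps += [(str(n), "falls through to network default") for n in undecided]
    return gaps

def audit_guest_policy(policy):
    """Compare a policy (hypothetical schema) against the guest goals listed above."""
    findings = []
    bw = policy.get("bandwidth_kbps") or {}
    if not all(0 < bw.get(d, 0) <= MAX_KBPS for d in ("up", "down")):
        findings.append("bandwidth: not limited to 2 Mbps up/down")
    for cidr, why in internal_gaps(policy.get("l3_rules", [])):
        findings.append(f"l3: {cidr} {why}")
    if "p2p" not in policy.get("l7_deny_categories", []):
        findings.append("l7: peer-to-peer category not blocked")
    return findings

# Constructed sample policies (not taken from a real network).
GOOD = {"bandwidth_kbps": {"up": 2000, "down": 2000},
        "l3_rules": [{"policy": "deny", "dest": "10.0.0.0/8"}],
        "l7_deny_categories": ["p2p"]}
WEAK = {"bandwidth_kbps": {"up": 2000, "down": 5000},
        "l3_rules": [{"policy": "allow", "dest": "10.128.0.0/9"},  # shadows the deny
                     {"policy": "deny", "dest": "10.0.0.0/8"}],
        "l7_deny_categories": []}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_guest_policy(pol) or "meets all three goals")
```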


Executive Users on Wireless

This example demonstrates how a group policy could be used on a wireless network to provide executive users with more freedom and special treatment over other users. This policy would accomplish the following: 

  • Remove any bandwidth restrictions.
  • Disable hostname visibility.
  • Remove any layer 3/7 firewall rules.
  • Provide QoS tagging for Voice and Video conferencing traffic.
  • Remove the splash page requirement.
  • All other settings would be inherited from network defaults.


Applying Group Policies

Group policies can be applied to client devices in a variety of ways, depending on the platform being used. The table below illustrates what options are available for each platform. The rest of this section explains how to use each method.

 

Note: Only one policy can be active on a client at a time.

  MR Access Points MX or Z1 with Enterprise License MX with Advanced Security License
By client
By device type    
By VLAN  
By Sentry Policy
By Active Directory Group    
By RADIUS Attribute    

By Client

Group policies can be manually applied to clients from the Network-wide > Monitor > Clients page.

  1. Check the box next to the desired client(s) in the list.
  2. Click the Policy button at the top of the list.
  3. Select Group policy and then choose the specific policy in the dropdown.
  4. Click Apply policy.

 

Alternatively, on wireless and combined networks, different group policies can be applied depending on the SSID the client is associated with. This is applied from the same page as the previous steps.

  1. Check the box next to the desired client(s) in the list.
  2. Click the Policy button at the top of the list.
  3. Select Different policies by [connection or] SSID.
  4. For each SSID, select the desired group policy, built-in policy, or leave as Normal.
  5. Click Apply policy.

 

Policies can also be applied to individual clients by clicking on the client in the clients list, and then choosing a Device policy under the Policy section.

By Device Type

In wireless networks, group policies can be automatically applied to devices by type when they first connect to an SSID and make an HTTP request. 

  1. Navigate to Wireless > Configure > Access control.
  2. Select the desired SSID.
  3. Set Assign group policies by device type to 'Enabled'.
  4. Click Add group policy for a device type.
  5. Select the desired Device type and the Group policy that should be applied to it. 
  6. Repeat steps 4-5 as needed to assign policies to all desired devices.
  7. Click Save changes.

 

Keep in mind that this assignment only occurs when a device first connects to the SSID, and it persists until it is manually overridden. Thus, some previously connected clients may need to have policies manually assigned. It is also possible for a client to be misclassified based on the initial HTTP request, depending on how the device generates it. If this occurs, manually assign the desired policy.


For more info on applying group policies by device type, please refer to our documentation.

By VLAN

On security appliance networks, group policies can be automatically applied to all devices that connect to a particular VLAN. From the Security appliance > Configure > Addressing & VLANs page:

  1. Ensure that VLANs is 'Enabled'.
  2. Click on the desired Local VLAN.
  3. Select the desired Group policy.
  4. Click Update.
  5. Click Save Changes.

 

Any clients that are placed in this VLAN will now be given the desired Group policy.

By Active Directory Group

Security appliance networks with Advanced Security licensing can use Active Directory groups to assign policies to clients. Refer to the article on Configuring AD-based Group Policy for more information.

By RADIUS Attribute

Wireless networks that are using RADIUS to authenticate clients can be configured to assign group policies via RADIUS attributes. Refer to the article on Configuring Group Policies with RADIUS Attributes for more information.

Scheduling

Group policies can be scheduled using the Schedule option. This allows the policy to be active only during the times specified. In the example below, a policy has been scheduled to only be active from 8am-5pm on weekdays:


When enabled, elements of the policy that are subject to scheduling will be indicated with a small clock icon, as shown below. Options without this icon will always be in effect, regardless of time.

Article ID

ID: 2294