Active Directory Group Policy Content Filter with old IP Address

Here to help


Hi everyone. I've run across this some time ago and wondering if anyone else has seen this. 


We currently use Active Directory integrated with our MX for Content Filtering, it works great. Here is my issue:

-User Jon Doe with a DHCP address connects to the Internet. The MX applies the appropriate Content Policy to the AD user Jon Doe. Now let's say Jon Doe is gone for two weeks and his DHCP address is released and is available. A new device that is not part of AD takes this address and connects to the Internet. What will happen is the MX will simply say it's 'Jon Doe' and give that non-AD user his access. I've tested this over and over and it definitely works this way. I would LOVE a clear/release button in the MX console for this, but there isn't one. The only way I can get it to work is to literally power down the MX to clear the AD cache. Now, to be clear, in this exact same scenario, if someone takes the address and is just a different AD user, it works great: the MX acknowledges it's a different user and applies the appropriate policy. It's when the MX doesn't recognize a change that it keeps it the same; again, it would be great to clear that.



Here to help

Is there anything in this documentation that helps: Active Directory Integration documentation?

I'd definitely open a ticket. I hope this isn't normal behavior as that would be a security flaw.

Head in the Cloud

I would be concerned about that if it is the case. Just hopping onto an IP of a VIP or engineer could get you access to places you shouldn't be. File a case.
Kind of a big deal

You are correct - that is definitely the way it works.


The (IP,User) table is updated based on the security event log. A non-AD user does not authenticate to AD, so doesn't generate a security event log entry to update the (IP,User) mapping.
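To make the stale-mapping behaviour described in this thread concrete, here is an added example (not Meraki's code, and not a description of the MX implementation) that models an (IP,User) table fed only by AD logon events, exactly as the post above describes. It shows why a device that never authenticates to AD inherits the previous user's policy, and two defender-side mitigations an identity-aware firewall can apply: expiring mappings after a maximum age, and dropping a mapping when the DHCP server releases the lease. The event timestamps, IP addresses, user names and the `max_age` values are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600.0
DAY = 24 * HOUR


@dataclass
class Mapping:
    user: str
    last_seen: float  # timestamp of the last AD logon event for this IP


class IpUserTable:
    """Identity map driven by AD security-log logon events (model, not MX code).

    max_age=None reproduces the behaviour described in the thread: an entry
    never expires, so it survives until the box is rebooted.
    """

    def __init__(self, max_age: Optional[float] = None):
        self.max_age = max_age
        self.table: Dict[str, Mapping] = {}

    def on_logon_event(self, ip: str, user: str, ts: float) -> None:
        # A successful AD logon (e.g. Windows security event 4624) is the only
        # thing that writes to the table; a non-AD device never produces one.
        self.table[ip] = Mapping(user, ts)

    def on_dhcp_release(self, ip: str) -> None:
        # Mitigation 2: a DHCP lease release/expiry means whoever had this IP
        # is gone, so the identity binding should go with it.
        self.table.pop(ip, None)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        # Mitigation 1: treat a mapping older than max_age as unknown, so the
        # default (least-privilege) policy applies instead of the stale user's.
        m = self.table.get(ip)
        if m is None:
            return None
        if self.max_age is not None and now - m.last_seen > self.max_age:
            del self.table[ip]
            return None
        return m.user


def scenario(max_age: Optional[float], dhcp_release_seen: bool) -> Optional[str]:
    """Replay the thread's scenario and return which user the unknown
    device at 10.0.0.5 is treated as after two weeks."""
    t = IpUserTable(max_age=max_age)
    t.on_logon_event("10.0.0.5", "jdoe", ts=0.0)       # Jon Doe logs on
    if dhcp_release_seen:
        t.on_dhcp_release("10.0.0.5")                   # lease released while he is away
    # Two weeks later a non-AD device takes 10.0.0.5 and sends traffic;
    # it generates no logon event, so only the lookup policy decides.
    return t.lookup("10.0.0.5", now=14 * DAY)


if __name__ == "__main__":
    print("no expiry, no DHCP hook :", scenario(None, False))   # jdoe (stale)
    print("8h max age            :", scenario(8 * HOUR, False))  # None
    print("DHCP release hook     :", scenario(None, True))       # None
```

The first case is the behaviour reported in the thread: with no expiry and no DHCP signal, the non-AD device is classified as `jdoe`. Either mitigation makes the lookup fall back to the unauthenticated default policy, which is the safer failure mode when the firewall cannot tell who is behind an address.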

Here to help

Thanks everyone for the responses! I've spoken with Meraki several times on this. Again, it would be so nice if you could clear an entry for these kinds of situations.
