Active Directory Group Policy Content Filter with old IP Address

Todd_Z
Here to help


Hi everyone. I ran across this some time ago and I'm wondering if anyone else has seen this.


We currently use Active Directory integrated with our MX for Content Filtering, it works great. Here is my issue:

-User Jon Doe with DHCP Address 10.1.1.100 connects to the Internet. The MX applies the appropriate Content Policy to the AD user Jon Doe. Now let's say Jon Doe is gone for two weeks and his DHCP address is released and 10.1.1.100 is available. A new device that is not part of AD takes this address and connects to the Internet. What will happen is the MX will simply say it's 'Jon Doe' and give that non-AD user his access. I've tested this over and over and it definitely works this way. I would LOVE a clear/release button in the MX console for this, but there isn't one. The only way I can get it to work is to literally power down the MX to clear the AD cache. Now, to be clear, in this exact same scenario if someone takes 10.1.1.100 and is just a different AD user it works great; the MX acknowledges it's a different user and applies the appropriate policy. It's when the MX doesn't recognize a change that it keeps it the same. Again, it would be great to clear that.


Thanks!

arekdreyer
Here to help

Is there anything in this documentation that helps: Active Directory Integration documentation?

I'd definitely open a ticket. I hope this isn't normal behavior as that would be a security flaw.

Nick
Head in the Cloud

I would be concerned about that if it is the case. Just hopping onto an IP of a VIP or engineer could get you access to places you shouldn't be. File a case.
PhilipDAth
Kind of a big deal

You are correct - that is definitely the way it works.


The (IP,User) table is updated based on the security event log.  A non-AD user does authenticate to AD, so doesn't generate a security event log entry to update the (IP,User) mapping.
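The stale-mapping scenario from the original post and the event-driven (IP,User) table described in the reply above, modelled as an added example. This is not Meraki code and makes no claim about how the MX is implemented: it is a simplified table that is only ever updated by AD logon events, with an optional time-to-live so that an entry no fresh event has refreshed expires instead of being reused, plus a report of entries a defender would want to review. The IP, usernames and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    user: str
    last_seen: datetime  # time of the AD logon event that created/refreshed this entry


class IpUserTable:
    """Toy model of an (IP, user) table fed only by AD security log logon events.

    ttl=None reproduces the behaviour described in the thread: an entry lives
    until another logon event for the same IP overwrites it. A device that never
    authenticates to AD produces no event, so it inherits the previous user.
    With a ttl, an entry that no logon event has refreshed within that window is
    treated as unknown instead of being reused.
    """

    def __init__(self, ttl: Optional[timedelta] = None):
        self.ttl = ttl
        self.table: Dict[str, Mapping] = {}

    def on_logon_event(self, ip: str, user: str, when: datetime) -> None:
        # A successful AD logon from `ip` overwrites whatever was mapped before.
        self.table[ip] = Mapping(user, when)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        m = self.table.get(ip)
        if m is None:
            return None
        if self.ttl is not None and now - m.last_seen > self.ttl:
            # Expired: fall back to "no identified user" rather than a stale identity.
            del self.table[ip]
            return None
        return m.user

    def stale_entries(self, now: datetime, max_age: timedelta) -> List[Tuple[str, str, timedelta]]:
        """Entries older than max_age, for review when no TTL is enforced."""
        return [
            (ip, m.user, now - m.last_seen)
            for ip, m in self.table.items()
            if now - m.last_seen > max_age
        ]


def run_scenario() -> Dict[str, Optional[str]]:
    """Replays the thread's scenario against both table variants (constructed data)."""
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed: jdoe logs on
    two_weeks_later = t0 + timedelta(days=14)  # constructed: jdoe's lease has been released

    no_ttl = IpUserTable()
    with_ttl = IpUserTable(ttl=timedelta(hours=10))
    for table in (no_ttl, with_ttl):
        table.on_logon_event("10.1.1.100", "jdoe", t0)

    results: Dict[str, Optional[str]] = {}
    # A non-AD device now holds 10.1.1.100 and generates no logon event.
    results["no_ttl_non_ad_device"] = no_ttl.lookup("10.1.1.100", two_weeks_later)
    results["with_ttl_non_ad_device"] = with_ttl.lookup("10.1.1.100", two_weeks_later)

    # A different AD user takes the same IP: the logon event updates both tables.
    no_ttl.on_logon_event("10.1.1.100", "asmith", two_weeks_later)
    results["no_ttl_after_new_ad_user"] = no_ttl.lookup("10.1.1.100", two_weeks_later)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
    # Review report on the stale table (constructed data, no TTL enforced)
    t = IpUserTable()
    t.on_logon_event("10.1.1.100", "jdoe", datetime(2024, 1, 1, 9, 0))
    for ip, user, age in t.stale_entries(datetime(2024, 1, 15, 9, 0), timedelta(hours=10)):
        print(f"stale mapping {ip} -> {user}, age {age}")
```

The first lookup returns `jdoe` for the non-AD device, which is the behaviour the thread describes; the TTL variant returns `None` for the same lookup, so a policy engine built on it would fall back to a default policy rather than the absent user's. The `stale_entries` report is the defender-side check: in the absence of a clear/release button, listing mappings whose last logon event is older than a plausible working session is the quickest way to spot an IP that may have changed hands.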

Todd_Z
Here to help

Thanks everyone for the responses! I've spoken with Meraki several times on this. Again, it would be so nice if you could clear an entry for these kinds of situations.
