Hi everyone,
We have a Meraki MX64 and so far everything is working fine except a policy I'm trying to create. I've opened a support ticket and they've tried to help me, but I guess either I'm not explaining correctly, they don't understand me, or it can't be done. I'll explain my setup.
By default, we block the typical stuff: adult sites, gaming, proxy and spam sites and so on. We also have a default limit of streaming video to 1MB per client. Basically what I want to do is have an Active Directory policy that allows all content based on the domain groups a user belongs to. I have the domain controllers in the Meraki configuration and they get green check marks. I can see the LDAP groups. I created a policy called "Allow all" and applied it to the LDAP groups. However, the content is still being blocked, and streaming is still limited to 1MB. I've attached a screenshot of the "Allow all" policy I have. I imagine it's something simple I'm missing, but I simply can't figure a way around it.
I've been on the phone with Meraki technical support several times over the last week for at least 2 hours at a time. I've done everything they've wanted, from deleting and re-creating policies, to deleting and re-adding the domain controllers, factory resetting the Meraki, reloading the firmware, you name it. One thing that confuses me is under the group policy setting. I notice that under "Blocked Website categories", you can't choose "Ignore" like you can for the rest of the categories. You can only override or append. What if you don't want to block ANY? I tried using * and *.* in the whitelist URL pattern, but that doesn't work. I've changed the Block Defaults to every choice available as well.
Am I missing something here? Thank you in advance.
Eric
Is the MX the default gateway for the clients?
Make sure that on the AD controller, in the security log, you can see events for users logging on that include their IP address. If you don't see these then there is something wrong with the audit policy.
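The check the reply above asks for, as an added PowerShell example that is not part of this thread: run it in an elevated session on the domain controller. It assumes the standard Windows behaviour that successful logons are written to the Security log as event ID 4624 and are controlled by the "Logon" audit subcategory; the subcategory name passed to auditpol.exe is the English one, so adjust it if your DC is localised.

```powershell
# Added check (not from this thread): list recent successful logons (event ID 4624)
# on a domain controller and show whether each one carries a client IP address.
# Run in an elevated PowerShell session on the DC.

param(
    [int]$Hours = 1,        # how far back to look
    [int]$MaxEvents = 500   # cap on events read from the Security log
)

# 1. Confirm the audit policy that produces 4624 events is enabled.
#    Expect "Success" (or "Success and Failure") for the Logon subcategory.
auditpol.exe /get /subcategory:"Logon"

# 2. Pull recent 4624 events and extract the user, logon type and source IP fields.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']
        IpAddress = $d['IpAddress']
        # A usable IP is anything other than blank, "-" or the DC's own loopback.
        HasIp     = [bool]($d['IpAddress'] -and $d['IpAddress'] -notin @('-', '::1', '127.0.0.1'))
    }
}

# 3. Show only real user logons (skip machine accounts ending in $) that carry a usable IP.
$rows |
    Where-Object { $_.User -notmatch '\$$' -and $_.HasIp } |
    Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, IpAddress -AutoSize

# If this table is empty while users are clearly logging on, the audit policy
# (step 1) or the logon path itself is the problem to fix before looking at the MX.
```

If the table shows your own account with your workstation's IP but the MX still does not apply the group policy, the DC side is fine and the mapping problem lies between the MX and the DC rather than in the audit policy.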
Hi Phillip,
Thanks for the reply. The answer to your questions is yes. The Meraki is in gateway mode. The only thing between it and the clients are regular switches. I have the domain controllers set up to audit logins and failures via their local policy. I can see my login in the domain controller security log as well. This is what it shows (edited for security).
When I look under "Clients" on the Meraki and find my machine, it even shows I've authenticated against Active Directory:
Clients › ComputerName
Status: currently connected send WOL
User: CN=Correct, OU=Correct OU=Correct,DC=Correct,DC=com (Active Directory).
In the Meraki event log, I see my domain account repeatedly authenticated as well:
Sep 10 09:45:32
VGEPC033 Domain authentication user: Correct
Sep 10 09:44:37
VGEPC033 Domain authentication user: Correct
Sep 10 09:44:22
VGEPC033 Domain authentication user: Correct
Any thoughts?
So to clarify, you are plugging in via a wired connection. Your machine is in the same subnet as an MX interface, and that MX is your default gateway (so you are only using layer 2 switches)?
What firmware version are you using on your MX?
Hi Philip,
Thanks for the reply. That's correct. Simple switches, single subnet, Meraki MX64 is the gateway. It's running version 15.16 right now. I've tried it with the stable firmware, release candidate firmware, and now the beta firmware. No changes.
Eric