Active Directory "Whitelist" Policy


Active Directory "Whitelist" Policy

Hi everyone,


     We have a Meraki MX64 and so far everything is working fine except a policy I'm trying to create. I've opened a ticket support and they've tried to help me, but I guess either I'm not explaining correctly, they don't understand me, or, it can't be done. I'll explain my setup.


     By default, we block the typical stuff: Adult sites, gaming, proxy and spam sites and so on. We also have a default limit of streaming video to 1MB per client. Basically what I want to do is have an active directory policy that allows all content based on the domain groups that a user. I have the domain controllers in the Meraki configuration and they get green check marks. I can see the LDAP groups. I created a policy called "Allow all" and applied it to the LDAP groups. However, the content is still being blocked, and streaming is still limited to 1mb. I've attached a screenshot of the "Allow all" policy I have. I imagine it's something simple I'm missing, but I simply can't figure a way around it.




     I've been on the phone with Meraki technical support several times over the last week for at least 2 hours at a time. I've done everything they've wanted from delete and re-create policies, to delete and re-add the domain controllers, factory reset the Meraki, reload the firmware, you name it. One thing that confuses me is under the group policy setting. I notice under "Blocked Website categories", you can't choose "Ignore" like you can the rest of the categories. You can only override or append. What if you don't want to block ANY? I tried using *, and *.* in the white list URL pattern but that doesn't. I've changed the Block Defaults to every choice available as well.


Am I missing something here? Thank you in advance.



Kind of a big deal

Is the MX the default gateway for the clients?

Make sure you the AD controller in the security log you can see events for users logging on that includes their IP address.  If you don't see these then there is something wrong with the audit policy.


Hi Phillip,


Thanks for the reply. The answer to your questions is Yes. The Meraki is in gateway mode. The only thing between it and the clients are regular switches. I have the domain controllers setup to audit logins and failures via their local policy. I can see my login in the domain controller security log as well. This is what it shows (edited for security).


An account was successfully logged on.
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0
Logon Type:   3
Impersonation Level:  Impersonation
New Logon:
 Security ID:  XXX\username
 Account Name:  Username
 Account Domain:  Domain
 Logon ID:  0x1615B078
 Logon GUID:  {987b0278-4d73-0cbb-d464-e3a8f6b5f794}
Process Information:
 Process ID:  0x0
 Process Name:  -
Network Information:
 Workstation Name: Correct
 Source Network Address: Correct IP address.
 Source Port:  50373


When I look under "Clients" on the Meraki and find my machine, it even shows I've authenticated against Active Directory:


Clients › ComputerName
Status: currently connected send WOL 
User: CN=Correct, OU=Correct OU=Correct,DC=Correct,DC=com (Active Directory).


In the Meraki event log, I see my domain account repeatedly authenticated as well:


Sep 10 09:45:32
VGEPC033 Domain authentication user: Correct
Sep 10 09:44:37
VGEPC033 Domain authentication user: Correct
Sep 10 09:44:22
VGEPC033 Domain authentication user: Correct


Any thoughts?

Kind of a big deal

So to clarify, you are plugging in via a wired connection.  Your machine is in the same subnet as an MX interface, and that MX is your default gateway (so you are only using layer 2 switches)?


What firmware version are you using on your MX?


Hi Philip,


Thanks for the reply. That's correct. Simple switches, single subnet, Meraki MX64 is the gateway. It's running version 15.16 right now. I've tried it with the stable firmware, release candidate firmware, and now the beta firmware. No changes.


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.