Client , Doamin user and Group Policy

AlphacomItalia
Here to help


Hi, 

I have had this problem for a long time:

We work with terminal servers. To apply the navigation policies I have activated virtual IPs on the various terminal servers, so each domain user has a specific IP in their terminal session.

Sometimes it happens that the MX assigns domain user names (with active navigation restrictions) to some devices such as smartphones or tablets, even though those devices connect directly without domain authentication.

I check domain controller connection and log and everything seems OK.


Has anyone had the same problem? How did you solve it?

6 Replies
PhilipDAth
Kind of a big deal

Are you sure you aren't using some form of authentication on your WiFi network like WPA2-Enterprise mode?


Otherwise, any chance those devices are getting IP addresses from the same pool as other devices which are authenticating? If so, it is assigning the last known username that was used by the IP address.

I badly explained myself.

On the terminal server I enabled the virtual IP and assigned a specific pool of addresses for the exclusive use of each terminal server. I have 5 terminal servers, each with a pool of 10 IPs.

Windows allows me to assign this "pool" to the terminal server, but I cannot assign a specific IP to a specific AD user. So it happens that today I log in with my user, the server assigns me a virtual IP (example 192.168.10.20) and I have navigation restrictions through Meraki group policies and my AD group (example: I cannot access Facebook). In the evening I disconnect, and the terminal server may restart for Windows updates. In the morning I go back to my terminal, I log in and my virtual IP has become 192.168.10.21, which yesterday belonged to my boss, and vice versa my boss has my IP of yesterday. Result: I have free navigation because for Meraki the last access from that IP was by my boss's user, and he has limited navigation for the same reason.

Assuming that I refuse to create a terminal server for each group policy, is there the possibility of setting a timeout (maybe 1-2 hours) after which Meraki double-checks the last access for that IP? Or is there another way to solve the problem? I bought Meraki mainly for this use (plus everything else) and now I am screwed.

PhilipDAth
Kind of a big deal

I assume you are using Active Directory group policy assignment. Make sure you have Active Directory correctly set up, and that the MX is configured to use all AD servers. Make sure that when you log into the RDP server a "Logon" audit record is being created in the Event Viewer in AD.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc... 

AlphacomItalia
Here to help

AD is configured correctly and the audit logs are correct. The problem is that for the same IP I could have 2/3 logs of different users throughout the day, but I don't know how often the MX updates its records.

I think it scans the security event log "minute by minute". So it should be right up to date.

This is very rare, as in I have only experienced it once, but I had one customer that seemed to have corruption in the security event log on their AD controller. We found that after clearing the log everything started working correctly. Perhaps you could try this in desperation on all your AD controllers.
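The "last logon wins" mapping described in the replies above, and the "2/3 different users on the same IP per day" symptom, can be audited directly from the security log before touching the MX. The following is an added example, not code from the thread or from Meraki; it uses constructed logon records shaped like Event ID 4624 fields (time, account, source IP) and reports which IPs were shared by more than one account inside a time window, which is exactly where an IP-keyed policy will be applied to the wrong user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log logon records
# (Event ID 4624 fields: TimeCreated, TargetUserName, IpAddress). Not real data.
LOGON_EVENTS = [
    ("2024-03-04 08:02", "mario", "192.168.10.20"),
    ("2024-03-04 08:05", "boss",  "192.168.10.21"),
    ("2024-03-04 18:00", "mario", "192.168.10.20"),
    ("2024-03-05 08:01", "boss",  "192.168.10.20"),  # virtual IP pool reshuffled after reboot
    ("2024-03-05 08:03", "mario", "192.168.10.21"),
    ("2024-03-05 09:00", "anna",  "192.168.10.50"),  # ordinary client, IP not reused
]


def _parse(events):
    """Return events as (datetime, user, ip), oldest first."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, ip)
                  for ts, user, ip in events)


def last_user_by_ip(events):
    """'Last logon wins': the IP -> user table an IP-keyed policy engine ends up with."""
    mapping = {}
    for _, user, ip in _parse(events):
        mapping[ip] = user
    return mapping


def ips_with_user_churn(events, window=timedelta(hours=24)):
    """IPs logged on by more than one account within `window`.

    Each such IP carries whichever user logged on last, so the other
    account's policy (or lack of it) is applied to the wrong session.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in _parse(events):
        by_ip[ip].append((ts, user))
    churn = {}
    for ip, seq in by_ip.items():
        for i, (ts, user) in enumerate(seq):
            others = {u for t, u in seq[i:] if t - ts <= window and u != user}
            if others:
                churn.setdefault(ip, set()).update(others | {user})
    return {ip: sorted(users) for ip, users in churn.items()}


if __name__ == "__main__":
    for ip, user in sorted(last_user_by_ip(LOGON_EVENTS).items()):
        print(f"{ip:15} -> {user}")
    for ip, users in sorted(ips_with_user_churn(LOGON_EVENTS).items()):
        print(f"WARNING {ip} shared by {', '.join(users)} within 24h")
```

Feeding it the real 4624 records (exported from the Security log of each domain controller) shows how many terminal-server and DHCP addresses actually change hands during a day, and therefore how much of the problem a reserved-IP or per-group pool design would remove.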

AlphacomItalia
Here to help

Another problem: I use DHCP for notebooks and smartphones. If an iPhone takes the address that the day before belonged to a notebook that had done AD authentication, the iPhone gets the navigation restrictions of the notebook user.
I know I can manage this with reserved IPs on DHCP,
but you will agree with me that this is a setup to be maintained continuously, with smartphones and notebooks that come and go, change and get replaced.
