Content filtering rules based on AD groups? org wide?

Solved
KrisOlaf
New here

So we have many sites and people work at multiple locations, but all the same domain. I'd like to apply a global content filtering policy and put people into AD groups and assign policies: 


GeneralAccessGroup - has most things blocked in 'Threat categories' and 'Content categories' and would be the default access policy unless they are in one of the other groups.


SocialMediaGroup - allowed to access social media and job sites. HR, Marketing, VIPs. All 'Threat categories' blocked


AllAccessGroup - only blocks 'Threat categories'


Is this possible? 

1 Accepted Solution
alemabrahao
Kind of a big deal

Yes, but it is necessary to configure each MX to authenticate with AD.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

10 Replies
Hi, how to achieve the same if the customer has Azure AD?

PhilipDAth
Kind of a big deal

If they only have Azure AD you can't.

So what's the purpose of Azure AD integration with MX via SAML? Is that just for AnyConnect? Does it mean for AnyConnect users that get authenticated via Azure AD I can do web filtering (based on group policy) but not for internal clients?

PhilipDAth
Kind of a big deal

I can think of two SAML integrations.

The first is for AnyConnect, as you have noted. It lets users log in with Azure AD credentials. There is a beta that lets you apply a group policy for VPN users. Applying group policies via Azure AD and SAML is very painful. You really want to be using another SAML provider like Cisco Duo to keep life simple.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...

The second is for logging into the Meraki Dashboard.
https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_S...

@PhilipDAth wrote:

There is a beta that lets you apply a group policy for VPN users.


Is there documentation / more information about this Beta feature? 

Not that I am aware of. You can send an email to meraki-anyconnect-beta@cisco.com and request to go on the AnyConnect SAML group policy beta.

But you need to have a good understanding of SAML to be able to configure this - and Entra ID makes it particularly difficult.

I will email them - thanks 😊

Hi,

Just to re-confirm: if I have local AD, then I make sure each MX authenticates with AD. All the VLAN default gateways are the MX. So, e.g., I have a user John from HR; he logs on to his Windows machine using AD credentials, and the MX will be able to block youtube.com for John, and similarly Andrew from HR gets facebook.com blocked, even though both users are coming from the HR VLAN but belong to different AD groups in AD?

PhilipDAth
Kind of a big deal

Also note that the MX must be the default gateway for the users for this to work.
