Meraki

Community

Content filtering rules based on AD groups? org wide?

Solved
KrisOlaf
New here
‎Feb 20 2024 9:00 AM
‎Feb 20 2024 9:00 AM

Content filtering rules based on AD groups? org wide?

So we have many sites and people work at multiple locations, but all the same domain. I'd like to apply a global content filtering policy and put people into AD groups and assign policies: 


GeneralAccessGroup - has most things blocked in 'Threat categories' and 'Content categories' and would be the default access policy unless they are in one of the other groups.


SocialMediaGroup - allowed to access social media and job sites. HR, Marketing, VIPs.  All'Threat categories' blocked


AllAccessGroup - only blocks 'Threat categories'

 

Is this possible? 

0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 20 2024 9:05 AM
‎Feb 20 2024 9:05 AM

Yes, but it is necessary to configure each MX to authenticate with AD.

 

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 20 2024 9:05 AM
‎Feb 20 2024 9:05 AM

Yes, but it is necessary to configure each MX to authenticate with AD.

 

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Aamir
Here to help
‎Apr 16 2024 5:37 PM
‎Apr 16 2024 5:37 PM

hi, How to achieve the same if customer has Azure AD?

0 Kudos
In response to Aamir
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 6:12 PM
‎Apr 16 2024 6:12 PM

If they only have Azure AD you can't.

0 Kudos
In response to PhilipDAth
Aamir
Here to help
‎Apr 16 2024 7:06 PM
‎Apr 16 2024 7:06 PM

So what's the purpose of Azure AD integration with MX via SAML? is that just for Anyconnect? Does it mean for AnyConnect users that get authenticated via Azure AD i can do webfitering (based on group policy) but not for internal clients?

0 Kudos
In response to Aamir
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 7:24 PM
‎Apr 16 2024 7:24 PM

I can think of two SAML integrations.

The first is for AnyConnect, as you have noted.  It lets users login in with Azure AD credentials.  Their is a beta that lets you apply a group policy for VPN users.  Applying group policies via AzureAD and SAML is very painful.  You really want to be using another SAML provider like Cisco Duo to keep life simple.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...

The second is for logging into the Meraki Dashboard.
https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_S...

 

0 Kudos
In response to PhilipDAth
jimmyt234
Building a reputation
‎Apr 17 2024 12:33 AM
‎Apr 17 2024 12:33 AM

@PhilipDAth wrote:

Their is a beta that lets you apply a group policy for VPN users.

Is there documentation / more information about this Beta feature? 

0 Kudos
In response to jimmyt234
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2024 1:04 AM
‎Apr 17 2024 1:04 AM

Not that I am aware of.  You can send an email to meraki-anyconnect-beta@cisco.com and request to go on the AnyConnclect SAML group policy beta.

 

But you need to have a good understanding on SAML to be able to configure this - and EntraID makes it particularly difficult. 

In response to PhilipDAth
jimmyt234
Building a reputation
‎Apr 17 2024 1:41 AM
‎Apr 17 2024 1:41 AM

I will email them - thanks 😊

0 Kudos
In response to alemabrahao
Aamir
Here to help
‎Apr 21 2024 6:14 PM
‎Apr 21 2024 6:14 PM

Hi,

 

Just to re-confirm if i have local AD then i make sure each MX authenticate with AD. all the VLAN default gateway is MX. So for eg. i have a user John, from HR, he logs on to his windows machine using AD credentials, and MX will be able to block youtube.come for John, similarly Andrew from HR gets facebook.com blocked even though both users are coming from HR Vlan but belong to different AD groups in AD? 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 20 2024 10:09 AM
‎Feb 20 2024 10:09 AM

Also note that the MX must be the default gateway for the users for this to work.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.