Group Policy not applying because of impersonation account

IanMartin
Here to help

Hi Everyone,

I've set up a Meraki group policy to restrict internet access. I've applied this to an Active Directory group and I've added a user 'TEST' to this AD group.

I log on as user TEST and the internet is restricted as I expected, great....

However, approx 10 mins later the internet is no longer restricted. Looking into the client logs in the Meraki admin console, I can see another entry, 'Domain authentication', for a different user, and it's a domain account just for our Sophos antivirus to update the clients from our in-house Sophos server. This appears approx every 10 mins, which is how often our Sophos clients check for updates.

At no point have I logged off the user test; the PC is still at the desktop with an internet browser open.

Does anyone have any ideas on how to stop this from happening?

Thanks

Ian

PhilipDAth
Kind of a big deal

If something else is doing an AD authentication from the same machine then that is going to take precedence in Meraki's view.  Meraki can only see that an AD account has logged in.  It doesn't know if this was a "user" account by a real user, or some software using an account.  It looks the same in AD.

I don't think you are going to be able to resolve this.

You would need to change to using 802.1x authentication (which would need to have Meraki MS and/or MR), or more painful splash page authentication using RADIUS (where you can assign the Filter-Id attribute).

Many thanks for that reply,

I understand and agree; as things are I don't see a way round this.

Just a quick update.

It may not suit everyone, but to sort this issue I created a local user on the Sophos server and changed the AV update policy to use this account to update the clients.

So instead of the clients using an AD account, they authenticate directly against the Sophos server with a local account. As there is no additional AD authentication, the Meraki internet restrictions policy remains in force and the Sophos application still updates fine.

Thanks

Ian
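
The behaviour discussed in this thread, as an added example that is not part of the original posts: assuming, as the reply above states, that the most recent AD logon seen from a client decides which user (and so which group policy) applies to it, this Python script replays a constructed logon list to find the account that displaces logged-on users and to confirm the mapping holds once that account stops authenticating to AD. The event tuples, IP addresses and the account name `svc-sophos` are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful domain logons: (time, client IP, AD account).
# Addresses and the account name "svc-sophos" are made up for this example.
EVENTS = [
    ("09:00:05", "10.0.0.21", "TEST"),
    ("09:02:40", "10.0.0.22", "alice"),
    ("09:10:02", "10.0.0.21", "svc-sophos"),
    ("09:12:11", "10.0.0.22", "svc-sophos"),
    ("09:20:03", "10.0.0.21", "svc-sophos"),
    ("09:25:30", "10.0.0.22", "alice"),
    ("09:32:12", "10.0.0.22", "svc-sophos"),
]

def _ordered(events):
    return sorted(events, key=lambda e: datetime.strptime(e[0], "%H:%M:%S"))

def effective_user(events):
    """Replay logons in time order; the latest account seen per IP wins."""
    current = {}
    for _, ip, account in _ordered(events):
        current[ip] = account
    return current

def displacements(events):
    """Return (time, ip, old, new) each time an IP's mapped account changes."""
    current, changes = {}, []
    for when, ip, account in _ordered(events):
        old = current.get(ip)
        if old is not None and old.lower() != account.lower():
            changes.append((when, ip, old, account))
        current[ip] = account
    return changes

def shared_displacers(events, min_ips=2):
    """Accounts that replaced a different user on at least min_ips clients."""
    ips = defaultdict(set)
    for _, ip, _, new in displacements(events):
        ips[new].add(ip)
    return {acct: sorted(s) for acct, s in ips.items() if len(s) >= min_ips}

def without_account(events, account):
    """Events left once the given account no longer authenticates to AD."""
    return [e for e in events if e[2].lower() != account.lower()]

if __name__ == "__main__":
    print("mapping now:", effective_user(EVENTS))
    print("accounts displacing users:", shared_displacers(EVENTS))
    print("mapping after fix:", effective_user(without_account(EVENTS, "svc-sophos")))
```

An account that shows up as a displacer on many clients at a regular interval is the kind of software logon to move off AD authentication, as was done here with the local Sophos account.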

 
