Policy changes are only applied when a session is being established.  They don't get applied during an existing session.

 

I don't think there is any way to clear an AD authenticated person.

---

I guess I am not going with Meraki for gateways then, We rely on AD and not being able to terminate a users session is nuts, every other vendor I've worked with over the years can do this. 

@PhilipDAth by "session" I am assuming you mean the session between client and website i.e web session not the user session. If so restarting the client and waiting 5 mins should break this session however changes still don't work.

Thanks for your help

@BlakeRichardsonCan you confirm your using (active directory or my radius server)? We support both.

You can terminate a users session with CoA if your using radius, which is the standard on how all vendors do this using 802.1x/EAP-PEAP (Username/Password). The MX platform does support 802.1x/radius and CoA, however from what your describing your using the built in Windows Active Directory which taps into AD via WMI and reads the logs. This is a unidirectional communication, we can only read the logs when a user logs in and out, there is nothing in that standard that can send back de-authentication events. When you say other vendors support this are you sure your not referring to CoA? When you use LDAP or WMI there aren't any mechanisms from the AD/NPS/Authentication gateway that can be sent back to disassociate a client, thus flip a policy role on the fly.

@DCooper We currently use a Sonicwall Appliance with AD authentication, it has a status page which allows me to terminate the users login session. 

When I reviewed Palo Alto I'm pretty sure it had the same feature.