Killing a user session

BlakeRichardson
Kind of a big deal
Kind of a big deal

Killing a user session

I am playing around with a MX unit as a potential replacement for a Sonicwall 9200. AD authentication is currently used and I would like to stay with that.

 

I am finding the splash page coming up for new users is hit and miss but also when making changes to policies they don't seem to take affect if the person is already logged in, I am trying to block and unblock Facebook using multiple policies one of which is on a schedule however it doesn't work.

 

Even blocking and unblocking a simple site doesn't work.

 

Long story short I would like to kill the users login session but cannot find any way of doing this without rebooting the MX appliance. Is this possible?

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

Policy changes are only applied when a session is being established.  They don't get applied during an existing session.

 

I don't think there is any way to clear an AD authenticated person.

 

I think this process only works on MR splash pages, but it it a try.

https://documentation.meraki.com/MR/Splash_Page/Revoking_Splash_Page_Authorization


Policy changes are only applied when a session is being established.  They don't get applied during an existing session.

 

I don't think there is any way to clear an AD authenticated person.


 

I guess I am not going with Meraki for gateways then, We rely on AD and not being able to terminate a users session is nuts, every other vendor I've worked with over the years can do this. 

 

@PhilipDAth by "session" I am assuming you mean the session between client and website i.e web session not the user session. If so restarting the client and waiting 5 mins should break this session however changes still don't work.

 

Thanks for your help

DCooper
Meraki Alumni (Retired)
Meraki Alumni (Retired)

@BlakeRichardsonCan you confirm your using (active directory or my radius server)? We support both.

 

You can terminate a users session with CoA if your using radius, which is the standard on how all vendors do this using 802.1x/EAP-PEAP (Username/Password). The MX platform does support 802.1x/radius and CoA, however from what your describing your using the built in Windows Active Directory which taps into AD via WMI and reads the logs. This is a unidirectional communication, we can only read the logs when a user logs in and out, there is nothing in that standard that can send back de-authentication events. When you say other vendors support this are you sure your not referring to CoA? When you use LDAP or WMI there aren't any mechanisms from the AD/NPS/Authentication gateway that can be sent back to disassociate a client, thus flip a policy role on the fly.

 

 

@DCooper We currently use a Sonicwall Appliance with AD authentication, it has a status page which allows me to terminate the users login session. 

 

When I reviewed Palo Alto I'm pretty sure it had the same feature. 

Uberseehandel
Kind of a big deal

@BlakeRichardson

 

Can you send wireless users a deauthentication packet? I do not know if it will work in your situation. I have some issues with smart devices but the Android based devices seem to do as they are told.

So, hopefully, change policy, send deauthentication packet, user blocked on attempt to login again?

 

Some Cisco info here - https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels