Setting a session time?

BlakeRichardson
Kind of a big deal

I can't see it anywhere, but is it possible when using Active Directory for authentication to set a maximum session time before the user has to re-authenticate?

Currently a SonicWall appliance is being used and users have a maximum session time of 600 minutes before they have to log in again. It's also set to log out idle users after an hour.

Is anything like this possible when using AD authentication, which is needed because the client is not using Meraki's APs but they need to have content filtering for specific users, and without Meraki APs this feature requires AD?

PhilipDAth
Kind of a big deal

I think Meraki relies on a "logoff" event. If another user logs on using the same IP address then that also updates it.

I'm not sure why you would need a session time out if you are tracking the actively logged in user?

BlakeRichardson
Kind of a big deal

That seems like an awfully resource-intensive way of doing it. So if you started the year with 1000 people logging in on day one, it's going to keep all of those sessions open until a user's IP address changes, which if they were statically assigned using DHCP would be never....

It also sounds very insecure; all it would take is for another person to spoof their MAC and set the same IP and they get access...

PhilipDAth
Kind of a big deal

It constantly scans the domain controllers' event log for login and logout events. Yes, the more users the more resources required. Now you know why Meraki publish a guide suggesting boxes based on the number of users. The more users the more RAM and CPU are required.

If you are worried about users changing their MAC and IP addresses then you are not going to be protected either way. You probably need to deploy additional measures such as 802.1x, IP Source Guard and Dynamic ARP Inspection at the switching layer (I'm not sure the Meraki line-up has IP Source Guard and Dynamic ARP Inspection available yet).

BlakeRichardson
Kind of a big deal

I still find it hard to work out why such a simple feature is missing when other major vendors, i.e. Palo Alto and SonicWall, all allow it. While I love the Meraki products and brand, I think the MX units still have a long way to come in terms of features and reporting.
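
A simplified model of the IP-to-user mapping debated in this thread, added as an example (it is not Meraki's implementation and not code from any poster): it compares a table that changes only on logon/logoff events with one that also enforces the 600-minute absolute and 60-minute idle limits from the original question. The event tuples, the `traffic` event type used to measure idleness, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_SESSION_MIN = 600  # absolute limit, the value quoted in the thread
IDLE_LIMIT_MIN = 60    # idle limit, also from the thread

@dataclass
class Session:
    user: str
    start: int      # minute of the logon event
    last_seen: int  # minute of the last logon or traffic from this IP

# Constructed sample events (minute, kind, ip, user); not real log data.
EVENTS = [
    (0, "logon", "10.0.0.5", "alice"),
    (10, "logon", "10.0.0.6", "bob"),
    (30, "traffic", "10.0.0.5", None),   # alice's last activity; no logoff is ever seen
    (50, "logoff", "10.0.0.6", "bob"),
    (55, "logon", "10.0.0.6", "carol"),  # a new logon on the same IP replaces the mapping
] + [(m, "traffic", "10.0.0.6", None) for m in range(100, 700, 50)]

def _expire(sessions, t):
    """Drop every mapping that has hit the absolute or the idle limit at minute t."""
    for ip in [ip for ip, s in sessions.items()
               if t - s.start >= MAX_SESSION_MIN or t - s.last_seen >= IDLE_LIMIT_MIN]:
        del sessions[ip]

def resolve(events, now, enforce_timeouts):
    """Return {ip: user} as a per-user content filter would see it at minute `now`."""
    sessions = {}
    for t, kind, ip, user in sorted(events, key=lambda e: e[0]):
        if t > now:
            break
        if enforce_timeouts:
            _expire(sessions, t)  # expired mappings cannot be refreshed by later traffic
        if kind == "logon":
            sessions[ip] = Session(user, t, t)
        elif kind == "logoff" and ip in sessions and sessions[ip].user == user:
            del sessions[ip]
        elif kind == "traffic" and ip in sessions:
            sessions[ip].last_seen = t
    if enforce_timeouts:
        _expire(sessions, now)
    return {ip: s.user for ip, s in sessions.items()}

if __name__ == "__main__":
    print("event-driven only:", resolve(EVENTS, 700, enforce_timeouts=False))
    print("with timeouts:    ", resolve(EVENTS, 700, enforce_timeouts=True))
```

Without timeouts, alice's address stays mapped to her indefinitely because no logoff event ever arrives. With them, her mapping lapses on the idle limit and carol's lapses on the absolute limit even though she is still active.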
