I can't see it anywhere, but is it possible, when using Active Directory for authentication, to set a maximum session time before the user has to re-authenticate?
Currently a SonicWall appliance is being used and users have a maximum session time of 600 minutes before they have to log in again. It's also set to log out idle users after an hour.
Is anything like this possible when using AD authentication? It is needed because the client is not using Meraki's APs but they need to have content filtering for specific users, and without Meraki APs this feature requires AD.
That seems like an awfully resource-intensive way of doing it. So if you started the year with 1000 people logging in on day one, it's going to keep all of those sessions open until a user's IP address changes, which, if they were statically assigned using DHCP, would be never....
It also sounds very insecure; all it would take is for another person to spoof their MAC and set the same IP and they get access...
It constantly scans the domain controllers' event log for login and logout events. Yes, the more users, the more resources required. Now you know why Meraki publish a guide suggesting boxes based on the number of users. The more users, the more RAM and CPU are required.
If you are worried about users changing their MAC and IP addresses then you are not going to be protected either way. You probably need to deploy additional measures such as 802.1X, IP Source Guard and Dynamic ARP Inspection at the switching layer (I'm not sure the Meraki lineup has IP Source Guard and Dynamic ARP Inspection available yet).
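Added example, not part of any post in this thread and not Meraki's implementation: a simplified model of an IP-to-user table built from domain controller logon events, showing how a mapping persists indefinitely without limits and how the 600-minute and 60-minute limits quoted in the thread would expire it. `IdentityTable`, `replay`, and the sample users and addresses are hypothetical.

```python
from dataclasses import dataclass
MAX_SESSION_MIN = 600  # absolute session limit quoted in the thread
IDLE_TIMEOUT_MIN = 60  # idle limit quoted in the thread

@dataclass
class Mapping:
    user: str
    created: int    # minute the logon event was seen
    last_seen: int  # minute of the last traffic from this IP

class IdentityTable:
    """Hypothetical IP-to-user table fed by domain controller logon events."""
    def __init__(self, max_session=None, idle_timeout=None):
        self.max_session, self.idle_timeout = max_session, idle_timeout
        self.by_ip = {}

    def logon(self, ip, user, now):
        self.by_ip[ip] = Mapping(user, now, now)  # newest logon wins

    def traffic(self, ip, now):
        """Return the user whose policy applies, or None if re-auth is needed."""
        m = self.by_ip.get(ip)
        if m is None:
            return None
        too_old = self.max_session is not None and now - m.created >= self.max_session
        idle = self.idle_timeout is not None and now - m.last_seen >= self.idle_timeout
        if too_old or idle:
            del self.by_ip[ip]  # force a fresh logon before policy applies again
            return None
        m.last_seen = now
        return m.user

# Constructed events: (minute, kind, ip, user). Not taken from any real log.
# Events for each IP are already in time order.
EVENTS = [(0, "logon", "10.0.0.5", "alice"), (0, "logon", "10.0.0.6", "bob")]
EVENTS += [(t, "traffic", "10.0.0.6", None) for t in range(50, 700, 50)]  # bob stays active
EVENTS += [(30, "traffic", "10.0.0.5", None), (200, "traffic", "10.0.0.5", None)]

def replay(table, events):
    """Feed events to a table; return {(minute, ip): user or None} for traffic."""
    seen = {}
    for now, kind, ip, user in events:
        if kind == "logon":
            table.logon(ip, user, now)
        else:
            seen[(now, ip)] = table.traffic(ip, now)
    return seen

if __name__ == "__main__":
    print(replay(IdentityTable(MAX_SESSION_MIN, IDLE_TIMEOUT_MIN), EVENTS))
```

With no limits configured, every traffic event in the sample still resolves to the original user; with both limits, the idle address loses its mapping at minute 200 and the continuously active one at minute 600.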
I still find it hard to work out why such a simple feature, which other major vendors, i.e. Palo Alto and SonicWall, all allow, is missing. While I love the Meraki products and brand, I think the MX units still have a long way to go in terms of features and reporting.