Meraki

Community

User-based Policy not per device!

ahmadtat
Getting noticed
‎Sep 17 2017 7:46 AM
‎Sep 17 2017 7:46 AM

User-based Policy not per device!

Hi,

We're having this request that MX100 (or any MX) needs to authenticate users based on their credentials (not their Mac-address) or devices. in a case like below:

same PC is used by 2 users (at different shifts) .. the shifts are not really time specific (so Policy scheduling will not resolve this).

We did Active Directory integration and we can use MX with a splash page to authenticate the users by their credentials.. but the issue in this scenario is that we can only control the splash page frequency (by hours , days, weeks).. but that will not resolve the time slot differences in our case.

 

If there is a way to authenticate users (and then apply certain polices on) without a splash page, that would be great.. if not, how can we resolve this issue ?

 

Thanks

0 Kudos
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 17 2017 4:55 PM
‎Sep 17 2017 4:55 PM

I'm sorry to say but I do not believe this is possible.  The entire Meraki model is based around device enforcement.  Even when you authenticate it just associates this with the device and then enforces that device.

MilesMeraki
Head in the Cloud
‎Sep 17 2017 8:47 PM
‎Sep 17 2017 8:47 PM

Hello @ahmadtat; Welcome to the community! You're post is a little confusing. However, my recommendation is to look into 802.1x intergration with AD - This assumes you are using a full stack Meraki deployment. - This assume that the respective users would log-out from the machine before finishing their shifts.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to MilesMeraki
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 17 2017 9:02 PM
‎Sep 17 2017 9:02 PM

I like the 802.1x idea!  It should not be that much of a discipline for users to log in and out of their machines.  You can set group policy to lock their machines if idle for (say) 5 minutes.  Then if someone forgets to logout the next user will be forced to log back in again as they wont have the credentials of the prior user.

In response to MilesMeraki
ahmadtat
Getting noticed
‎Sep 17 2017 9:25 PM
‎Sep 17 2017 9:25 PM

Thanks for your input.. will the 802.1x work if we only have the MX100?
Meaning: we don't have Meraki switches or APs yet.. we have a mix of Cisco catalyst and Linksys switches and Cisco APs.
Appreciate your feedback.
0 Kudos
In response to ahmadtat
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 17 2017 9:46 PM
‎Sep 17 2017 9:46 PM

No, it wont work in that case.

0 Kudos
bblank05
New here
‎Nov 21 2017 6:25 AM
‎Nov 21 2017 6:25 AM

We are having the same issues. Been working with support for weeks now and still nos resolve. We have an MX100 firewall and it randomly will not apply the group policies that we set in Meraki that integrates with active directory. I can sign into 3 machines with my username and 2 out of the 3 machines will block access to certain sites. Basically it is applying the default policy to my account on two out of three machines. Big problem when you are the Admin and cant get to resources you need. This is also a problem due to the fact that a default user that needs restricted access to certain sites now have full access at random. When looking at the MX100 you will see the IP address doesn't match up with the logged in user. I see other users getting my policy that shouldn't. 

This is a HUGE security flaw that needs to be addressed and right now with it coming up top three weeks of an issue. The only TEMPORARY fix is to white-list the IP address but if it doesn't have a static IP then someone else will get a white-listed IP that shouldn't when they get a DHCP release. 

Not sure if this is just me but i feel like Meraki is dragging their feet on this.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.