Active Directory group policy not including security appliance only rules

SteenSN
Comes here often

Active Directory group policy not including security appliance only rules

I have followed this guide https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Integrating_Active_Directory_w... and it works for layer 3, layer 7 and traffic shaping rules.

 

The wireless client gets the layer 3, layer 7 and traffic sharping rules just fine, but no security appliance only rules. 

 

My only option to get the security appliance only rules (i.e. blocked website categories, blocked url patterns and so on) to work is to manually set det clients device policy to the same group policy as the 802.1x policy. Then it works fine.

 

But I don't want to set every clients device policy manually in the dashboard in order to get the security appliance only rules to work. What I would like is to control the group policy including the security appliance only part through active directory group membership.

 

Is the no way to automatically include the security appliance only part of the group policy automatically?

 

 

 

13 REPLIES 13
PhilipDAth
Kind of a big deal
Kind of a big deal

Is the WiFi using 802.1x by chance? (WPA2 Enterprise mode)?

Yes I have set up NPS and use 802.1x WPA2 enterprise with RADIUS

Adam
Kind of a big deal

I may not be fully understanding what you want to accomplish but here are my thoughts. 

 

If you want rules like blocked website categories etc to apply to all users then you just set it up in the content filtering section etc.  If you want more granular control then you can map AD groups to Meraki groups in Security Appliance>Active Directory.  That way whatever group they are associated with in AD will automatically link to a policy in Meraki. 

 

Capture.PNG

We basically have the default content filtering blocks for everyone in the company then we have some groups that we selectively assign for exceptions (slightly more or less access in special circumstances).  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SteenSN
Comes here often

I have already linked AD groups to Meraki groups and it works - for layer 3, layer 7 and traffic shaping rules

 

What I want is to.be able to put students into AD group on the day of their exam, where they are allowed to use their computer but with at lot of restrictions - here I need the security appliance only restrictions so I can limit their internet access only to a few websites.

 

That AD group maps to a Meraki group - let's call it "RestrictedExamAccess".

 

All clients get the right 802.1x policy but it only maps to the layer 3, layer 7 and traffic shaping rules of the Meraki group policy.

 

For the security appliance only rules I have to manually set each device policy to "RestrictedExamAccess" - which is a poor solution when it has to be done for hundreds of students

Adam
Kind of a big deal

The above mapping works for me with content filtering as well.  We use it to allow users to get to Dropbox so we just have to make sure they are in the AD group and it automatically maps to the Meraki group and allows them access.  Although there is a slight delay for it to sync.  Which part(s) aren't mapping/working in your test because it seems like you are trying to do what we are doing?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SteenSN
Comes here often

examstrict.jpgsecapponly.jpg

The part that isn't working is the settings on the image to the right. The image on the left shows a client which received the 802.1x policy "EksamenStrict". Below you se no rules for layer 3, layer 7 and a single traffic shaping rule. These rules work fine (also layer 3 and layer 7 if there were any)

But note that the device policy says "normal" If I change the device policy to "group policy" and select the "EksamenStrict" Meraki group policy, then the rules on the above image works.

It seems as if 802.1x policy only applies to layer 3, layer 7 and traffic shaping rules - the mapping of AD groups and Meraki groups does not include "security appliance only" rules - unless you manually set the device policy.

 

 

 

 

 

 

Adam
Kind of a big deal

I think I may be getting a sense of what you have going on here.  So in your "left" image, it shows the 802.1x "Access Policy".  The only settings that tie to that policy are in Switch>Access Policies and they look like this:

Capture.PNG

 

Group Policies, on the other hand, are configured under Network Wide>Group Policies.  They look more like this:

Capture.PNG

 

I believe there are two ways you can assign the Group Policy to a device.  One is manual as you observed and that would be annoying.  The second is to go to Security Appliance>Active Directory and link your Active Directory Group to the Meraki Group Policy.  I don't believe this shows up in the dashboard when you view a computer but it definitely works.  Then you can just assign users to that Active Directory Group and they'll automatically get the permissions from the Meraki Group Policy.    

Capture.PNG

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SteenSN
Comes here often

You are quite right - the trouble however is, that it's precisely what I've done:

 

 

ldapmapping.JPG

I have no trouble mapping the AD-group and the Meraki policy - only trouble is, that I only get layer 3, layer 7 and traffic shaping rules - none of the rules listed under "Security appliance only" in the Meraki group policy page are working.

There seems to be a difference between 802.1x policy and device policy. My testing shows, that AD groups only control layer 3, layer 7 and traffic shaping rules of the Meraki group policy. The last part (the rules below Security appliance only) has to do with a device policy, that needs to be set manually.

Adam
Kind of a big deal

What types of things are you trying to set for the Security Appliance Only section that aren't working?  In the Dropbox policy I've referenced, those work just fine.  Here is what I do since we block File Sharing.  I append whitelisted dropbox items then if the user is part of that AD group it maps to this Meraki Group Policy and allows them.  

 

Capture.PNG

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SteenSN
Comes here often

Here are my settings:

secapp.JPG

I have blocked every URL pattern (*) only allowing the ones I have whitelisted. This part is only working if I set the device policy to the group policy name manually.

 

 

Adam
Kind of a big deal

Two things I'd try.

 

1.  Just set the * as the default in Security Appliance>Content Filtering for blocked and in your Group Policy configure the whitelist to append.

2.  Try just setting a single site to blacklist in your policy to test if for some reason it is the * thing messing it up. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SteenSN
Comes here often

Thanks a lot - I'll try that tomorrow 

SteenSN
Comes here often

I have now tried all the settings below 'Security appliance only' and none of them works. I tried to blacklist a single website with no luck.

 

However, all setting work when I manually choose to set the device policy for the client to the same group policy

 

My conclusion is - at least in my setup with WPA2 enterprise and RADIUS - that AD groups mapped to Meraki groups only gives the client part of the group policy (layer 3, layer 7 and traffic shaping rules) and that the last part of the policy (security appliance only) is controlled by device policy that has to be set manually.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels