Home > Security Appliances > Content Filtering and Threat Protection > Active Directory Integration

Active Directory Integration

Active Directory (AD) integration allows you to restrict access to the network and enforce Group Policies based on membership in Active Directory groups.

Currently, Active Directory-based authentication works only if one of the following is true:

  • The Domain Controller is in a VLAN configured on the appliance
  • The Domain Controller is in a subnet for which a static route is configured on the appliance
  • The Domain Controller is accessible through the VPN.

If there are multiple Domain Controllers in the domain, all of them must meet one of these criteria in order for Active Directory integration to function properly.

Integrating with Group Policies

A Group Policy in the Dashboard is a set of bandwidth limits, traffic shaping and firewall rules, security filtering, and content filtering settings that can be applied on a per client basis. 

Note: Cisco Meraki Active Directory-Based Group Policy on the MX should not be confused with Microsoft Active Directory Group Policy as they are in no way related. 

Traffic Flow

The MX utilizes Microsoft's Windows Management Instrumentation (WMI) service to pull a continuous stream of Logon Security Events from specified Domain Controllers in the Active Directory domain. These security events have critical information that tells the MX which user accounts are logged into which computers. Specifically, the events contain the IP address of the computer and the Windows username of the logged on user.

The MX will run through the following steps to identify AD group members and apply associated group policies:

  1. MX securely contacts the specified Domain Controllers for the AD domain, using TLS
  2. MX reads WMI logon events from the DC's security events, to determine which users are logged into which devices.
  3. MX binds to DCs using LDAP/TLS to gather each user's AD group membership.
  4. Group membership is added to a database on the MX.
  5. If a domain user's group membership matches an AD group policy mapping in Dashboard, the MX can apply the associated group policy to the user's computer.

Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply the policy in real-time whenever a new user logs in.

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Benefits of Active Directory Integration

By using Microsoft WMI and standards-based LDAP to interact with the Active Directory network infrastructure, the MX can do real-time Active Directory-based Group Policy assignment without the need to install or maintain any agent software on local Active Directory Domain Controllers.

Configuration Overview

The following steps outline the required configuration (both in Dashboard and Active Directory) to allow for AD-based group policy application. Please be sure to follow each step as accurately as possible, errors can be difficult to diagnose and resolve.

  1. Create an Active Directory site for the MX so users authenticate against the correct Domain Controllers.
  2. Enable security auditing on Active Directory Domain Controllers so the MX can obtain all relevant logon events.
  3. Enable the Global Catalog role on each Domain Controller because the MX uses LDAP/TLS over TCP port 3268.
  4. Install a digital certificate on each Domain Controller for LDAP/TLS.
  5. Certificate Requirements for TLS
  6. Create groups in Active Directory which will be mapped to Group Policies in Dashboard.
  7. Add users to groups in Active Directory. 
  8. Configure Group Policies in Dashboard.
  9. Configure Active Directory Authentication in Dashboard.
  10. Create LDAP group to Group Policy mappings in Dashboard.

Create an Active Directory Site

In Active Directory, Domain Controllers are placed into sites. Sites are assigned IP subnets. Domain users and computers authenticate with Domain Controllers located in the site (IP subnet) for which they reside. Each authentication generates a logon entry within the Domain Controllers Security Event Log. Because the MX uses these Security Events to determine which users are logged onto which computers, all of the Domain Controllers that service logons in an Active Directory site whose IP subnets also correspond to the subnets configured on the MX must be added to Dashboard.

 

In the example below, the MX has the following IP subnets 10.0.0.0/24 and 192.168.0.0/24 configured under Addressing and VLANs. Active Directory sites need to be applied to both subnets.

1.png

Both IP subnets on the MX, are members of the Active Directory site named "Default-First-Site-Name" (shown below). Therefore, the IP addresses of servers DC1, DC1-UK, DC2, SE-Test, and WIN-K7346GNLZ29 located in this site must be added to Dashboard on the Active Directory page in Dashboard. 

2.png

Enable Security Auditing on Active Directory Domain Controllers

Explanation

When Active Directory Group Policy is enabled, the MX pulls a continuous stream of Security Events from Windows Active Directory Domain Controllers. Using Logon Events (540 and 4624) and Account Logon Events (672 and 4768) specifically, the MX can determine which domain users are logged into which domain computers and what the IP address of those computers are. This information is then coupled with the users Group Membership retrieved from an LDAP/TLS lookup and the IP address or MAC address of the computer learned via Cisco / Meraki client detection. By combining these pieces of information, the appropriate filtering policy can be applied transparently in real-time to each computer based on the currently logged on user. If Domain Controllers specified in Dashboard do not have Security Auditing enabled, the MX will not be able to associate users to computers transparently. To ensure that a Domain Controller is configured to audit successful Logon and Account Logon Events, enable this logging using the Default Domain Controller Policy or Local Computer Policy for Domain Controllers in your domain.

Configuration
  1. On the Domain Controller, open the Local Computer Policy using gpedit.msc.
  2. Navigate to Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy.
  3. Confirm that 'Audit Account Logon Events' and 'Audit Logon Events' is set to 'Success' as shown in this image: 

3.png

Note: If these auditing entries are not set to log Success events and the option to edit it is greyed out, then this setting is defined by Domain Group Policy, and you will need to modify this at the Domain level instead.  This setting can be found by opening the applicable Group Policy in the server's Group Policy Management Editor and navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. If further issues are encountered, please refer to Microsoft's documentation for assistance:

Enable the Global Catalog Role on Each Domain Controller

In order for a Domain Controller to maintain the logon events used by the MX for user/group identification, it must be running the Global Catalog Role. As such, a required configuration step is to enable the Global Catalog Role for each Domain Controller that the MX will be polling.

Please refer to official Microsoft documentation for specific configuration steps.

Install a Digital Certificate on Each Domain Controller

In order to communicate with a Domain Controller, the MX security appliance will need to establish Transport-Layer Security (TLS) so all communication between the MX and Active Directory will be encrypted. As a prerequisite to TLS, the MX will need to verify the identity of the Domain Controller. This is done with certificate validation.

An existing certificate can be used on the Domain Controller (so long as it meets the requisite requirements for TLS), or a self-signed certificate can be created on the server. 

Certificate Requirements for TLS

The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.

Under the General tab, check for the following attributes:

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: "You have a private key that corresponds to this certificate".
  • Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer". 
  • Check that the certificate is still valid, based on the "Valid from" values.

161660e9-4ca1-463e-83d2-0a501dec663d

 

Under the Details tab:

  • The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.

027016df-3566-4d53-b2f3-d800f475ceb7

 

  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").

4cec2a3f-3bff-4a0b-b837-eeba0aeb523a

 

  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server, e.g. myserver.mydomain.com. 
  • The Public key value should be set to "RSA (2048 Bits)".

2fb213d1-e1a9-47d6-9c7c-7f0c5f65dbdf

 

  • The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com" where the the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.

97a65a90-13d1-4cda-964f-64c09d2373be

 

  • The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
    Note: In Server 2012, this option may be available as "Data Encipherment."

9ace3db0-f596-4c47-b9a9-7e0bd9a1d496

Create Groups in Active Directory

Since the MX will be mapping Active Directory groups to its own group policies, the appropriate groups will have to be created in Active Directory.

Please refer to official Microsoft documentation for specific configuration steps.

Add Users to Groups in Active Directory

When a user logs on to a domain, the logon event will include both user information and group membership. Since this group membership defines which Dashboard group policy will be applied, it is important to ensure that users are added to the appropriate groups in Active Directory.

Please refer to official Microsoft documentation for specific configuration steps.

Configure Group Policies in Dashboard

A group policy in Dashboard will determine the custom network rules and regulations that will apply to users with that policy. This can include custom bandwidth limits, more or less restrictive content filtering rules, custom access to subnets, etc.

Please refer to our documentation for more information about configuring Dashboard group policies.

Configure Active Directory Authentication in Dashboard

The following instructions explain how to add Active Directory servers to Dashboard and enable AD authentication for network clients.

  1. Log into Dashboard and navigate to Security Appliance > Configure > Active Directory.
  2. From the Active Directory drop-down, select Authenticate users with Active Directory.
  3. For Per-VLAN settings choose to Require logon via splash or Default to network-wide settings (Use global settings). Enabling logon via splash will prompt network users with a splash page where they will log in with their domain credentials, but is not a prerequisite to group policy integration.
    In our example below, we are requiring splash logon for the data VLAN and network defaults for the server VLAN.

Note: The MX AD splash page authorization expires after 2 days or if AD detects a new logon event on the client. The clear authorization button on the client list does not clear the AD splash page authorization on the MX.

  1. For Active Directory Servers, click Add an Active Directory domain server. Remember to add all Domain Controllers that are responsible for the sites/subnets that the MX handles. In our example below, we added all 5 Domain Controllers located in our Active Directory site.
  2. To add an Active Directory server, enter the following information:
    1. Short Domain: Short name of the domain (a.k.a., NetBIOS name), as opposed to the fully qualified domain name (FQDN). Typically if the FQDN is "mx.meraki.com", the short domain is "mx".
    2. Server IP: The IP address of the domain controller.
    3. Domain admin: A domain administrator account that the MX can use to query the AD server.
    4. Password: The password of the domain administrator account.

User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI
  1. Click the Save changes button.

10.png

Create LDAP Group to Group Policy Mappings in Dashboard

Once Active Directory has been successfully integrated on the MX, the following steps outline how to map Dashboard group policies to groups in AD:

  1. In Dashboard, navigate to Security appliance > Configure > Active Directory > LDAP policies.
  2. Click the Refresh LDAP Groups button to pull LDAP groups from the configured Active Directory servers.
  3. Under Groups, select the LDAP group, and under Policy select the appropriate group policy for that LDAP group.
  4. Click Save Changes at the bottom of the page.

If a user is part of more than one group specified in a Group Policy mapping the first group in the list is applied, they will not receive a combination of both policies. For example, in the screenshot below, if a user was part of both staff and executives they would be mapped to staff and only receive the policy configured as the staff policy:

11.png

Note: Policy mappings in Dashboard are done based on the FQDN of the group policy object in Active Directory. If the OU of any object in the FQDN path changes, the group policy mapping will need to be re-added in Dashboard.

Note: Active Directory group policy does not support group nesting or policy overlapping. If a domain user is a member of an AD group (e.g. staff), and that group is contained within another group that has a Group Policy mapping (e.g. executives), the mapped policy (executives) will not be applied to the user.


The best practice for deploying Active Directory-based group policy is to add users to a single AD group which is mapped to a single group policy. In the example below, a company has different security levels for its executives and staff. A user Bob is a staff member and Billy is an executive. In this case, the company creates two AD groups, staff and executives. Bob is added to the staff group and Billy the executives group. Therefore Bob receives the policy applied by staff and Billy the policy from executives:

12.png

Troubleshooting

Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, the Status column next to the server in Dashboard will show a red X. Hovering over the X will display a tooltip with more detailed error information:

13.png

ldap_bind: Invalid credentials

Error Description: Short domain, Domain admin or Password values are incorrectly configured for Active Directory Servers in Dashboard. 

Error Solution: The following steps describe how to find the correct info to enter in Dashboard under Security appliance > Configure > Active Directory > Active Directory Servers:

  • Short domain: Use the pre-Windows 2000 (NetBIOS) domain name format. Find the pre-Windows 2000 domain name by doing either of the following on the domain controller.
    • Run the set command from the command prompt and locate the USERDOMAIN value:

14.png

  • In the Active Directory Users and Computers console, locate the pre-Windows 2000 domain name value on the Account Properties tab of the domain administrator or any user in the domain. Note: Do not include the backslash when entering the short domain in Dashboard.

15.png

  • Domain admin: Use the User logon name of the Domain administrator without a NetBIOS domain name prefix or UPN suffix. This can be found on the Account Properties tab of the domain administrator in the Active Directory Users and Computers console of the domain controller.

16.png

  • Password: The password for the Domain admin account is incorrect or the user is locked out in Active Directory. To determine if the account is locked, check the Account Properties tab of the domain administrator in the Active Directory Users and Computers console of the domain controller. 

17.png

Could not Reach the Domain Controller

Error Description - The MX is unable to reach the LDAP and WMI services on the domain controller. Specifically, the MX is unable to establish a TCP session with either service.

Error Solution - To resolve an unreachable domain controller, please verify:

  • The correct IP address of the domain controller is entered into the Server IP field in Dashboard.
  • There is IP connectivity between the MX and domain controller. 
  • A firewall is not blocking LDAP and WMI connections to the domain controller. LDAP connections will use TCP port 3268 and WMI will use TCP ports 135, 445, and dynamically-assigned ports, 1024-65535(TCP) for Windows 2003 and older, and 49152 - 65535(TCP) for Windows 2008.
  • Verify Windows Management Instrumentation (WMI) service is running on the domain controller. This is done by check the servers Services console.

For more information on troubleshooting connection issues, reference our documentation on Troubleshooting a connection.

ldap_bind: Can't Contact LDAP Server

Error Description - This error indicates the MX can connect to the WMI service on the domain controller but cannot connect to the LDAP service. Note that this is different from the Could not reach domain controller error (described above) which indicates both the WMI and LDAP services are unreachable.

Error Solution - To resolve LDAP connection failures, please verify:

  • The domain controller is a Global Catalog listening on TCP port 3268:

​​​​​​​18.png

  • A firewall is not blocking LDAP connections to the Global Catalog service on TCP port 3268.

For more information on troubleshooting connection issues, reference our documentation on Troubleshooting a connection.

ldap_start_tls: Server is Unavailable

Error Description - The MX uses TLS to secure the LDAP connection to the domain controller. This error indicates the MX received an Error initializing TLS response from the domain controller when attempting to establish TLS.

Error Solution: To resolve issues with TLS, please verify the following:

  • The domain controller has a valid certificate installed. 
  • The domain controller supports STARTTLS. Since the MX does not support LDAP over SSL, it uses STARTTLS instead.

WMI Error

Error Description - This error means the WMI service on the domain controller is returning an NT error code when the MX tries to pull security logs. These events are necessary for the MX to learn which user accounts are logged into which computers. 

Error Solution - There are two reasons for WMI errors:

  • The user account configured in Dashboard does not have permissions to access domain controller security logs. If Dashboard shows a continuous WMI Error, the issue is likely user permissions. To fix this, add the configured Domain admin account as a member of the Domain admins group in Active Directory. 
  • In order to apply Group Policies to clients in real-time, the MX connects to the WMI service every 5 seconds to pull the most recent logon events. The WMI Provider Service may require increased memory and handle quotas and a smaller Security Event log size to handle the requests.
    Please follow the steps below to increase WMI Provider Service memory and handle quotas and decrease the size of the Security Event logs:
  1. Open the Event Viewer.
  2. Navigate to Event Viewer> Windows Logs > Security.
  3. Right click Security and click Properties.
  4. Set the Maximum log size (KB) to 1024.
  5. For When maximum event log size is reached select Overwrite events as needed (oldest events first) or Archive the log when full, do not overwrite events.

19.png

  1. Click OK

LDAP Connection error

Error Description: This error commonly occurs when the domain controller does not support TLS v1.0 

Error Solution: Verify the domain controller supports TLS v1.0.

Integrating Group Policies with MPLS 

An MX appliance must be configured in Passthrough mode when Active Directory-based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS. Additional information on the traffic flow and the reason for this required configuration is explained below.

Passthrough Mode Configuration

To support Active Directory Group Policy mappings when Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This can be accomplished by going to Security Appliance > Addressing & VLANs on the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator.  

24.png

In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink. This configuration allows the MX to query the security logs, obtain an end-user's account name and associated device IP address, and apply the corresponding group policy.

21.png

NAT Mode Configuration

When an MX Security Appliance is configured for NAT mode and Active Directory Domain Controllers are located across an MPLS, authentication requests will traverse the MX WAN uplink. When this uplink traversal occurs, a NAT translation takes place and the source IP will be modified from the user's client device IP address to the WAN IP address of the MX Security Appliance.  

In this scenario, the Active Directory security logs will contain the IP address of the MX Security Appliance, rather than the IP address of the end-user's device. This prevents the MX from knowing which device to apply the identity-based content filtering policies. Because of this, a NAT mode configuration will not support Active Directory-based group policies.

Integrating with Client VPN

The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN, so a client will be required to provide domain credentials in order to connect via VPN.

Traffic Flow

When a user attempts to connect to Client VPN, the following process occurs:

  1. The user's device attempts to establish a VPN tunnel using L2TP over IP.
  2. The user provides their valid domain credentials.
  3. The MX, from its LAN IP, queries the Global Catalog over TCP port 3268 (encrypted using TLS) to the AD server configured in Dashboard.
  4. If the user's credentials are valid, the AD server will send its response to the MX, completing authentication.
  5. The MX offers the client an IP configuration on the Client VPN subnet, and the client can start communicating on the network.

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.  

Configuration Overview

In order to configure Active Directory authentication for Client VPN, configuration steps must be completed on both Dashboard and Active Directory, outlined below:

Active Directory Configuration

The following requirements must be configured on each AD server being used for authentication:

  • Every AD server specified in Dashboard must hold the Global Catalog role. Please refer to Microsoft documentation for specific configuration steps.
  • Since communication between the MX and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
    • If no certificate is present, it will be necessary to install a Self-Signed certificate.
    • If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.
  • The MX will communicate from its LAN IP with each AD server over TCP port 3268, ensure that no firewalls or ACLs on the network or server will block that communication.

When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.

Dashboard Configuration

Once the AD servers have been primed with the configuration requirements outlined above, the following steps outline how to set up AD authentication for Client VPN:

  1. In Dashboard, navigate to Security appliance > Configure > Client VPN
  2. If Client VPN has not yet been enabled, please refer to our Client VPN documentation for info on initial configuration.

Note: In order for Client VPN users to be able to resolve internal DNS entries, the Custom nameservers option should be configured with an internal DNS server. The server's firewall may need to be adjusted to allow queries from the Client VPN subnet, and best practices dictate that a public DNS server should be listed as a secondary option.

  1. Set Authentication to Active Directory.
  2. Under Active Directory server, provide the short domain name and server IP, as well as the credentials for an AD domain admin.

Note: If the credentials provided do not have domain admin permissions, the MX will be unable to query the AD server.

  1. Click Save Changes.

Client Configuration

Clients can use their native VPN client to connect to Client VPN, with or without Active Directory.

Please refer to our Client VPN documentation for OS-specific configuration steps.

(Optional) Client Scoping

Due to the nature of Active Directory authentication for Client VPN, all domain users will be able to authenticate and connect to Client VPN. There is no Dashboard-native way to limit which users can authenticate, however, there is a workaround in Active Directory that allows the scope of users to be limited by specifying a domain administrator with limited group visibility.

The following article outlines how to configure this workaround for wireless networks, but the same principles can be applied to Client VPN: Scoping Active Directory per SSID

Note: This configuration is entirely reliant on Active Directory. Depending on how domain groups are managed, this may not work some environments - please refer to Microsoft documentation and support for assistance with Active Directory configuration.

Testing

Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to ensure that the LDAP service is running and compatible with the current certificate.

Please reference Microsoft documentation for error code details and troubleshooting assistance.

Additional Resources

For more information about both Client VPN and Active Directory integration, please refer to the following articles:

Clearing Active Directory Client Information 

When a client is authenticated with an AD server through an MX appliance it authenticates once and holds those credentials locally. In situations where clients must be removed or forced to re-authenticate with the Active Directory server, there are two options:

  • Navigate to Network-wide > Monitor > Clients, then blocking and unblock the specific client, this will clear the AD user currently associated with that client device.
  • It is also possible by performing a factory reset on the MX security appliance. This clears all information on the device itself but will cause some brief downtime until the MX comes online and redownloads its configuration from Dashboard.

Note: Resetting the MX will also clear any local configuration performed on the MXs Local Status Page, including its IP configuration. Please make note of any required changes or additional maintenance before resetting the MX, to minimize downtimes.

Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 4169

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community