Active Directory-based group policies allow administrators to use Microsoft domain security group membership to determine the assignment of group policies. This article discusses how the MX Security Appliance determines and applies identity-based group policies to an end user's device when the Active Directory servers are located across an MPLS.
For detailed information about how the MX security appliance maps network devices to domain users, please refer to our documentation.
When an MX Security Appliance is configured for NAT mode and the Active Directory Domain Controllers are located across an MPLS, authentication requests will traverse the MX WAN uplink. When this uplink traversal occurs, a NAT translation takes place and the source IP is rewritten from the user's client device IP address to the WAN IP address of the MX Security Appliance. In this scenario, the Active Directory security logs will contain the IP address of the MX Security Appliance rather than the IP address of the end user's device. This prevents the MX from knowing to which device the identity-based content filtering policies should be applied. Because of this, implementations like the one shown below will not support Active Directory-based group policies:
To support Active Directory group policy mappings when Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This can be accomplished by going to Configure > Addressing & VLANs on the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator (see below). In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink. This scenario allows the MX to query the security logs, obtain an end-user's account name and associated device IP address, and apply the corresponding group policy.
The image below shows an example topology that supports Active Directory-based group policy mappings, by using passthrough mode:
In summary, an MX appliance must be configured in Passthrough mode when Active Directory based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS.
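To make the failure mode concrete, the following Python script is an added example (not Meraki code, and not how the MX itself is implemented) that models the mapping step: it reads constructed domain-controller logon records, builds the device-IP-to-user table, and flags records whose source address is the appliance's own WAN IP as unattributable, which is exactly what NAT mode across the MPLS produces. The WAN address, client addresses, usernames, group names, policy names and the simplified key=value log format are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: group membership from the directory and a
# hypothetical group -> group-policy assignment from the dashboard.
GROUP_MEMBERSHIP = {"alice": "Engineering", "bob": "Contractors"}
GROUP_POLICY = {"Engineering": "Engineering-Policy", "Contractors": "Contractor-Policy"}

# Simplified key=value logon record; a real domain-controller logon event carries
# an account name and a source network address among many other fields.
LINE_RE = re.compile(r"AccountName=(?P<user>\S+)\s+SourceNetworkAddress=(?P<ip>\S+)")

def build_ip_user_map(log_lines: List[str], appliance_wan_ip: str) -> Tuple[Dict[str, str], List[str]]:
    """Derive a device-IP -> user table from logon records.

    Records whose source address is the appliance's own WAN IP cannot be tied to a
    client device: in NAT mode across the MPLS the appliance rewrote the source, so
    every logon appears to come from the appliance itself. Those usernames are
    returned separately instead of being mapped."""
    ip_to_user: Dict[str, str] = {}
    unattributable: List[str] = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a logon record
        user, ip = m.group("user"), m.group("ip")
        if ip == appliance_wan_ip:
            unattributable.append(user)
            continue
        ip_to_user[ip] = user  # most recent logon seen from a device wins
    return ip_to_user, unattributable

def policy_for_device(ip: str, ip_to_user: Dict[str, str]) -> str:
    """Resolve the group policy for a device; the network default applies when no identity is known."""
    user = ip_to_user.get(ip)
    group = GROUP_MEMBERSHIP.get(user, "") if user else ""
    return GROUP_POLICY.get(group, "network-default")

MX_WAN_IP = "198.51.100.10"  # constructed appliance WAN address

# Passthrough mode: the domain controller records the real client addresses.
PASSTHROUGH_LOG = [
    "AccountName=alice SourceNetworkAddress=10.1.10.25",
    "AccountName=bob SourceNetworkAddress=10.1.10.40",
]
# NAT mode across the MPLS: every logon is recorded with the appliance WAN IP.
NAT_LOG = [
    "AccountName=alice SourceNetworkAddress=198.51.100.10",
    "AccountName=bob SourceNetworkAddress=198.51.100.10",
]

if __name__ == "__main__":
    for label, log in (("passthrough", PASSTHROUGH_LOG), ("nat", NAT_LOG)):
        mapping, lost = build_ip_user_map(log, MX_WAN_IP)
        print(label, policy_for_device("10.1.10.25", mapping), "unattributable:", lost)
```

In the NAT case the table stays empty and every user lands in the unattributable list, so each client device falls back to the network default policy; a domain controller whose logon events all show the appliance WAN address is the signature to look for when identity-based policies are not being applied.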