
Configuring Active Directory-based Group Policies with MPLS

Active Directory-based group policies allow administrators to use Microsoft domain security group membership to determine which group policy is assigned to a user. This article discusses how the MX Security Appliance determines and applies identity-based group policies to an end user's device when the Active Directory servers are located across an MPLS.

How the MX Maps Devices to Users

For detailed information about how the MX security appliance maps network devices to domain users, please refer to our documentation.

Example of Unsupported NAT Mode Configuration for Active Directory Group Policy Mappings

When an MX Security Appliance is configured for NAT mode and the Active Directory domain controllers are located across an MPLS, authentication requests traverse the MX WAN uplink. As they do, a NAT translation takes place and the source IP is rewritten from the user's client device IP address to the WAN IP address of the MX Security Appliance. In this scenario, the Active Directory security logs record the IP address of the MX Security Appliance rather than the IP address of the end user's device, so the MX cannot determine which device the identity-based content filtering policy should be applied to. Because of this, implementations like the one shown below do not support Active Directory-based group policies:

[Figure: NAT mode topology with the Active Directory domain controllers across the MPLS (unsupported)]

Example of Supported Passthrough Mode Configuration with Active Directory Group Policy Mappings

To support Active Directory group policy mappings when Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This can be accomplished by going to Configure > Addressing & VLANs on the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator (see below).  In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink.  This scenario allows the MX to query the security logs, obtain an end-user's account name and associated device IP address, and apply the corresponding group policy.

[Screenshot: Configure > Addressing & VLANs, with the Passthrough or VPN Concentrator option selected]


The image below shows an example topology that supports Active Directory-based group policy mappings, by using passthrough mode:

[Figure: Passthrough mode topology that supports Active Directory-based group policy mappings]


In summary, an MX appliance must be configured in Passthrough mode when Active Directory based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS.
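The following added example (not Meraki's code) models the two scenarios above: a constructed set of LAN clients authenticates to a domain controller across the MX, and the domain controller's logon records are then mapped back to devices the way the MX does it. The MX WAN address, client addresses, accounts and policy names are assumed sample values.

```python
from dataclasses import dataclass

# Constructed sample data (assumed, not from the article): LAN clients behind the
# MX, their domain accounts, and security-group-to-group-policy assignments.
MX_WAN_IP = "203.0.113.10"                       # assumed WAN address of the MX
CLIENTS = {"192.168.1.20": "alice", "192.168.1.21": "bob"}
GROUP_OF = {"alice": "Engineering", "bob": "Contractors"}
POLICY_OF = {"Engineering": "allow-dev-tools", "Contractors": "restricted-web"}


@dataclass(frozen=True)
class LogonEvent:
    """One logon entry as the domain controller records it."""
    account: str
    source_ip: str


def source_ip_seen_by_dc(client_ip: str, mode: str) -> str:
    """Source address of the client's auth request after it crosses the MX WAN uplink."""
    if mode == "nat":
        return MX_WAN_IP        # NAT mode rewrites the source to the MX WAN IP
    if mode == "passthrough":
        return client_ip        # passthrough mode bridges at layer 2; source unchanged
    raise ValueError(f"unknown mode: {mode}")


def dc_security_log(mode: str) -> list[LogonEvent]:
    """Logon events the DC would hold after every client has authenticated."""
    return [LogonEvent(acct, source_ip_seen_by_dc(ip, mode)) for ip, acct in CLIENTS.items()]


def map_log_to_policies(events: list[LogonEvent]) -> tuple[dict[str, str], dict[str, set[str]]]:
    """Replicate the MX mapping: logged source IP -> LAN device -> policy of the logged account.

    Returns (device_ip -> policy applied, unmappable_ip -> accounts logged against it)."""
    applied: dict[str, str] = {}
    unmappable: dict[str, set[str]] = {}
    for ev in events:
        if ev.source_ip in CLIENTS:
            applied[ev.source_ip] = POLICY_OF[GROUP_OF[ev.account]]
        else:
            # Not a LAN device: in NAT mode this is the MX's own WAN IP, shared by every user
            unmappable.setdefault(ev.source_ip, set()).add(ev.account)
    return applied, unmappable


if __name__ == "__main__":
    for mode in ("nat", "passthrough"):
        print(mode, map_log_to_policies(dc_security_log(mode)))
```

In NAT mode every logon collapses onto the single WAN address, so no device receives a policy; in passthrough mode each client's own address appears in the log and its policy is applied.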

Article ID: 1300