
Configuring Active Directory-based Group Policies with MPLS

Active Directory-based group policies allow administrators to use Microsoft domain security group membership to determine which group policy is assigned to a user. This article discusses how the MX Security Appliance determines and applies identity-based group policies to an end-user's device when the Active Directory servers are located across an MPLS.

How the MX Maps Devices to Users

For detailed information about how the MX security appliance maps network devices to domain users, please refer to our documentation.

Example of Unsupported NAT Mode Configuration for Active Directory Group Policy Mappings

When an MX Security Appliance is configured for NAT mode and the Active Directory domain controllers are located across an MPLS, authentication requests traverse the MX WAN uplink. On that uplink the MX performs a NAT translation, so the source IP address is rewritten from the user's client device IP address to the WAN IP address of the MX Security Appliance. The Active Directory security logs therefore record the IP address of the MX Security Appliance rather than the IP address of the end-user's device, and the MX cannot determine which device the identity-based content filtering policies should apply to. For this reason, implementations like the one shown below do not support Active Directory-based group policies:

Example of Supported Passthrough Mode Configuration with Active Directory Group Policy Mappings

To support Active Directory group policy mappings when the Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This is done by going to Configure > Addressing & VLANs in the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator (see below). In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink. The MX can then query the security logs, obtain an end-user's account name and the associated device IP address, and apply the corresponding group policy.
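The following added example (not Meraki code; all addresses, account names and log records are constructed) models the two scenarios above. It shows why the mapping derived from domain controller logon events is unusable when the MX is in NAT mode, where every client's authentication arrives at the domain controller from the single MX WAN address, and why it works in Passthrough mode, where each client's source IP is preserved. The `mode` parameter, `MX_WAN_IP` constant and the `LogonEvent` record are assumptions made for the illustration.

```python
"""Why NAT mode breaks identity-to-device mapping from AD security logs.

Constructed illustration (not Meraki code). Clients authenticate to a domain
controller across an MPLS link through the MX. In "nat" mode the MX rewrites
the source IP to its WAN address; in "passthrough" mode it leaves the client
IP untouched. The appliance then builds an IP -> user map from the DC's logon
records, exactly as the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed WAN address of the MX (TEST-NET-3 range, not a real host).
MX_WAN_IP = "203.0.113.10"


@dataclass(frozen=True)
class LogonEvent:
    """Minimal stand-in for a DC security-log logon record."""
    account: str
    source_ip: str


def forward_authentication(client_ip: str, account: str, mode: str) -> LogonEvent:
    """Return the logon event the DC records for an authentication that
    crosses the MX WAN uplink in the given mode (assumed parameter)."""
    if mode == "nat":
        # NAT rewrites the source address to the MX WAN IP.
        return LogonEvent(account, MX_WAN_IP)
    if mode == "passthrough":
        # Layer 2 bridge: source address is preserved end to end.
        return LogonEvent(account, client_ip)
    raise ValueError(f"unknown mode: {mode}")


def build_ip_user_map(events):
    """Map each source IP to the set of accounts seen logging on from it."""
    mapping = defaultdict(set)
    for ev in events:
        mapping[ev.source_ip].add(ev.account)
    return dict(mapping)


def resolve_user(mapping, device_ip):
    """Return the single account for device_ip, or None when the logs give
    no usable answer (IP never seen, or several accounts share the IP)."""
    accounts = mapping.get(device_ip, set())
    if len(accounts) == 1:
        return next(iter(accounts))
    return None


def simulate(mode):
    """Run two constructed clients through the MX in the given mode and
    return (per-device resolution, raw IP -> accounts map)."""
    clients = [("10.0.1.20", "CORP\\alice"), ("10.0.1.21", "CORP\\bob")]
    events = [forward_authentication(ip, acct, mode) for ip, acct in clients]
    mapping = build_ip_user_map(events)
    resolution = {ip: resolve_user(mapping, ip) for ip, _ in clients}
    return resolution, mapping


if __name__ == "__main__":
    for mode in ("passthrough", "nat"):
        resolution, mapping = simulate(mode)
        print(f"{mode}: log map={mapping} -> device resolution={resolution}")
```

In Passthrough mode each client IP resolves to exactly one account. In NAT mode the log map contains only the MX WAN address, holding every account that authenticated, so no client IP can be resolved and no identity-based policy can be applied.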


The image below shows an example topology that supports Active Directory-based group policy mappings, by using passthrough mode:


In summary, an MX appliance must be configured in Passthrough mode when Active Directory based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS.

Last modified
15:16, 18 Feb 2016


Article ID

ID: 1300
