Managing User Accounts Using Meraki Cloud Authentication

Last updated
Save as PDF

Overview

When you use Cisco Meraki Authentication for Client VPN authentication, SSID association requirements, or MS switch Access Policies, a network administrator can create and edit user accounts from the Meraki dashboard. Organization administrators can also delete existing user accounts. This article describes how to create, edit, or delete users for network access.

Note: Meraki Authentication provides secure authentication services using the Meraki Cloud as the authentication server. The system uses FIPS-140-2 certified device-to-cloud connectivity and supports a recommended value of 10 authentication calls per second for every organization.

Prerequisites

Meraki Authentication must be enabled on Client VPN or at least one SSID before you can create, edit, or delete users.
To create or edit guest users, you must have Network Administrator access with write permissions to at least one network.
To delete users, you must have Organization Administrator access.

Step-by-step instructions

Creating Meraki Cloud authentication guest users

The Meraki dashboard supports two types of Meraki Cloud Authentication accounts: Guest and Administrator. Dashboard accounts (network and organization administrators) appear as administrators. Guest accounts are user accounts that you create manually.

Note: Meraki Authentication must be enabled on Client VPN or at least one SSID to be able to create, edit or delete users.

To create a guest user:

In the Meraki dashboard, navigate to Network-wide > Configure > Users.
Select the SSID to configure from the SSID drop-down menu.
Select Add user. A dialogue box appears with the following fields:
- Description: A descriptive name, for example, John Doe.
- Email (Username): The email address of the user account, which also serves as the login name. Passwords are sent to this address.
- Password: Enter a password or select Generate to create a random password. You can email the password to the new user after account creation.
- Password requirements
  - Passwords must meet the following criteria:
  - At least eight characters long (maximum 100 characters). A minimum of 12 characters is strongly recommended.
    - Number (0–9)
    - Contains at least three of the following character types:
    - Number (0–9)
    - Lowercase letter (a–z)
    - Uppercase letter (A–Z)
    - Symbol (for example: ! @ # $ % ^ & *). Both standard and extended ASCII symbols are supported.

Authorize: Select Yes to allow network access for the selected SSID, or No to deny network access.
Expires: Select the default of Never, or select Change and set the expiration value using the drop-down menu.

The Expires value applies to account authorization, not to the account password.

Select Create user.
Select Save changes at the bottom of the page and wait a few minutes for the changes to take effect.
The user receives an email notifying them of the account creation and allowing them to update their email address or password

Authorizing administrators

The dashboard automatically adds any dashboard administrator to the Meraki Authentication users list for Client VPN. For SSIDs, you must manually add the administrator to the respective SSID and authorize the account for the SSID or Client VPN.

To authorize an administrator:

In the Meraki dashboard, navigate to Network-wide > Configure > Users.
Select the SSID to configure from the SSID drop-down menu.
Select the administrator to be granted access.
Change the Authorized field to Yes.
Select Update user.

For more information about managing dashboard administrator accounts, refer to the Managing Dashboard Administrator Accounts article.

Managing guest user permissions

The Meraki Cloud Authentication users list is consistent across an organization. Any Network Administrator can manage any guest user in an organization, provided the Network Administrator has write access to at least one network. A Network Administrator can:

Authorize or deauthorize the user for the network the administrator has permission to access.
Update the user account, such as setting up a new password. Password changes apply to the user account across all networks in the organization.

Editing users

Use the following steps to midify an existing guest user account. You can update user attributes such as the password and authorization status for the selected user.

In the Meraki dashboard, navigate to Network-wide > Configure > Users.
Select the SSID to configure from the SSID drop-down menu.
Select the user account you want to edit. A dialogue box appears with editable user attributes.
Make the required changes and select Update user.
Select Save changes at the bottom of the page and wait a few minutes for the changes to take effect

Note: A user who does not have an administrator account can modify their own credentials and reset their password by logging in at account.meraki.com/account/account_login. This login page is available only for users created under an SSID configured as splash or Client VPN.

Deleting users

Note: Since the users list is consistent across an organization, only an Organization Administrator can delete users.

In the Meraki dashboard, navigate to Network-wide > Configure > Users.
Select the SSID from the SSID drop-down menu that contains the user account you want to delete.
Select the X icon to the far right of the user account.
Select Save changes.

Deauthorizing administrators

Because administrators on the users list are tied directly to existing dashboard administrator accounts, you cannot delete them from the users list. You can prevent administrators from using Client VPN or associating with a Meraki Authentication-enabled SSID by revoking their access.

To deauthorize an administrator:

In the Meraki dashboard, navigate to Network-wide > Configure > Users.
Select the SSID to configure from the SSID drop-down menu.
Select the administrator whose access you want to revoke.
Change the Authorized field to No.
Select Update user.
Select Save changes.