
Two-Factor Authentication

Introduction to Two-Factor Authentication

Two-Factor Authentication, also known as 2FA, two-step verification or TFA, is a method of adding another layer of security to user verification by requiring a second identifier in addition to the username and password. The second factor is generally something that only the intended user possesses, and it is separate from the original login method. Examples include phone apps, SMS verification and key fobs.

Setting up and Changing Phone Numbers for Two-Factor Authentication

In order to change the phone number used for Two-factor authentication on the dashboard, follow these steps:

1. Log into the dashboard with a valid username and password.

2. Once logged in, locate the "my profile" option on the dashboard. It is on the top right corner of the screen.

3. Click on "my profile".

4. Scroll down to the SMS authentication section of the page.

5. Click "Edit" right next to the current registered phone number.

6. Enter the new phone number in the Phone number field.

7. In the Setup your phone section, click on the Send code button. A code is sent to the new phone number.

8. Enter the code into the Code field and click the Verify button.

9. Hit Next.

10. Optionally, enter a backup phone number. Click Next.

11. Confirm the information and click Save changes.

Using Two-Factor Auth with Client VPN

Cisco Meraki Client VPN incorporates several methods for authenticating users before they are allowed onto the network. For admins who want to incorporate an additional level of security, client VPN also allows for the use of third-party two-factor auth solutions, requiring users to go through a second authorization step.

Client VPN does not natively support two-factor auth; a third-party solution is required for this configuration. As such, please refer to your two-factor auth solution's documentation for additional information and troubleshooting.

Two-factor auth can be incorporated in one of two ways:

  • Included as part of the authentication. Users are prompted for a username and password as normal but must provide additional information as required by the third-party solution (appending a key to the password, for example).
  • A push notification, where an agent on a RADIUS server holds the Access-Accept message until the user presses an "accept" button or equivalent on their device. By default on the Meraki platform, the RADIUS session times out after a short period. This may be too short a time span for some solutions; please contact Meraki Support if you need this timeframe extended.

Both of the above methods satisfy the PCI DSS 3.0 requirement for two-factor authentication for remote access.

Client VPN does not support the use of xauth; two-factor auth solutions that rely on xauth are therefore not supported.

Additional Resources for Two-Factor Auth with Client VPN

For reference, the following sites outline examples of two-factor auth that may be used with client VPN:

Using Google Authenticator for Two-factor Authentication in Dashboard

Administrators can require two-factor authentication for logging into Dashboard. One of the options available to users is Google Authenticator. This option is useful because it provides two-factor authentication without depending on SMS service.

This article walks through the necessary steps to configure two-factor authentication using Google Authenticator.

Download Google Authenticator onto your Smartphone

To download Google Authenticator onto a smartphone visit your mobile app store and download the Google Authenticator app.


Edit the Dashboard Profile and Verify

  1. Once the app is downloaded, log into Dashboard and navigate to the My Profile page on the top right.

  2. Find the section labeled SMS authentication and select the appropriate hyperlink from the listed options. This example uses an iPhone.

  3. Add your Dashboard account to Google Authenticator as a token.

    • In Google Authenticator, select the “+” button and tap “Scan barcode”.
    • Scan the second barcode on the Dashboard page. This barcode is unique to your account and enrolls a Google Authenticator token for your login.
    • You should now see a new token in the authenticator. Notice that the token changes every 30 seconds. Check that the token is working by entering the current, active token in the verify window on Dashboard.

  (Screenshots: the new token on the phone, and the verify window in Dashboard.)

  4. Once verified, select Continue and then OK to turn on two-factor authentication. Note: The Dashboard account will be logged out once OK is clicked.

Testing and using login with two-factor authentication

Starting with the next login, the user will be prompted to enter the active verification code found on the authenticator. 
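To make concrete why the Google Authenticator token changes every 30 seconds and what Dashboard (or any verifier) checks when the code is entered at login, here is an added Python example. It is not part of this article and not Meraki code: it implements the open TOTP/HOTP algorithms (RFC 6238 / RFC 4226) that Google Authenticator uses, with the public test secret from those RFCs rather than a real key. The replay check via `last_counter` and the base32 decoding helper are assumptions about how a verifier would be built, not a description of how Dashboard does it.

```python
# Added example (not Meraki code): how a Google Authenticator-style
# time-based one-time password (TOTP, RFC 6238) is generated and checked.
# The secret below is the public RFC 4226/6238 test vector key, not a real key.
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # public test key from RFC 4226 Appendix D
TIME_STEP = 30                              # seconds per token, as in Google Authenticator
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window.
    This is why the code on the phone changes every 30 seconds."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = TIME_STEP, window: int = 1):
    """Check a submitted code against the current window and +/- `window`
    neighbouring windows (tolerating small clock drift between phone and server).
    Returns the accepted counter, or None if the code is not valid.

    Replay protection (an assumption about verifier design): the caller persists
    the returned counter and passes it back as `last_counter` next time; any
    counter at or before it is refused, so a code that was already used cannot
    be replayed within its validity window.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter, DIGITS), submitted):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// enrollment QR code.
    Authenticator apps usually omit base32 padding and may display the secret in groups."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code for the RFC test secret:", code)
    print("accepted counter:", verify_totp(RFC_TEST_SECRET, code, now))
```

With the RFC test secret, counter 0 yields 755224 and counter 1 (Unix time 30 to 59) yields 287082, matching the published vectors. The server needs only the shared secret and an accurate clock; the one-time code itself is the second factor, which is why the backup codes and backup phone number described later in this article matter if the phone is lost.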

Recovering Access to Accounts Protected by Two-Factor Authentication

Two Factor Authentication (TFA) is an important security mechanism, and cannot be disabled by Cisco Meraki without positively identifying the account owner. There are two methods available to ensure access is not lost: a backup phone number (with SMS auth), and a list of one-time codes (with Google Authenticator).

 

The two methods above are the primary options for disabling or temporarily bypassing two-factor authentication. If these methods cannot be used for any reason, the only alternative is to provide proof of identity after contacting Cisco Meraki Technical Support. There are two methods to request removal of SMS or Google Authenticator TFA.

Method 1:

  1. Open a case by emailing support@meraki.com
    - This email must be sent from the email address of the account TFA is to be disabled on.
    - It must include the full name of the organization that the account resides in.
  2. A second organization administrator must comment on the case through Dashboard granting approval to disable TFA on the account.
    - Email or phone approval is not acceptable for this. The approval must come as a comment on the case.
    - This permission can be granted only by an organization administrator with Full access.

Method 2:

Alternatively, if a second organization administrator with full access does not exist or is otherwise unavailable:

  1. Open a case by emailing support@meraki.com
    - This email must be sent from the email address of the account TFA is to be disabled on.
  2. Once in communication with a Cisco Meraki Support Engineer, explain that TFA needs to be disabled for the account.
  3. Mail (not email) notarized proof of identity on company letterhead.
    • When this is received by support, it will be scanned and attached to the case before TFA is disabled.
    • It is strongly recommended to send this letter with tracking, in case of postal issues.
    • This letter must contain the following information:
      • Full name of the Dashboard organization
      • Full email address of the account
      • Full name that is set on the account’s profile (First Name + Last Name)
      • Case number the request is associated with
      • Copy of photo identification
      • Must be notarized
    • Unless otherwise specified by the technician, use the following address format:
      Cisco Meraki
      500 Terry A Francois Blvd
      4th Floor, C/o [TECHNICIAN'S NAME]
      San Francisco, CA 94158
Last modified
12:19, 17 Oct 2017

Article ID

ID: 6251
