Ambassador Admin can see Guest User from another Ambassador Admin from another Network

Mamba123
Getting noticed

An example for two locations.

We created an Ambassador Admin for each location and granted him the rights only for his location. When he logs in, he immediately ends up in his location and can create the WLAN guests. So far so good.

The problem is that under Users he can also see the guests of other Ambassador admins, which in my view is total nonsense and that is exactly what is not allowed according to data protection.

Does anyone have any idea how to stop it?

Greetings,

Max

ww
Kind of a big deal

Permissions for Managing Meraki Authentication Guest Users

"Note that the list of Meraki Authentication users is consistent across an organization"

So you would have to make separate orgs or move to an external auth solution.

Mamba123
Getting noticed

Are you really serious???

Why do I create an Ambassador administrator and give him the rights to access a certain network when he can then see the users from other locations?

This is nonsense!!!

A full admin can see all guest users, that is clear and also no problem.

But an Ambassador Admin in one network cannot simply not see the users of another Ambassador Admin in another network.

Or?

Mamba123
Getting noticed

The following is on the Meraki side:

Note that the list of Meraki Authentication users is consistent across an organization. So, any 'Network' Administrator may administer any guest user in an organization provided that they have write access to at least one network.

'Network' Administrator is not equal to Ambassador Admin!!!

Why can you assign a certain network to an Ambassador Admin if he can see all users in other locations anyway?

PhilipDAth
Kind of a big deal

The intention is that a guest user only has to sign up once, but can be authorised for any of your sites. You don't want to have the guest user having to sign up multiple times.

Consequently the guest admin can see all guest users, but can only authorize guest users for the networks they have access to.

Mamba123
Getting noticed

Hi Philip,
Thank you for your message. Nevertheless, according to German data protection, it is not allowed. I have already contacted Meraki and Meraki is checking whether it is in compliance with the law.

PhilipDAth
Kind of a big deal

I can't think how it violates GDPR. What aspect do you think it violates?

PhilipDAth
Kind of a big deal

Maybe this could be solved a different way.

Have you considered using sponsored guest access? With this setup guests nominate someone in the company to approve their access (usually the person they are visiting). That person gets an email with a link to click on to approve that access.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

Another option I have used is pre-paid billing. With this you print out a bunch of PIN numbers on cards. You give these to reception and they give them out to guests. You don't actually bill the users though. Make sure you use the "fast pre-paid" option.

https://documentation.meraki.com/MR/MR_Splash_Page/Configuring_a_Prepaid_Card_Billing_SSID

Splash Access (a third party commercial option) also do a great guest access solution. You can print out a daily QR code (or set up a tablet to display it automatically). Guest users coming in can scan the QR code to set up the guest WiFi automatically for them. This actually uses a daily rotating PSK under the hood.

The Splash Access solution also has a million controls you can configure and customise as well.

https://www.splashaccess.com/splashaccess-guest-ambassador/

Mamba123
Getting noticed

Our customer had received an audit from a data protection officer last week and it is now precisely this point that GDPR is being violated here.

That an ambassador in one location can see the guests that another ambassador created in another location.

In my view, it is utter nonsense that you cannot stop it. If I create an Ambassador for Location A, why can he see what Ambassador is doing in Location B. That’s not possible. And that's exactly the problem.

PhilipDAth
Kind of a big deal

>If I create an Ambassador for Location A, why can he see what Ambassador is doing in Location B.

That is not the case. Ambassador A cannot see what Ambassador B has authorised or given access to.

All they can both see is which organisation-wide guests exist (not related to any specific location or network). They cannot see what access those guests have been granted in a remote network.

Mamba123
Getting noticed

But Ambassador A can see all the guests, those he did not create.

Now I have formulated it precisely. Sorry for the misunderstanding.

He should ONLY see guests that ONLY he created.

PhilipDAth
Kind of a big deal

>He should ONLY see guests that ONLY he created.

That would also mean every Active Directory implementation would be illegal under GDPR. AD has no way to restrict users operating it to only see global objects that only they have created.

Mamba123
Getting noticed

This is something else!!! A network administrator who is also a super admin and has full rights can also see everything and that is not a problem.

My case is ONLY Ambassador related.

Please don't twist my words.

I called Meraki today and they explained the problem and are clarifying internally how to solve it.

Steve2020
Just browsing

Hi mamba123,

I'm just wondering about the same behavior. The Guest Ambassador can see the guest accounts and the Administrators as well! That's not what they have to see!

So waiting for some news here 🙂

BR

Steve
