Meraki

Community

China cannot enable SMS TFA for the dashboard account

Jim_Liang
Meraki Employee
Meraki Employee
‎Dec 4 2019 5:48 PM
‎Dec 4 2019 5:48 PM

China cannot enable SMS TFA for the dashboard account

Some people and companies have a hard requirement to set TFA (Two Factor Authentication) to secure their dashboard login from password leakage.

And normally, using SMS (service provided by Telecom Carrier, e.g. China mobile, China Telecom) is a very common method to do so.

But our experience and many issues were reported from such end-users show that You can indeed enable SMS TFA, but you basically will never have it working when login to your dashboard. 

 

We will strongly suggest that DO NOT enable SMS TFA with China mainland mobile numbers (it seems if you are roaming to China with a US number, it would still fail).

Please read the dashboard banner carefully before you enable it. It clearly stated that SMS TFA is only validated in the US and UK.

 

In order to secure your dashboard login as per your company requires, please enable TFA with google authenticator app, this is an offline tool, you do not need to connect to internet/google service when using it.

So please do not worry about the unavailability of Google service in China.

 

Another option is to use the "one-time codes", Meraki dashboard will list you with 8 codes, so please copy and paste them into a safe place for your future use.

Screen Shot 2019-11-29 at 09.53.42.pngScreen Shot 2019-11-29 at 09.55.24.pngScreen Shot 2019-11-29 at 09.55.47.png

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 4 2019 9:21 PM
‎Dec 4 2019 9:21 PM

Good tip @Jim_Liang .  I haven't had much luck either with the TXT option (I'm in New Zealand).  I had forgotten this option even existed as a result.  According to my calculations, this feature is only available to a bit under 6% of the global population.  Maybe Meraki should review their TXT provider with a view to selecting a company with more of a global presence.

 

For those larger companies you also have the option of using SAML authentication.  Many SAML providers can offer additional services such as conditional access policies, logging, linkages to other authentication back ends, and various mitigations against hacking and authentication attacks.

 

I'm not sure about Office 365 in China, but the majority of the result of the world can use office 365 as a SAML authentication provider for the Meraki Dashboard and use the free MFA that comes with that cloud service.

In response to PhilipDAth
Jim_Liang
Meraki Employee
Meraki Employee
‎Dec 5 2019 12:15 AM
‎Dec 5 2019 12:15 AM

Great point, @PhilipDAth Thanks a lot.

Indeed, users with large organizations can use SAML SSO for the dashboard login.

There is the KB article for SAML as the following.

Configuring SAML Single Sign-on for Dashboard

 

0 Kudos
In response to Jim_Liang
SO
Here to help
‎Oct 25 2020 10:13 PM
‎Oct 25 2020 10:13 PM

I'm interested, so I'll post the current status on this matter.
Regarding SMS authentication on the China dashboard, I (user) get a note on the dashboard as mentioned above, but I am able to use SMS authentication on the China dashboard using the Chinese phone number ( China Unicom) within China.

As you all know, the input example is as follows.
e.g.) 

Primary phone number+86xxxxxxxxxxx

 

Of course, you can authenticate offline using an APP like Google authenticator or Authy. If you can't download Google authenticator from the store, you can substitute another similar APP. 
If you are concerned about the stable operation of SMS authentication, you can use it together with APP.

In response to SO
Jim_Liang
Meraki Employee
Meraki Employee
‎Oct 25 2020 10:17 PM
‎Oct 25 2020 10:17 PM

Hi Mate

 

Thanks a lot for the update.

This is very much helpful for everyone.

 

0 Kudos
Jim_Liang
Meraki Employee
Meraki Employee
‎Jan 13 2022 12:46 AM
‎Jan 13 2022 12:46 AM

Per China dashboard user needs, created a Chinese version for future reference.

https://community.meraki.com/t5/Dashboard-Administration/%E4%B8%AD%E5%9B%BD%E7%94%A8%E6%88%B7%E5%90%...

 

0 Kudos
Jim_Liang
Meraki Employee
Meraki Employee
‎Dec 11 2023 11:26 PM
‎Dec 11 2023 11:26 PM

If you are the admin for the orgs on both .com and .cn dashboards, with the identical email address as the account name.

There is a limitation when enrolling them with Microsoft authenticator, if not updating the name when doing so, the latter one will override the first one. e.g. .cn account overrides the .com account on MS authenticator.

You will have to change a different name during the enrollment.

Please refer to the Chinese Version of this post with the link above for the details.

0 Kudos
Jim_Liang
Meraki Employee
Meraki Employee
‎Dec 11 2023 11:27 PM
‎Dec 11 2023 11:27 PM

If you are using Huawei mobile, to download the MS authenticator successfully, you can download "Baidu Mobile Assistant" 百度手机助手, then search and download the MS authenticator from there.

Please refer to the Chinese Version of this post with the link above for the details.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.