Meraki

Pugmiester · ‎Apr 16 2019

Hi all,

We are looking to tighten up the security on our existing Meraki organisation by enforcing all admins to have multifactor authentication enabled on their account. What we're not sure about is the impact of enforcing it after the accounts have been created.

We have a number of full organisation admin accounts and all of those with any sort of write permissions have MFA enabled but there are accounts with either organisational read-only or guest ambassador roles that currently don't.

If we throw the switch and enforce MFA under Organization > Settings > Security, does anyone know if that would effectively lock all of the non-MFA enabled users out completely or is there an automated process that relays those users to the MFA setup the first time they try to log back in?

We're just trying to avoid a bunch of help desk calls if we can and an automated process would make that a lot simpler.

Cmiller · ‎Apr 16 2019

Been a while since I did this on my orgs but I remember it going smoothly. Once enabled, the next time a user logs into the dashboard it will guide them through setting up 2FA. That user is unable to continue until completed.

See meraki doc:
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication

View solution in original post

Cmiller · ‎Apr 16 2019

Been a while since I did this on my orgs but I remember it going smoothly. Once enabled, the next time a user logs into the dashboard it will guide them through setting up 2FA. That user is unable to continue until completed.

See meraki doc:
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication

Pugmiester · ‎Apr 16 2019

Hi @Cmiller, that's what I was hoping for. We have a reasonable number of guest ambassadors as we have 25+ networks with local ambassadors managing the guests so it's a decent sized update for them all but if it's a guided process it will make things a bit simpler.

Cmiller · ‎Apr 16 2019

It was guided, and in this era of constant leaks and hacks 2FA is a must. You can choose to setup 2FA on your account and "demo" what the guided setup will look like for your users = Click your username in the top right > My Profile > scroll to the Two-Factor authentication section.

Good luck with the conversion and remember to save those one time codes in a safe place (I use and love 1Password)

stockster · ‎Apr 17 2019

I assume if the password currently set does not comply with the new rules, it would instruct the user to change it accordingly as well?

Regards,

stockster

Cmiller · ‎Apr 17 2019

correct

BrechtSchamp · ‎Apr 16 2019

When you enable it, the next time an admin logs in they will see the following page:

If SMS auth doesn't work in your country you can click on the offline access links in the green box and you will be brought to 2FA using an authenticator AP:

They can't login before they set it up.

Pugmiester · ‎Apr 16 2019

Hi @BrechtSchamp, that's great. Sounds like this shouldn't be a big a headache, just plenty of warning for the affected users and some hand holding to make sure the less technical staff (guest ambassadors) have an authentication app ready to go.

Cmiller · ‎Apr 16 2019

@BrechtSchamp I knew someone would have some sexy screenshots. Thanks for sharing those sir

BrechtSchamp · ‎Apr 16 2019

Well I didn't have them, but I thought I'd just test it out and take them.

(Trying not to lock myself out in the process, hence the delay in my response.)

MerakiNomads · ‎Apr 16 2019

Thanks, this helps a lot.
Stacy

Meraki

Community

Enabling multi factor authentication after admins are created

Enabling multi factor authentication after admins are created