Meraki

Community

Read-only admin can cycle switch ports???

sungod
Kind of a big deal
‎Oct 17 2023 6:53 AM
‎Oct 17 2023 6:53 AM

Read-only admin can cycle switch ports???

One of our customers contacted me after they had an issue with a switch port/connected device.

 

I was surprised when they told me they had cycled the port, they have only organization read access, they do not have any other permissions such as port management privileges.

 

I can see in the event log that the port was cycled a few times.

 

Is it really correct that a read-only admin can cycle ports? I would not expect read-only access to permit any impact on device operation.

 

0 Kudos
17 Replies 17
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 6:59 AM
‎Oct 17 2023 6:59 AM

Have you tried labbing that one @sungod?  I’m a read only admin for one particular customer so will take a look to see if I can cycle a switch port

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 7:06 AM
‎Oct 17 2023 7:06 AM

Hi @sungod , yep, that worked and can see the switch port being cycled in the event log.

 

Agree that this shouldn’t be allowed as a Read Only admin

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to DarrenOC
sungod
Kind of a big deal
‎Oct 17 2023 7:11 AM
‎Oct 17 2023 7:11 AM

Thanks for checking.

 

Guess I'll be opening yet another support case!

RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 7:11 AM
‎Oct 17 2023 7:11 AM

Of course they can! 

 

I can't find my old post about that. There is a list of things that R-O 'admins' can do that makes 0 sense. Let me find it.

In response to RaphaelL
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 7:12 AM
‎Oct 17 2023 7:12 AM

Here it is: https://community.meraki.com/t5/Switching/Live-Tools/m-p/179117

 

Okay , it's not a loooong list , but cable test and port cycle shouldn't be available to RO admins. The fact that there is no logs at all it also a big joke.

In response to RaphaelL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 7:14 AM
‎Oct 17 2023 7:14 AM

Ouch! Nearly been a year but that “feature” still remains.   

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 7:17 AM
‎Oct 17 2023 7:17 AM

I can probably paste my actual case here but they have a weird definition of 'dashboard admin'. 

 

They basicly said : working as expected , please make a wish/ feature request. 🙂 

 

Also we had one of our 400-500 dashboard "admin" that was doing 1-48 cable test during the day and that affecting videoconference rooms... we couldn't find the culprit since there are NO logs. What a fun time we had last year !

0 Kudos
In response to RaphaelL
sungod
Kind of a big deal
‎Oct 17 2023 7:19 AM
‎Oct 17 2023 7:19 AM

'strewth!

 

Words fail me.

BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 17 2023 2:00 PM
‎Oct 17 2023 2:00 PM

Hmm theres a few odd things coming out, first the requirement for hardware to be part of a network to actually be "claimed" and now they fact RO admins can disrupt a network. I am not sure what part of read only isn't read only. 

 

I would like the ability to have far more detail in the logs, it should be able option that Org admins can enable if they wish to. For those that can read detailed logs it's most likely going to cut down on support cases being opened which saves Meraki money but also means customers / MSP can resolve their own issues.

 

Win win for both sides. 

0 Kudos
sungod
Kind of a big deal
‎Oct 18 2023 6:14 AM
‎Oct 18 2023 6:14 AM

As expected, support say it's supposed to work like this, disappointing.

 

My response was that it's still incorrect behaviour and needs fixing, I asked them to escalate it.

 

Might be useful if a few more people could open a case for this, as it stands a malicious RO user with a bit of scripting knowledge could easily cause major problems across an organization.

 

We now have internal discussion to decide if/when we should start warning customers of the risk, as some of them want to have a lot of RO users.

 

0 Kudos
In response to sungod
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 18 2023 6:43 AM
‎Oct 18 2023 6:43 AM

Put out a post on social media ie LinkedIn and forward your customers to this post and also reference your TAC support case number.  Might get some 👀 on it then.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
sungod
Kind of a big deal
‎Oct 18 2023 7:37 AM
‎Oct 18 2023 7:37 AM

Well, I just reported it as a vulnerability via Meraki's chosen route (bugcrowd), will see what happens.

 

Our internal security/systems people can decide what to do next with customers, I've more fun things I want to spend time on 🙂

 

sungod
Kind of a big deal
‎Oct 26 2023 4:03 AM
‎Oct 26 2023 4:03 AM

Well, I've exhausted options with Meraki support and their security vulnerability reporting process.

 

A read-only user has the ability to carry out a denial of service, Meraki position (stated via both channels) is that it is 'intended behaviour'.

 

Time to warn customers.

 

0 Kudos
TonyC
Meraki Employee
Meraki Employee
‎Oct 26 2023 8:07 PM
‎Oct 26 2023 8:07 PM

Hi @sungod and Community! 

 

First – thanks for raising this as a topic. While we initially designed the read-only role to include a user's ability to troubleshoot, and port cycle (along with all live tools) is seen as falling into that permissible category, we also fully recognize that this may or may not be the desired behavior based on your own organizational IT policies.

 

We are reviewing and further evaluating how we may add an explicit option to enable or disable this so to put this decision in our users' hands. We'll follow up when we have an update to share to address this concern and feedback.

 

 

Thanks for being Meraki MS customers, we value each of you. Be in touch!

 

~tony

Product Management, Meraki Switching

In response to TonyC
sungod
Kind of a big deal
‎Oct 27 2023 2:17 AM
‎Oct 27 2023 2:17 AM

@TonyC 

 

thanks for the update.

 

The option to disable would be a solution as no one I've spoken to so far in our customers (we're an MSP) realises this is accessible to their read-only users.

 

RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 13 2023 12:34 PM
‎Nov 13 2023 12:34 PM

Something curious : 

 

https://documentation.meraki.com/MI/MI_WAN_Health

The speed tests are currently available for download speed only and can only be run by Dashboard Administrators who have writing configuration privileges.

 

How hard would it be to retrofit that logic to problematic features that RO users have ? ( port cycle , cable tests , reboot devices [...] )

0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jan 27 2024 8:25 AM
‎Jan 27 2024 8:25 AM

Now documented in : https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard...

 

Read-Only admins can perform switch port cycles and cable tests

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.