- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Account repeatedly getting locked
Background: We have an API key associated with Administrator "X" that is used to automate API calls over multiple organizations. It seems that one of these organizations has denied Administrator X access to their organization. No issue with that! However, because of this, the Administrator X is getting repeatedly locked out of the entire Meraki API, making that API key useless for the remaining organizations.
Question 1: How do we find out from logs WHICH of the organizations has denied Administrator X access, so that we can configure our solution to no longer attempt API calls to that organization?
Question 2: When will the API Token limit be raised, so that an Administrator can have any number of API tokens?
Question 3: When will the lock-out apply to the token, instead of the Administrator?
Question 4: For well-known API Tokens (such as those Read-only ones used for Sandboxes), do you agree that this represents a Denial of Service bug? All someone has to do to lock out that Administrator is to repeatedly try to use it for an organization id that they know it won't work for?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar problem with one of my admin accounts getting locked.
After digging into things I found it was due to a compromised server on AWS, nothing to do with ourselves/customers/Meraki. It looked like it was being used to try to brute force the password, which would never work due to TFA, but of course my account was getting repeatedly locked.
Amazon would not help, no response from the owner of the compromised server, and Meraki said they couldn't do anything. In the end I gave up on the account and used another email address, though after a couple of years the attempts stopped and I could use the old one again...
AFAIK there's nothing visible via API to diagnose this issue.
But if you're sure it's an org-specific access issue, not an external attack, i'd think you could use these endpoints to figure out which org is the issue...
https://developer.cisco.com/meraki/api-v1/get-organizations/
https://developer.cisco.com/meraki/api-v1/get-organization-admins/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sungod- thanks for the reply, but in this case, I'm sure that the problem is as described. When I rotated my API tokens, the problem went away.
So the problem was that account can get locked when API tokens are used to perform automations and those tokens are not unique to an organization.
The only currently-available fix is to have separate Administrator accounts per organization, and that means having a HUGE pool of email addresses available.
Meraki's Auth system is utterly broken. We minimally need to be able to have unlimited tokens and for lockouts to happen on tokens, not Administrators.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Absolutely with you on the need for a better admin-org-token scheme!
For other Cisco (non-Meraki) work I've currently got 20+ emails, similar for another vendor's API, fortunately I can do it with aliases to my base email, but it's still a pain, especially with TFA.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not a good fix, but potentially if desperate enough you could consider restricting API access to a set of IP addresses until the core issue is resolved.