Meraki

Community

Backup/Restore radius secret

webfrank
Getting noticed
‎May 13 2024 11:58 PM
‎May 13 2024 11:58 PM

Backup/Restore radius secret

Hi, using API it is not possible to retrieve the secret but it is possible to set one. The same for MQTT Broker settings.

 

I understand is is for security reason but it is really important to be able to backup and restore passwords using API.

 

A solution could be to retrieve encrypted (salted, hashed) password with a prefix, like sha256:xxxxxxxxxxxxx and when restoring the endpoint should use the already hashed password if a matching prefix exists or set as plaintext password if not.

 

This way it would be possible to restore previously saved configurations and security will be always enforced.

0 Kudos
5 Replies 5
daniel_abbatt
Getting noticed
‎May 14 2024 12:41 AM
‎May 14 2024 12:41 AM

It's a funny one with secrets in the API. On the one hand I understand why they don't allow downloading them but on the other hand if you have permissions to upload a new one and replace it with your own, then why wouldn't you have permissions to download the existing one.

As it currently stands we store various secret separately and when we hit endpoints that require uploading secrets then we apply them from our secret store at that point. 

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 14 2024 2:04 PM
‎May 14 2024 2:04 PM

If this is important, I would use a "secrets" manager.

 

I've used Amazon AWS Cognito before.  You can do things like have the script authenticate the user (to verify they are allowed to retrieve the secret), and then get it.  I have used Cognito for storing Meraki API keys as well.  And if you want to get tricky, you can also team it up with a lamba script to automatically and regularly rotate the API key.  When the API key is no longer stored anywhere except the secrets manager, regularly changing it becomes easy.

https://aws.amazon.com/pm/cognito/

 

I am quite a fan of the Bitwarden password manager because of its enterprise features.  They also do a secrets manager - and they have a *free* plan option as well.

https://bitwarden.com/products/secrets-manager/

 

0 Kudos
webfrank
Getting noticed
‎May 16 2024 1:33 AM
‎May 16 2024 1:33 AM

Hi, this is not something related to where store secrets. The issue is that it is not possible to create a backup script which it's able to retrieve all the required information, secrets included. This is to have a working configuration backup which could be restore if required. If the radius secret is missing, it is not possible to restore the radius configuration.

 

If we can retrieve the secret, also in encrypted form for security, we could later restore the configuration, including the secret (already encrypted).

0 Kudos
In response to webfrank
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2024 1:51 AM
‎May 16 2024 1:51 AM

I did not explain my answer well.

 

Correct - you can not retrieve a RADIUS secret.  What you could do is store the RADIUS secret in a secrets manager.  When you provision or restore a network, always provision the RADIUS secret from the secrets manager.

0 Kudos
In response to PhilipDAth
webfrank
Getting noticed
‎May 16 2024 1:54 AM
‎May 16 2024 1:54 AM

You are right but if writing a tool, not only for my configurations, the tool does not have history of the secret, it should retrieve from API and restore if necessary.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.