Is it possible to add authentication process to limit access to the dashboard?

SOLVED
hcoq
Conversationalist

Hello, I have been working on the Meraki dashboard for a few months and I am trying to configure it through the Python API, which is working well. I have noticed that through those API calls I never had to give my credentials for a Meraki account. Therefore I think that anyone who manages to steal my API key can manipulate my network as he/she wants. Is there a way to secure that connection between the Python API and the dashboard?

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

Your API key is your authentication to the Dashboard. Think of it as your username and password all wrapped up into a single incomprehensible string of characters, and treat it with the same respect. I get what you are saying, but your API key is everything in the Meraki APIs at the moment. This is why you’re only ever shown it once when you generate it, never to see it again - you need to keep it secure.

7 REPLIES 7
ww
Kind of a big deal

API == Meraki account

The connection is HTTPS.

Greenberet
A model citizen

You can limit the API by the client IP. However, this feature is still in beta and not yet available for the wide public.

You can apply for it here

hcoq
Conversationalist

I have seen this IP range limitation possibility but I wanted to know if there is any method to add an authentication process between the API request and the dashboard, so that you would need an account to communicate with the Dashboard.

John-K
Meraki Employee

@Bruce is right. To add onto this--REST APIs are stateless. You have to provide that API key with every single request. 

This principle is important to understand when it comes to API security.

In REST APIs, there is no such thing as a "session" except as abstracted through the validity of the API key, or via frameworks (like the Python requests module).
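The two points made so far (the key is the whole credential, and it travels with every request) look like this in a script. This is an added example, not code from any poster or from Meraki: the helper names are hypothetical, the key is a constructed sample, and it assumes the Dashboard API v1 base URL with bearer-token authentication and the `MERAKI_DASHBOARD_API_KEY` environment variable that the Meraki Python library also reads.

```python
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://api.meraki.com/api/v1"   # assumed Dashboard API v1 base URL
ENV_VAR = "MERAKI_DASHBOARD_API_KEY"         # keeps the key out of source control
SAMPLE_KEY = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real key


def load_api_key(environ=os.environ):
    """Read the key from the environment instead of hard-coding it in the script."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to run without a key")
    return key


def redact(key):
    """Form that is safe to log: only the last four characters survive."""
    return "*" * max(len(key) - 4, 0) + key[-4:]


def build_request(key, path, base_url=BASE_URL):
    """Build one self-contained request.

    Nothing is remembered between calls, so each request carries the key,
    and the key is only ever attached to an HTTPS URL.
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("API key would be sent in cleartext; use https")
    req = urllib.request.Request(base_url + path, method="GET")
    req.add_header("Authorization", f"Bearer {key}")
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Offline demo: requests are built and inspected, never sent.
    key = load_api_key({ENV_VAR: SAMPLE_KEY})
    for path in ("/organizations", "/organizations"):
        req = build_request(key, path)
        # The second request needs the header just as much as the first.
        print(req.full_url, "auth header present:",
              req.has_header("Authorization"), "key:", redact(key))
```

Anyone holding the string in `Authorization` can issue the same requests, which is why the script logs only the redacted form and never writes the key to disk.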

hcoq
Conversationalist

Yes, for sure, but if someone manages to get my API key, he can push/pull through the Python API and mess with my network, whereas he wouldn't have been able to do it through the dashboard since he would have needed to log in to my Meraki account first.

Limitless
Here to help

We have added MFA to our frontend dashboard so we can limit access by function. We don't share the Meraki dashboard with anyone else.
