Meraki

ELobato · ‎Oct 18 2023

Hi team,

TL;DR Is there any way to basically "click that revoke button" with API? (from the screenshot below)

For additional context:

I have been trying to automate the flow for requesting guest access to the network with API through our ITSM solution. I have managed to get everything working correctly. The access is requested, the API call gets sent to Meraki to create the user and grant guest access to our guest VLAN SSID for the specified network. We have a few roadblocks however:

So as we have many sites throughout all timezones, I opted for using "Never" for expiration, and handling the user timeout through our ITSM solution with API calls, meaning that as soon as the request gets placed and approved, there will be a 1 day duration regardless of timezone from the time the request was approved to the user deletion.

Deleting the user seems to work through the API call as it gets deleted from the Network-wide>Users page, but the access is not revoked and the user can continue to connect. When I make API calls to getNetworkClientSplashAuthorizationStatus to the user id I just get { "ssids": {} } as a response. (Bug?)

My thought is then to add a call before deletion to revoke access to the client and then delete it, so when the user tries to connect again they would get the splash page. If they try to use their user/password as it is deleted it shouldn't work again and another request would need to be sent in repeating the process.

But I also can't seem to be able to use updateNetworkClientSplashAuthorizationStatus which I thought would do what I wanted.

Even after deleting the user, I can still find the client on the dashboard as online and it seems to be possible to revoke access from there:

I assume that the access will be automatically revoked when it expires in 22 hours (According to the picture), but I don't want to have to set expiry dates due to the timezones (in this particular example I set it up to expire at 2023-10-19T00:00:00.000000Z). Even setting it to Never would rely on the splash page frequency before expiring. Is there any way to basically "click that revoke button" with API before I delete the user?

I believe if I set the splash page frequency to 1 day then it will basically do what I want after 24 hours, but I want to be able to have some control since we might add extensions when requesting guest access for longer than 24 hours if necessary.

When revoking the access manually from the dashboard it works perfectly, so that is the solution obviously, I just can't find a way to do everything nicely through API calls. Seems to me like a very standard or straightforward process so I imagine it can't be too complicated.

Any help would be greatly appreciated, thanks in advance!

alemabrahao · ‎Dec 7 2023

There is not a direct API endpoint to “click that revoke button” for a client in the Meraki Dashboard. The Meraki API provides endpoints for managing users, but these are primarily for creating, updating, and deleting users.

One possible workaround could be to use the RADIUS CoA feature. Your RADIUS server would need to send a disconnect packet to trigger the revoke of access. But, this would require a RADIUS server, which you mentioned you do not have and do not plan to set up.

Another potential solution could be to set the splash page frequency to 1 day, as you mentioned. This would effectively revoke access after 24 hours. If you need to extend access for certain users, you could potentially do this by updating the user’s settings via the API.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Meraki

Community

Issue with: Create a guest user, revoke access, then delete it with API

Issue with: Create a guest user, revoke access, then delete it with API