MV Sense MQTT Connection

webfrank
Getting noticed

Hi,

I'm just trying to use the new MV Sense API via MQTT and it works well. I have only one problem with an authenticated MQTT server: I know I can put a CA certificate, but I need to specify username/password.

Does anyone know if there is a plan to add this feature?

TMD
Conversationalist

Hi Webfrank, 

 

I'm trying to use cloud based MQTT for the same, but I cannot add my credentials to Meraki MQTT connection configuration. 

Were you able to authenticate with username and password?  

TheChad
Here to help

/bump

 

I sent in the exact same question to my Meraki engineer as well.  Hoping to find a response.

TMD
Conversationalist

Hi TheChad!

 

Well, I haven't got any response yet, and I was asking about this in March. =/ 

Let's hope that your question triggers this at Meraki side. 

@TMD Just out of curiosity, are you looking at CloudMQTT?

TheChad
Here to help

@webfrank @TMD Just letting you guys know, I'm still waiting to hear back from my Meraki SE.  I also opened a Meraki case and pointed them to this thread as well.  Will continue to keep you posted.

 

FYI, the cloud broker that I am trying to utilize is https://www.cloudmqtt.com

 

DexterLaBora
Meraki Employee

The Meraki MV MQTT does not currently support username/password authentication. As noted, for secure connections, the only approach is by using a certificate. The feature to add user/pass auth has been submitted to the product team.

 

As a workaround....

I typically use a local MQTT broker to handle the high volume of local traffic. I then could forward all or a subset of that to an upstream broker. With this method, you could have different security types for each connection and just bridge the links. I do this on a basic Raspberry Pi with Node-RED running. I used the Mosca broker node, but mosquitto would do.

 

 

Hope this helps!

Cory
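
The bridge workaround described in the post above, written out for mosquitto as an added example (not configuration from the poster or from Meraki): one listener takes TLS connections from the cameras, and a bridge forwards the messages to an upstream broker that requires a username and password. The hostname, file paths, credentials, connection name and the `site-a/` prefix are placeholders.

```conf
# mosquitto.conf for the local bridging broker (added example, placeholder values).

# --- Link 1: cameras -> local broker, TLS only ---
# The camera cannot send a username/password, so this listener has to accept
# anonymous clients. Limit who can reach port 8883 at the network layer.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt       # CA that signed broker.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
allow_anonymous true

# --- Link 2: local broker -> upstream broker, TLS plus username/password ---
connection mv-upstream
address broker.example.com:8883
bridge_protocol_version mqttv311
bridge_cafile /etc/ssl/certs/ca-certificates.crt
bridge_insecure false                      # keep hostname verification on
remote_username UPSTREAM_USER
remote_password UPSTREAM_PASSWORD
remote_clientid site-a-bridge
cleansession true
try_private false

# Forward everything published locally, one way only (out), QoS 0, and
# prepend a per-site prefix on the upstream side so that several sites
# can share one upstream broker without mixing their messages.
topic # out 0 "" site-a/
```

Because `remote_password` is stored in clear text, keep the file readable only by the account that runs mosquitto.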

Thanks @DexterLaBora

 

In the spirit of Meraki, I'm hopeful that the product team can come to a solution for leveraging cloud based brokers as I believe that a cloud based solution is what my customers are looking for as well as myself as an end user. The cloud based broker would eliminate the need for on premise equipment which is exactly why customers and myself love Meraki!

@TheChad , the Meraki MV Sense MQTT does support cloud brokers. The issue was that this particular cloud service charges you for the security mechanism that Meraki utilizes. Instead, CloudMQTT relies on a less secure alternative of username/password for their free service.

Here's a good article from HiveMQ that explains some of these details, and might be an alternative solution. 
https://www.hivemq.com/blog/mqtt-security-fundamentals-tls-ssl/ 

Thanks @DexterLaBora .  I was utilizing the user/pass combo of CloudMQTT as this is for a lab environment along with just a proof of concept and I didn't want to go down the path of getting a certificate.  I realize CloudMQTT, HiveMQ, and other cloud based brokers all utilize TLS/SSL but as I mentioned, I didn't want to go through the trouble of getting a certificate for a lab and/or POC only to have it torn down in a couple of months.

 

I can't speak to what @TMD and @webfrank use case(s) are, but my use case may be a very corner case.  Ultimately, having the option of user/pass for me would still be invaluable for any lab/POC that I want to attempt to show any potential customers the power of Meraki.  I can always mention that this is not the most secure way and using the TLS/SSL option is the best.

The problem here is that Meraki permits the use of only one CA certificate for all the cameras.

If one needs to set up a different certificate for different cameras, it is not possible.

It is not possible to specify the client ID, nor a custom prefix for the topic.

All this ends up requiring a different broker for each set of cameras, as it is not possible to segregate the messages.

In my opinion this is a great limitation, and it is feasible only for small deployments.

@webfrank +100 for the topic/prefix option as well on the client side for the MV.  I was only concerned at the moment with trying to get one camera to work.  Imagine my chagrin if I were to enable more cameras only to run into the exact same issue you are alluding to.  The same goes for the certificate concern as well.

 

@DexterLaBora can these things (user/pass; topic/prefix; certificates) be considered as well?

Hello Guys,

I have connected my MV Cam over the internet to a Mosquitto MQTT server installed locally on my computer. I have configured the TLS connection, and it is OK.

 

But I have the following behavior per second:

 

1596931324: New connection from [IP Address] on port 8883.

1596931324: Client merakimv_[SERIAL] already connected, closing old connection.

1596931324: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

 

The MV has sent me 4 or 5 timestamps per second, and each second it performs a new connection. Is its behavior correct?

Here follows a sample of the output in my Mosquitto server log:

 

1596931324: New connection from [IP Address] on port 8883.

1596931324: Client merakimv_[SERIAL] already connected, closing old connection.

1596931324: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

1596931325: New connection from [IP Address] on port 8883.

1596931325: Client merakimv_[SERIAL] already connected, closing old connection.

1596931325: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

1596931326: New connection from [IP Address] on port 8883.

1596931326: Client merakimv_[SERIAL] already connected, closing old connection.

1596931326: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

1596931327: New connection from [IP Address] on port 8883.

1596931327: Client merakimv_[SERIAL] already connected, closing old connection.

1596931327: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

1596931328: New connection from [IP Address] on port 8883.

1596931328: Client merakimv_[SERIAL] already connected, closing old connection.

1596931328: New client connected from [IP Address] as merakimv_[SERIAL] (p2, c1, k60).

Hi, if you have a clientId like merakimv_SERIAL you are using an old firmware with a lot of issues on MQTT.

The newest firmware has a random clientId like mosqxxxxxxxxxx.

Multiple reconnections are also an issue with the latest firmware, and depend on the camera not always sending the required keep-alive packets and the broker closing the connection if keep-alive packets are not received.
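
To measure the reconnect pattern discussed in the last two posts from a Mosquitto log, the following added example (not code from any poster or from Meraki) counts "already connected, closing old connection" takeovers per client ID and flags IDs that reconnect faster than their own keep-alive value. It also lists the source addresses seen for each flagged ID, since one ID arriving from several addresses points to two clients sharing it. The client IDs and addresses in the sample log are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in the Mosquitto log format quoted above (not real devices).
SAMPLE_LOG = """\
1596931324: New connection from 192.0.2.10 on port 8883.
1596931324: New client connected from 192.0.2.10 as cam-A (p2, c1, k60).
1596931325: New connection from 192.0.2.10 on port 8883.
1596931325: Client cam-A already connected, closing old connection.
1596931325: New client connected from 192.0.2.10 as cam-A (p2, c1, k60).
1596931326: New connection from 192.0.2.10 on port 8883.
1596931326: Client cam-A already connected, closing old connection.
1596931326: New client connected from 192.0.2.10 as cam-A (p2, c1, k60).
1596931330: New connection from 192.0.2.20 on port 8883.
1596931330: New client connected from 192.0.2.20 as cam-B (p2, c1, k60).
"""

CONNECT = re.compile(r"^(\d+): New client connected from (\S+) as (\S+) \(p\d+, c\d+, k(\d+)")
TAKEOVER = re.compile(r"^(\d+): Client (\S+) already connected, closing old connection")

def summarize(log_text):
    """Collect connect times, keep-alive, source addresses and takeovers per client ID."""
    stats = defaultdict(lambda: {"times": [], "keepalive": 0, "sources": set(), "takeovers": 0})
    for line in log_text.splitlines():
        if m := CONNECT.match(line):
            ts, src, cid, ka = m.groups()
            stats[cid]["times"].append(int(ts))
            stats[cid]["keepalive"] = int(ka)
            stats[cid]["sources"].add(src)
        elif m := TAKEOVER.match(line):
            stats[m.group(2)]["takeovers"] += 1
    return stats

def flag_churn(stats, min_connects=3):
    """Flag client IDs whose median reconnect gap is shorter than their keep-alive."""
    flagged = {}
    for cid, s in stats.items():
        gaps = [b - a for a, b in zip(s["times"], s["times"][1:])]
        if len(s["times"]) >= min_connects and median(gaps) < s["keepalive"]:
            flagged[cid] = {"median_gap_s": median(gaps), "takeovers": s["takeovers"],
                            "sources": sorted(s["sources"])}
    return flagged

if __name__ == "__main__":
    for cid, info in flag_churn(summarize(SAMPLE_LOG)).items():
        print(cid, info)
```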
