Hey there,
We've been using a Python script that uses the Meraki API to automate the offboarding of users when they leave the company. The script was running smoothly until mid-November (we think, but we are not exactly sure about the specific date). In this script, we authenticate using the API key, get the user ID from the email address in this specific network ID, and then delete the authorized user. If the user is not authorized, we get a response that the user is already not authorized.
The users that are not authorized are still getting the correct response. However, for users that are authorized, we get a 404 response when using the deleteNetworkMerakiAuthUser call, with an error message:
{'errors': ['Wired networks must have Client VPN enabled']}
We have no idea where this response is coming from as we couldn't find it documented anywhere. We also asked our network team about any change from their side to this network.
Is there anyone who faced this issue or someone who can help us find the source of this problem?
Thanks!
If you start by updating the users who are authorized, by setting the list of authorizations to an empty list, are you then able to remove the users?
The payload for this would be:
{
"id": "<merakiAuthUserId>",
"authorizations": []
}
Hey, thanks for the suggestion. Unfortunately, I'm getting the same response when trying to update users as well:
{
"errors": [
"Wired networks must have Client VPN enabled"
]
}
I just did a few more tests of my own, and it could seem that my suggestion wouldn't work anyway.
Are you certain that you have ClientVPN enabled on the network for which you are trying to remove a user?
Because, when I create a user that is authorized for ClientVPN, disable ClientVPN and then attempt to remove the user using deleteNetworkMerakiAuthUser, I get the same error as you.
Also note that you don't delete the user per se, when using that endpoint. You only delete the user's ClientVPN authorization.
If the network does have ClientVPN enabled, and you still get that error on the same network, I think you should probably open a case with Meraki Support, as @PhilipDAth suggests.
Ah indeed, that's the way we intend to keep using it. As in, only removing the authorization.
That's weird, we do have AnyConnect Client VPN enabled on this network.
I guess I'll be creating a support ticket then.
Thanks for the help!
No worries, glad to be helpful. Feel free to update the post, with what you and Support find out. 🙂
This sounds like it might be a bug, and you'll need to open a support case.
I do like @rhbirkelund 's idea.
Well, an update here. After opening a case with Meraki, support couldn't help me. They suggested calling a Cisco engineer.
After some tests, we found out that creating a user using the User Management portal and giving them authorization there will also create a user for them in the Client VPN page, granted, without authorization. In this case, the API call deleteNetworkMerakiAuthUser works (the user will be deauthorized). If the same user is authorized on both the User Management and Client VPN pages, the call will throw the mentioned error:
networks, deleteNetworkMerakiAuthUser - 404 Not Found, {'errors': ['Wired networks must have Client VPN enabled']}
Basically, that's not something we want. We want to deauthorize them from using the Client VPN.
Thanks for sharing that.
Another update on this: it started working again without us making any changes 😄
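
An added example, not part of the thread and not the original poster's script: an offboarding step that re-reads the user after calling deleteNetworkMerakiAuthUser and reports a leaver who still holds an authorization as a failure, so an error like the 404 above cannot pass unnoticed. It assumes that any remaining entry in a user's `authorizations` list means access is still granted; `deauthorize`, `FakeNetworks`, `sample_network` and the sample users are constructed for illustration.

```python
# Added example. `networks` is any object exposing the two Meraki SDK methods
# used below (dashboard.networks in the official Python library).

def deauthorize(networks, network_id, email):
    """Return 'not_found', 'already_deauthorized', 'deauthorized' or 'FAILED: <reason>'."""
    def lookup():
        users = networks.getNetworkMerakiAuthUsers(network_id)
        return next((u for u in users if u.get("email", "").lower() == email.lower()), None)

    user = lookup()
    if user is None:
        return "not_found"
    if not user.get("authorizations"):  # assumption: empty list means no access
        return "already_deauthorized"
    error = None
    try:
        networks.deleteNetworkMerakiAuthUser(network_id, user["id"])
    except Exception as exc:  # the real SDK raises meraki.APIError here
        error = str(exc)
    # Trust the re-read state, not the call result: a leaver who still holds an
    # authorization must surface as a failure for manual follow-up.
    after = lookup()
    if after is None or not after.get("authorizations"):
        return "deauthorized"
    return f"FAILED: {error or 'authorization still present after delete'}"


class FakeNetworks:
    """Constructed stand-in that reproduces the thread's 404 for chosen user ids."""
    def __init__(self, users, broken_ids=()):
        self.users, self.broken_ids = users, set(broken_ids)

    def getNetworkMerakiAuthUsers(self, network_id):
        return [dict(u) for u in self.users]

    def deleteNetworkMerakiAuthUser(self, network_id, user_id):
        if user_id in self.broken_ids:
            raise RuntimeError("404 Not Found, {'errors': "
                               "['Wired networks must have Client VPN enabled']}")
        for u in self.users:
            if u["id"] == user_id:
                u["authorizations"] = []


def sample_network():
    """Constructed sample data: u2 triggers the error described in the thread."""
    auth = [{"authorizedZone": "Client VPN"}]
    return FakeNetworks([
        {"id": "u1", "email": "a@example.com", "authorizations": list(auth)},
        {"id": "u2", "email": "b@example.com", "authorizations": list(auth)},
        {"id": "u3", "email": "c@example.com", "authorizations": []},
    ], broken_ids={"u2"})
```

With the official library, pass `meraki.DashboardAPI(api_key).networks` as `networks`, and route any `FAILED` result to whoever can remove the authorization in the dashboard.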