Disabling Merkai z1 and z3 access remote users

FoozGrind
Comes here often

Disabling Merkai z1 and z3 access remote users

Hi everyone, I hope this question is in the correct forum. At my current company we have about 300 Meraki hardware devices in the field support remote users. We are allowing them to access our phone system with a physical Avaya IP phone and company issued computer. When a user is separated we do not have a really good way of knowing if a user had remote equipment unless HR lets us know. Even than we are not guaranteed to get the equipment returned to us. So at this point even though the network acnt is disabled they could technically still log into anyone's extension with the Avaya phone and plug in any computer of their own and have network access although it wouldn't be a domain computer but they could still obtain an IP and snoop. Is there a way to somehow completely cut access to the device automatically upon a user being terminated or leaving the company? This way if HR forgets to tell us or the user doesn't send the computer back our network is still safe? Thanks!

12 REPLIES 12
BrechtSchamp
Kind of a big deal

Doesn't the removal of their teleworker network break the VPN tunnels?

Hey not sure what that is.... I am little green. What I do now is log into our meraki dashboard. Claim the Serial, create a network for the device assign it the proper template then name the device fill in the user information and then tag it with the proper vlan. Hand it off the user and that is the last I see it.

>Hand it off the user and that is the last I see it.

 

You need to add an offboarding script.

  • Remove the device from the network
  • Delete the network
  • Get the device back from the user.

Would you be able to provide some links or guide on how to make this script? Is it running against the dashboard? Would our security team need to handle this? Just trying to figure out how this would work. 

If you just want to do that in dashboard it's:

 

  1. From the teleworker device's status page:
    2019-08-02 10_39_41-Clipboard.png
  2. From the View all networks page:2019-08-02 10_41_54-Clipboard.png

But I'd give it a short test to see if step 1 is necessary, just step 2 may be enough.

 

If your (physical) security team or HR would handle this, a script may come in handy.

 

Again, I'm not sure removal from the network first is needed, but if it is you'd need the following two API calls, more info on https://postman.meraki.com:

 

  • POST Remove a single device
{{baseUrl}}/networks/{{networkId}}/devices/{{serial}}/remove

HTTP REQUEST

POST /networks/[networkId]/devices/[serial]/remove

 

  • DEL Delete a network

HTTP REQUEST

DELETE /networks/[id]

 

To learn more and to get started with the API's, check out this page:

https://developer.cisco.com/meraki/learn/

 

 

Aaron_Wilson
A model citizen

What Fooz is asking for, how to tie the Z1/3 to a user so that if that person identity record is disabled then their Meraki is disabled as well.

This is certainly a gap I dont think Meraki has a solution for. There is nothing in the networks which ties a device to a person record, so there is no way to automate the deactivation of a Meraki. It would be sweet if you could add a ldap account to a Z1/3 network where it only allows the tunnel to connect if the ldap account is active. The check could occur on the hub side during the AutoVPN phase.

What about setting up radius authentication by workstation on the vlan coming in from the meraki devices? In the dashboard each network is called "RemoteUser201,202,203,204 etc...) When i go into the network I can see the users name at the top if it was typed in and we have the address etc.... The problem is when the person leaves the company if we dont know then we cannot disable the meraki. Its worse than that if we dont know what the serial number is or what the name of the network is then we play the guessing game...

So you're saying you don't know which network number (e.g. 204) corresponds to which user?

Setting up radius auth on the ports would certainly help. It would not disable the Meraki, just the devices tied to the user. The catch is, if you enable MAB as well for radius (which you would need for phones, etc) those devices would remain active.

Correct I just joined the company a few months ago and yea we now started naming the networks with the windows username so at least we know who it belongs to from just looking at the organization tab but other than that we have an excel spreadsheet we use in FL to help identity who network 204 would belong to IF it was entered into that spreadsheet. Then we have our other home office in Utah using some other way of tracking who they send them to... We dont have an asset management system until recently so hopefully we can use that to help. But as of now I believe HR asks the user do you have remote equipment user says yes they send us a ticket we send them boxes and hope we get the devices back. IF we dont get the device back and we dont know which VPN network it is technically even though their network account is disabled they can still log into anyone phone extension since the avaya phone ext and password are the same as the extension plus if they wanted to they could connect their own computer to the meraki and surf the internet or try and access or network devices although they wouldn't have a network account so its really how much effort they want to put into that. 

@FoozGrind - based on the above, I think you should setup your Z1/Z3's with RADIUS hybrid auth. This would mean all the ports require some form of RADIUS auth. Hybrid would allow you to do .1x for users/machines and then MAB for phones. I have this enabled on all my "home" based Merakis, which means if anyone's account is disabled it breaks wireless and wired. There would be a delay on the phone side as phone accounts required CUCM sync to disable the accounts.

I will warn you that getting hybrid auth to work with ISE was a bear, so FYI in case you are an ISE shop.

Much appreciated for the info! I am going to send an email off to our networking team with the suggestion 🙂

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels