Restricting Access to local status page

Solved
KyleR-D
Here to help

I don't want unauthorized users to be able to view the local status page of my Meraki devices, but I don't want to disable it entirely. Is there a way to restrict the VLANs from accessing the status page and permit only certain IPs to access it?

1 Accepted Solution
RWelch
Kind of a big deal

What is the driving factor to keep the local status page enabled but restricted?

Most would suggest disabling the local status page once your devices are in place, enabling local status access only if absolutely necessary (for a short period of time) to make changes, then disabling it after changes are completed. Leaving it enabled is risk adverse in my opinion.

Is there something in particular that you can't do via the dashboard (i.e., a need or reason for leaving the local status enabled)?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

15 Replies
alemabrahao
Kind of a big deal

No, it's not possible. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Mloraditch
Kind of a big deal

There is not natively. You have on or off for local access and remote access in Network-Wide General, and then the MXs do have on the firewall settings page the ability to lock down WAN access to their status page.

If you have your devices' management interfaces on a dedicated management VLAN, you could possibly set up ACLs relating to accessing that VLAN. On an MX that could be done via group policy, but it just depends on your setup as to where and how.

michalc
Meraki Employee

Hi @KyleR-D , welcome to the Meraki Community!

Please see the KB article about Using the Cisco Meraki Device Local Status Page.

For your use case, I'd recommend utilizing L3 firewall rules / ACLs to block/allow access to the Local Status page of your Meraki devices.

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
KyleR-D
Here to help

Thanks for all of y'all's answers. So here's the thing: my Meraki devices are on a management VLAN which I prevented inter-VLAN routing to. When I connect to the SSID from the MR and type the gateway address in the browser, I can view the Meraki page for the MX, and if I type my.meraki.com I can view the status page for the MR. I went to put L3 firewall rules in place to prevent the guest and internal VLANs from establishing a TCP connection on ports 443 and 80 of the gateway IP address. However, when I tested to see if that works, I was still able to view the status page. Hopefully this provides some more insight on how we can go about this.

Mloraditch
Kind of a big deal

That should be the local device status page option:

Mloraditch_0-1741874611226.png

You would want that to be disabled.

KyleR-D
Here to help

I thought about doing that but I want to allow a few devices to access it and they won't be able to connect.

Mloraditch
Kind of a big deal

They can't access via the remote status page option?

KyleR-D
Here to help

When you disable the local status page the remote status page option disappears.

Mloraditch
Kind of a big deal

Gotcha, sorry I hadn't tried that. You can double check with support but you might be out of luck given the current architecture. You can always do this process to at least get it into the devs feedback queue: https://documentation.meraki.com/General_Administration/Other_Topics/Give_your_feedback_(previously_...)

KyleR-D
Here to help

I appreciate your help!

BlakeRichardson
Kind of a big deal

I agree there is no real need to access this page unless you are configuring a device for the first time or it's having dashboard connectivity issues and you need to see what the device itself is reporting.

KyleR-D
Here to help

I've noticed with equipment that if a critical change has been made to the devices and they no longer have connectivity to the Meraki cloud, then to fix the problem I would have to log in via the status page. If I disable it and that situation occurs again, then according to the documentation I would have to physically reset the equipment. That's why I asked the question, but I guess I would have to decide which tradeoff to take, and I value security over convenience. I will disable and re-enable when needed, especially if I'm making critical changes like that, so I can use the status page.
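
The disable/re-enable routine described in the post above can be scripted against the Meraki Dashboard API so the page is only open for the duration of a change. This is an added example, not part of the thread or Meraki's own code; it assumes the `localStatusPageEnabled` field of the v1 network settings endpoint, an API key in the `MERAKI_API_KEY` environment variable, and a placeholder network ID.

```python
import contextlib
import json
import os
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

def settings_request(network_id, api_key, enabled):
    """Build the PUT that turns the local status page on or off for a network."""
    body = json.dumps({"localStatusPageEnabled": enabled}).encode()
    return urllib.request.Request(
        f"{API_BASE}/networks/{network_id}/settings",
        data=body,
        method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )

def http_send(req):
    """Send the request and return the decoded settings the dashboard reports."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def set_local_status(network_id, api_key, enabled, send=http_send):
    """Apply the setting and fail loudly if the dashboard reports another value."""
    reported = send(settings_request(network_id, api_key, enabled))
    if reported.get("localStatusPageEnabled") is not enabled:
        raise RuntimeError(f"local status page not set to {enabled}: {reported}")
    return reported

@contextlib.contextmanager
def local_status_window(network_id, api_key, send=http_send):
    """Enable the page for the duration of a change, then always disable it."""
    set_local_status(network_id, api_key, True, send)
    try:
        yield
    finally:
        # Runs even if the change inside the window raised an exception.
        set_local_status(network_id, api_key, False, send)

if __name__ == "__main__":
    network = "N_PLACEHOLDER"  # placeholder: substitute your own network ID
    with local_status_window(network, os.environ["MERAKI_API_KEY"]):
        input("Local status page enabled. Make the change, then press Enter...")
```

The script changes only the dashboard setting; a device with a physical management port keeps serving the page on that port, as noted in the reply below.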

IvanJukic
Meraki Employee All-Star

Hi All,

I just wanted to clarify some points to clear up any possible confusion.

You can disable the Local Status Page in the Dashboard, yes. However, if your device has a physical management port, it will always remain active regardless of the value of this setting.

It is recommended to change the Local Status Page password for devices with management ports. Navigate to Network-wide > Configure > General > Device configuration and provide a strong password.

Refer to the section Disabling the Local Status Page in the guide below.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me...


Cheers,

Ivan Jukić,
Meraki APJC

KyleR-D
Here to help

Thanks Ivan!
