Meraki AP-Give selected users access to changing PSK for required SSIDs

sumo--
Conversationalist


Hi all,

 

I've been asking this on the Cisco forum, where I was advised to register here and ask... so "Hi" Meraki experts 🙂

 

I am quite new to Meraki solutions... and looking to deploy a few Meraki APs (probably MR36 or 28 models). The client has some specific requirements below:

  • 3-floor building
  • each floor (department) will have its own SSID (such as 1st floor - Sales; 2nd floor HR + Management; etc)
  • each floor will have a selected user that will have access to change PSK for their department/floor when required. 
  • For guests, there will be a GUEST WIFI and a "token" generated that will last for specified hours. Guest WIFI will be for entire building/floors.

 

Now, I'm sure that Meraki would be capable of covering most of the requirements. I'm, however, not sure about that (admin?) access for selected users to be able to change the PSK only for their department (floor).... Is this possible at all? Are there admin roles that could be assigned to those selected users so they are able to change PSKs for their departments and do not have access to change them for other departments? If not, is there at least a role that would give selected users access to change the PSK for all SSIDs?

 

I'd appreciate it if somebody could help me answer the above... So that I can communicate that properly to the client and alternatively suggest another way to achieve something similar to what he wants...

alemabrahao
Kind of a big deal

You can limit administrator permissions by networks, but unfortunately you cannot limit them by resource, that is, the administrator will be able to change any configuration.

 

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
sumo--
Conversationalist

So... correct me if I'm wrong - after checking the link you posted, I can have, let's say, 2 selected users to whom I can assign Network Admin Full access with Privilege "Wireless", and these users will have access to all WIFI configuration? But they will not have access to switch configuration, for example.

PhilipDAth
Kind of a big deal

There is no privilege "wireless".  They'll have full access to everything located in that Meraki network.

 

If it is a concern - create a separate Meraki network with only the APs in it (one for each floor).  They'll be able to access all of the WiFi and AP config.

 

If you need greater control, BoundLess Digital makes a third-party solution offering role-based access control.

https://www.boundlessdigital.com/network-management/meraki-automation/role-based-access-control/ 

PhilipDAth
Kind of a big deal

There are a couple of ways to achieve this.  If each floor is a separate VLAN with separate layer 3 domains, you could create 3 Meraki networks, each containing their respective switches and APs.  You can grant users access to only the network for their floor.

 

You could also use three separate Meraki networks just for WiFi, and do the same as above.

 

You could also download one of the many Python scripts for changing a PSK, create an API key for the script to use, and then have them just run the script.
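
The scripted approach suggested above, sketched as an added example that is not part of the original post and not a Meraki-supplied script: a wrapper that lets each delegate rotate the PSK of their own SSID only, which the dashboard roles discussed in this thread do not offer. The network ID, user names, SSID numbers and the `DELEGATES` table are constructed placeholders; it assumes the caller has already authenticated `user` and that the SSIDs already use PSK authentication.

```python
import json
import secrets
import string
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"
NETWORK_ID = "N_EXAMPLE"  # placeholder network ID (assumption)

# Constructed delegation table (assumption): authenticated user -> SSID
# numbers that person is allowed to rotate.
DELEGATES = {
    "sales.lead@example.com": {0},  # 1st floor - Sales
    "hr.lead@example.com": {1},     # 2nd floor - HR + Management
}
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(length=20):
    """Random WPA2 passphrase (8-63 characters allowed) from a CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_psk_update(user, ssid_number, psk, api_key):
    """Return the PUT request for one SSID; refuse users not delegated to it."""
    if ssid_number not in DELEGATES.get(user, set()):
        raise PermissionError(f"{user} may not change SSID {ssid_number}")
    url = f"{API_BASE}/networks/{NETWORK_ID}/wireless/ssids/{ssid_number}"
    body = json.dumps({"psk": psk}).encode()
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    })


def rotate_psk(user, ssid_number, api_key):
    """Generate a new PSK, push it to the dashboard and return it."""
    psk = generate_psk()
    req = build_psk_update(user, ssid_number, psk, api_key)
    # urllib raises HTTPError on a non-2xx answer, and also instead of
    # re-sending a PUT if the API answers with a redirect.
    with urllib.request.urlopen(req, timeout=30) as resp:
        resp.read()
    return psk
```

The API key carries the dashboard permissions of the admin who generated it, so it stays with the script (for example in a secrets store) and is never handed to the floor delegates.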

 

 

 

sumo--
Conversationalist

Hi... it is not about segregating users to VLANs etc... The client's requirement is that the PSK will be changed periodically and he wants to have one person for each WIFI network (department) that can do this PSK change... I will be discussing the requirements with the client again this week.

 

Btw, the idea of having a script for changing the PSK looks quite cool... However, I'm not a "scripting" guy... If you have any resources or links to those kinds of scripts, I will be grateful if you could share them with me 😉

PhilipDAth
Kind of a big deal

KarstenI
Kind of a big deal

If the access control to the Meraki devices is your main concern, you could do iPSK with RADIUS. Each user only has access to the file containing the floor's default PSK on the RADIUS server and can change it without ever touching the Meraki Dashboard.

sumo--
Conversationalist

Thank you all... I will be redesigning the network later this year but will need to deploy WIFI soon.... Looks like I will have an admin that could change the PSK for now..... Really like the idea of the script that would automatically change the PSK regularly and email the new PSK to users, as described in the link above..... It's also a great opportunity for me to start exploring scripting 🙂

TBHPTL
A model citizen

Everyone is mistaken. You absolutely can have an SSID only admin. It's a relatively new feature and there are some caveats but it is 100% doable. You have to ask for it and have MSP set up.

 

SSID only admins: https://documentation.meraki.com/General_Administration/Service_Providers_-_SPs/Service_Provider_Das...

 

alemabrahao
Kind of a big deal

I think you need to read between the lines before making a statement.

 

Note: This feature is only available to Service Providers and must be enabled by Meraki Support.

TBHPTL
A model citizen

There are no lines to read between. I clearly and concisely stated there are caveats and it must be asked for. MSP portal is enabled by default.

 

Configuring the MSP Portal
An admin can create multiple Dashboard accounts using the same email address. When a new account is created using the same credentials, the MSP Portal feature in Dashboard will automatically activate and be displayed so the user account with access to multiple organizations can switch between them. There is no additional configuration necessary to enable MSP portal.


https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Using_the_MSP_Por...

 

 

https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Licensing_for_Man...

 

 

https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Licensing_for_Man...

 

alemabrahao
Kind of a big deal

SSID only admin ::: This feature is only available to Service Providers.

TBHPTL
A model citizen

Once again, ANYONE can be a service provider.

alemabrahao
Kind of a big deal

Wrong.

TBHPTL
A model citizen

How much do you want to bet?
