Meraki

rhbirkelund · ‎Jul 22 2024

First of all, the mac addres you get from the API is the Radio MAC. Second, you should edit your post, to remove the Serial Number, and in general don't share Meraki serial numbers.

rhbirkelund · ‎Jul 18 2024

I'm looking forward to see this, when my current customer project comes online, where we'll be doing a bunch of BGP. 😄

rhbirkelund · ‎Jul 18 2024

Do you have devices in your inventory that aren't named? That's probably the reason.

rhbirkelund · ‎Jul 18 2024

Nice! I needed this for my Mama's Spaghetti/Chow Mein Noodle BGP post!

rhbirkelund · ‎Jul 17 2024

Create a new profile, and use Device Profile (defualt), not User Profile (Apple). Add Settings, and you shold be able to see a Passcode Payload.

rhbirkelund · ‎Jul 17 2024

Assuming you're getting a list of all appliances in a single organization, and want to sort according to name, it'd be like this organization_id = "" response = dashboard.organizations.getOrganizationInventoryDevices( organization_id, total_pages='all', productTypes = ['appliance'] ) SortedListOfDevices = sorted(response, key=lambda d: d['name'])

rhbirkelund · ‎Jul 17 2024

I hear that MX Layer 8 firewall rules are roadmapped but sadly, there's no timeframe yet. 😉

rhbirkelund · ‎Jul 17 2024

I often use the simulate mode, when while starting out on a script, just to be sure I don't accidently post something unexpected to those orgs I use to test against. 🙂

rhbirkelund · ‎Jul 17 2024

Odd. I have it on my MX68W with adv.sec.

rhbirkelund · ‎Jul 17 2024

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Wireless_Mesh_Networking https://documentation.meraki.com/MR/Deployment_Guides/Mesh_Deployment_Guide Is there something specific you are looking for?

rhbirkelund · ‎Jul 16 2024

The reponse is usually a list, where each element is a dictionary. So you need to sort the list based on values that are further "down the chain", which are in a dictionary. You can sort the list using the sorted() method and pass a lambda function as key; newlist = sorted(list_to_be_sorted, key=lambda d: d['name']) https://stackoverflow.com/questions/72899/how-to-sort-a-list-of-dictionaries-by-a-value-of-the-dictionary-in-python

rhbirkelund · ‎Jul 16 2024

Unfortunately, no. There is no option to create an API key for an account that is not tied to an Email. API keys are personal. However, what you could do is have your organization create a service account only for Meraki Automation, and generate an API key for that account. It'll still be tied to a "personal" Meraki Administrator, but it would not be tied to a specific employee.

rhbirkelund · ‎Jul 16 2024

That's definitely not unlikely that the default rule in the end should be popped. (Although I'd expect the API to be able to handle that rule, but that's another story..) However, then I'd expect a different error than the python error. If memory serves me right, I think it would fail within the REST call itself, and not a positional error in the function call.

rhbirkelund · ‎Jul 16 2024

Yes, it is simple and I see that we will still get the "easy" switching between organizations. Although, instead of simply browsing to dashboard.meraki.com, we'd now have to jump in through myapplications.meraki.com, and from there jump into the dashboard. However, it still creates those issues where one has a local login somewhere in Meraki, which conflicts with SAML SSO. E.g. my lab at home is a CMNA kit (from when you could get a full stack) with a couple other devices I scoured up over the years. This is an organization I'd prefer not having ties to my employers AD, however I still use my company email on it, to switch back and forth between lab networks and customers when needing to do changes. Addtionally, SAML users can not create API Keys, so we'll have to add a local user to their dashboard anyway if needing to use Meraki API. Then from my perspective, I'd expect to run into the same troubles, since the API user cannot be a SAML user, but must a local user, and theres a match on the email address. But I suppose, this is where user.displayname as the username attribute, comes into play?

rhbirkelund · ‎Jul 16 2024

Aha! Interesting. I'm now getting both orgs with the SAML SSO. I think I've read through the SAML SSO guides on Meraki Docs hundreds of times, but I think these few details were really missing.

rhbirkelund · ‎Jul 16 2024

Okay. So I add the same SHA thumbprint to another lab dashboard that I have. The consumer url on this Org is different to that of my first Org. In the Dashbord Application on Azure it still referes to the Consumer URL of the first Org. Where should I then reference the Consumer URL for the second org?

rhbirkelund · ‎Jul 16 2024

When I set up the Dashboard App in Azure, the identifier (Entity ID) needs to be my SSO url <subdomain>.sso.meraki.com. If use the generic URL, SSO fails with the error that the identifier was not found. The identifier (and Sign-on URL) are configured in Azure on a per organization basis, as I see it. So to have multiple organizations, I'd end up with many different dashboard applications in Azure. Unless I'm misunderstanding something?

rhbirkelund · ‎Jul 16 2024

Having the customer adding med as a Guest User in their tenant, is usually where it goes badly. I'm added with my company email as a guest to the customers tenant, and as my email is already known as local account on many other customers organizations, I end up getting redirected to the Meraki "true" page with a SAML login failure in the dashboard logs.

rhbirkelund · ‎Jul 16 2024

So by using the same SHA certificiate (thumbprint) across different organizations, we'd be able to get the same Dashboard experience with a Organization Dropdown, and switch between organizations?

rhbirkelund · ‎Jul 15 2024

What would be the best course of action then, for an MSP with access to many customers? If we add our company tenant as IdP to the customers' organizations, we'd need to then set up a Dashboard application per customer. WOuldn't that then result in many different customer apps on the myapp.microsoft.com page? Or in the case of SP-initiated, they'd have to set a unique subdomain for their SSO login?

rhbirkelund · ‎Jul 15 2024

Yes, but I tend to prefer not to do any major changes to customers dashboards, just in order to give me access.

rhbirkelund · ‎Jul 15 2024

Use this instead # Pushing the rule to another network response = dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules( network_id, rules = fw_rules )

rhbirkelund · ‎Jul 15 2024

The SAML SSO configuration guide, clearly states that one should set the username attribute to email, but also clearly warns against it. This really messes things up for MSPs and those of us who are external consultants.

rhbirkelund · ‎Jul 15 2024

And well, this also goes to SP-initiated SAML SSO.

rhbirkelund · ‎Jul 15 2024

Lately, SSO login for Meraki Dashboard has been a huge nuisance for me, as I'm getting access to more and more customer organisations that use SAML SSO in their organizations. If unsuccessful in convincing their IT teams to add me directly as a local admin to their Org, I have to go through having my account created in their Azure tenant. Which by all means is probably also the correct way, IT security wise. But as an MSP with access to many customers, SSO is a PITA. Many customers followed the guides on the Meraki Documentation on how to setup SSO for their org in Meraki, but this has also resulted in many organisations' lack of consideration of the different SAML attributes in Azure. An easy fix would be to set the username attribute to something else than userprincipalname, which for some reason equates to their email address. In my tests, using employeeid is usually the best alternative, since chances are that this is more unique between customers and organisations, and especially for external consultants like myself. I'm curious as to how others handle SAML SSO from an MSP stand of view? Do you also spend days during first time onboarding in just trying to get access, by having to make the customer reconfigure their Dashboard App, which by all means works for them? What are you tips&tricks for when setting up SAML SSO? Or is there a simple Meraki setting that I'm just not aware of, that will fix everything, without having to touch their Azure tenant?

About rhbirkelund

rhbirkelund

Community Record

Badges