I have now had a similar update from support, that we will never be able to view the passwords in the GUI again.

Hello

Following up on this case, to ensure the highest level of security and meet evolving regulatory requirements, neither Meraki nor the customers can see the password.

The network settings page will no longer have the ability to display a network’s LSP password.

It will be on the customer to save their password in a separate secure location for future reference.

The goal (and EU RED requirement) is for the customer to go and set it themselves. The intent of the auto-generated password is to act as a soft-block to customers to set their passwords themselves the first time.

Please check the document in the link below for more information.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page/Configuring_the_Local_Status_Page

Please let me know if you have further questions.

Kinds Regards

Tony,

It sounds like there are 2 scenarios I am concerned about:

1) Device is online. You can choose to set a password and then track that with some kind of password manager or spreadsheet. Or you could just reset the password every time and don't bother tracking it. Is that accurate?

2) The second situation is the device is offline but a password has been set. Are you saying a reset wipes the password? Just thinking of situation where the device has been statically set so you can't get it back online.

Thanks in advance.

@tony.alfano - What in your mind is best practice in handling this change for an MSSP with 100s of service desk agents managing a Meraki dashboard with 100s of orgs, thousands of networks, and tens of thousands of devices?

If I were to manage such MSP, I would seriously evaluate a corporate password manager. Assuming MSP has it's own Directory Service (MS Active Directory or any other), it's key that the password manager solution accepts logins from your Directory Service. This would allow you to disable just one login in case an employee leaves MSP.

For extra security, you may rotate device's local password by using API calls in all managed orgs. 😄 Don't ask me exactly how to do it. I just know that this API exists.

Thanks Tony! Unfortunately that is not a great solution. Even if you wanted to spend the money to do that, you have to make sure 100s of agents across the globe are using it correctly. It is just not feasible. Unfortunate that Meraki is doing things that nobody wants.

Hi, @Mr_Meraki ,

It's a hard reality in computing: you add complexity every time you tighten security.

As you know from @edazeved reply, this change was made to comply with EU RED standard.

I'll say it again and you can see it in my earlier reply "I feel your pain. I also miss that old feature". I'm not just saying.

I'd better stop here before I start getting off topic while I runt about the good old days... And then someone will post that meme "Old man yells at cloud" making fun of me.

Anyhow, I'm not trying to convince you that the new local password feature is good or using a centralised password management solution is a great solution.

I'm here to help, just like you. Those are my insights on how We can adapt to that new regulation. The dashboard can change if enough people make feature request and We find a way to still comply with EU RED.

Thanks for your insights and thanks for understanding, @Mr_Meraki .

@Mr_Meraki I'm really curious how often are you accessing the local status page (to the point where you have to login) and what are the use cases besides initial setup (no password set yet) or outage recovery (factory reset adds maybe a couple of minutes to the process IF you don't know the password)?

I manage ~100 orgs with over 1000 MXs and 7000 MR/MS and I can think of very few cases where we access these past initial setup.

The only downsides to those are your RO admins could see the info, but if you are small enough to not have any background api tools where you could add password management and your password system not have an API where you could easily keep things in sync, that is less likely to matter, certainly seems like a usable workaround. Run your script 1x a week or similar.