Integration Tips

Cisco Meraki Organizations, Networks, and Devices

Tenable designed the integration with the Cisco Meraki Dashboard API around how data is structured within Organizations and Networks, with the goal of identifying devices and obtaining their details. It is crucial to understand this relationship, because doing so improves both your confidence and your success when using our integration.

Here is an illustration of the relationship between Organizations, Networks, and Devices:

You can be granted access to one or more Cisco Meraki Organizations and Cisco Meraki Networks (within an organization). Therefore, when requesting devices, an Organization Name is required in the scan credential Cisco Meraki Organization Name field, provided that you have permission to access the organization. The Cisco Meraki Network Name field is optional in the credential configuration because devices can be collected at the primary Organizational Level. However, you have more control over what devices the integration collects if you provide a Network Name value.

Cisco Meraki Credential Fields, Usage, and Limitations

For improved understanding of the Cisco Meraki credential and configurations, view the following list of required and optional fields, their usage, and limitations.

Required Fields

Cisco Meraki API Host

The Cisco Meraki API Host is the hostname of your Cisco Meraki Dashboard. Tenable communicates with the same Host for the backend REST API web service. The integration can accommodate a custom URL. By default, the API exists on /api/v1. You do not need to enter the default URL in addition to your hostname. For example, api.meraki.com/api/v1 is unnecessary because the integration uses the default URL. Only the hostname api.meraki.com is necessary in this case. However, if the API moves to v2, Tenable can support that version upgrade without making a change to the integration. Simply enter your hostname and URL (e.g., api.meraki.com/api/v2).

Cisco Meraki API Port

By default, this is port 443. However, you can enter a custom port if needed.

Cisco Meraki API Key

You need to generate an API key in your Cisco Meraki Dashboard account settings. For information on how to generate an API key, refer to the Cisco Meraki Dashboard documentation. The API key is used to authenticate a user to the Cisco Meraki Dashboard API.

Cisco Meraki Organization Name

As it relates to the Cisco Meraki Organizations, Networks, and Devices section of this document, you enter a single organization name in this field. You are allowed only one organization per credential as a way for you to control device collection. This avoids confusion and potential errors. Tenable provides the ability to configure a maximum of five Cisco Meraki credentials in a single scan policy if you need to collect for multiple organizations.

Optional Query Parameters

Tenable has provided multiple options (query parameters) in the Cisco Meraki credential to help you refine your device search and collection operations. When you leave all query parameter fields blank, Tenable collects all devices managed under the specific Cisco Meraki Organization Name provided in the credential. However, if you want to refine your device collection within a Cisco Meraki Organization Name, you can do so with a combination of query parameters. Each of the fields described in the following sections offers you more control over the devices that Tenable collects.

Cisco Meraki Network Names

One or more networks may belong to an organization. Tenable provides the ability to filter the device collection to only certain networks. You enter the name of the network as seen in the user interface of the Cisco Meraki Dashboard. For example, you have access to the following networks: Network 1, Network 2, and Network 3. However, if you only want devices from Network 1 and Network 3, you should enter "Network 1, Network 3" in the Cisco Meraki Network Name field. Each network name must be comma-separated.

Cisco Meraki Product Type

Each device belongs to a particular product type. You are allowed to enter one or more comma-separated product types. The integration validates each entry against the following valid product types:

  • appliance

  • camera

  • cellularGateway

  • secureConnect

  • sensor

  • switch

  • systemManager

  • wireless

  • wirelessController

If you provide an invalid product type, the integration warns of this entry in the debug logs for cisco_meraki_collect.nasl and moves on to request devices with all valid types. If no valid product types are found, the integration proceeds without providing product types in the search parameters of the API request, so results may be unexpected. Check the debug logs to help identify these invalid types.
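The validation behavior described above can be checked before a scan runs. The following is an added example, not Tenable's code: it splits a Product Type value, separates valid from invalid entries, and flags the case where no valid type remains, so the request would go out without a product type filter. The dict keys and the exact-case comparison are assumptions made for this sketch.

```python
# Added example (not Tenable's code): pre-flight review of Cisco Meraki
# credential values. Dict keys below are hypothetical names for this sketch.

VALID_PRODUCT_TYPES = {
    "appliance", "camera", "cellularGateway", "secureConnect", "sensor",
    "switch", "systemManager", "wireless", "wirelessController",
}


def split_csv(value):
    """Split a comma-separated field, trimming whitespace and dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_product_types(field):
    """Return (valid, invalid, filter_dropped) for a Product Type field value.

    Assumption: entries must match the documented spelling exactly,
    including case (e.g. "cellularGateway").
    """
    entries = split_csv(field)
    valid = [e for e in entries if e in VALID_PRODUCT_TYPES]
    invalid = [e for e in entries if e not in VALID_PRODUCT_TYPES]
    # Entries were supplied but none survived validation: per the page, the
    # request is then sent with no product type filter at all.
    filter_dropped = bool(entries) and not valid
    return valid, invalid, filter_dropped


def review_credential(cred):
    """Return human-readable warnings for a credential dict."""
    warnings = []
    if not cred.get("organization_name", "").strip():
        warnings.append("Cisco Meraki Organization Name is required")
    _, invalid, dropped = check_product_types(cred.get("product_types", ""))
    warnings += [f"invalid product type: {entry!r}" for entry in invalid]
    if dropped:
        warnings.append("no valid product type: request is sent unfiltered")
    return warnings


# Constructed sample input: one wrong-case entry and one typo.
SAMPLE = {"organization_name": "Example Org", "product_types": "Switch, wirelss"}

if __name__ == "__main__":
    for line in review_credential(SAMPLE):
        print("WARNING:", line)
```

A warning about an unfiltered request means the scan may collect more devices than the credential was meant to cover.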

Cisco Meraki Tags

You can create custom tag names to associate devices, networks, and organizations. You can enter one or more comma-separated tag names to be used as query parameters.

Cisco Meraki Device Name

You can specify a single Cisco Meraki Device Name (e.g., Meraki MS120-8). While the API supports only one name per field, this option is useful when multiple devices share the same name. The integration ensures that only one unique device name is processed even if multiple are entered.

Cisco Meraki Device Model

You can enter one or more comma-separated device models (for example, MS120-8) to be used as query parameter values. It is possible that you provide an invalid model. In that case, the API returns an error message, and an entry is written to the debug logs for cisco_meraki_collect.nasl.

Device Serial Number

You can enter one or more comma-separated device serial numbers to be used as parameters. If you provide a serial number that is invalid (in format), or one that does not exist, the API returns an error message, and an entry is written to the debug logs for cisco_meraki_collect.nasl.

Cisco Meraki Device MAC Address

You can enter one or more comma-separated device MAC addresses to be used as parameters. If you provide a MAC address that is invalid (in format), or one that does not exist, the API returns an error message, and an entry is written to the debug logs for cisco_meraki_collect.nasl.

Discover Devices

Tenable has provided the "Auto-Discovery" feature for optional use with the Cisco Meraki Dashboard API integration. Instead of manually entering device IPs in the target settings, enabling the Auto-Discovery option automatically adds the collected devices as targets to a scan. When disabled, you need to manually enter each device IP in the target settings. Enabling this feature is ideal when collecting a large volume of devices, and it eliminates additional work.