Organization Login Security Configuration
Dashboard Location: Organization > Settings > Security
Comprehensive Authentication Security and Access Control Management
Organization login security configuration in Meraki provides administrators with comprehensive authentication security capabilities, enabling password policy enforcement, multi-factor authentication, session management, IP-based access control, and API security management. This functionality supports enterprise security policies, compliance requirements, threat protection, access governance, and user account security while providing flexible authentication controls and audit capabilities. Login security is essential for organizational cybersecurity, regulatory compliance, access management, threat prevention, and maintaining secure administrative access while supporting enterprise security frameworks and multi-layered defense strategies.
Classes

organizations (meraki.domains)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| login_security | Class | [login_security] | No | |

login_security (meraki.domains.organizations)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enforce_password_expiration | Boolean | true, false | No | |
| password_expiration_days | Integer | min: 1, max: 365 | No | |
| enforce_different_passwords | Boolean | true, false | No | |
| num_different_passwords | Integer | min: 1, max: 10 | No | |
| enforce_strong_passwords | Boolean | true, false | No | |
| enforce_account_lockout | Boolean | true, false | No | |
| account_lockout_attempts | Integer | min: 1, max: 10 | No | |
| enforce_idle_timeout | Boolean | true, false | No | |
| idle_timeout_minutes | Integer | min: 1, max: 1440 | No | |
| enforce_two_factor_auth | Boolean | true, false | No | |
| enforce_login_ip_ranges | Boolean | true, false | No | |
| login_ip_ranges | List | Any[IP or String[matches: `^((25[0-5] | 2[0-4][0-9] | [01]?[0-9][0-9]?).)3(25[0-5] |
| api_authentication | Class | [api_authentication] | No | |

api_authentication (meraki.domains.organizations.login_security)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enabled | Boolean | true, false | No | |
| ranges | List | Any[IP or String[matches: `^((25[0-5] | 2[0-4][0-9] | [01]?[0-9][0-9]?).)3(25[0-5] |

Examples

Example-1: The example below demonstrates login security configuration.
This configuration implements organization-wide authentication security policies and access controls. The example includes password requirements, session management, API access controls, and multi-factor authentication settings for comprehensive administrative security.
The login_security settings enforce various security policies for user authentication:
- Password expiration is enabled, requiring users to change their password every 11 days.
- Users must choose new passwords different from their last 5 passwords.
- Strong passwords are enforced, requiring at least 8 characters that contain 3 of the following: number, uppercase letter, lowercase letter, and symbol.
- Account lockout is enabled after 5 consecutive failed login attempts.
- Idle sessions are logged out after 90 minutes of inactivity.
- Two-factor authentication and IP range restrictions are disabled.
- API authentication is disabled, with no IP ranges specified.

```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          login_security:
            enforce_password_expiration: true # Boolean indicating whether users are forced to change their password every X number of days.
            password_expiration_days: 11 # Number of days after which users will be forced to change their password.
            enforce_different_passwords: true # Boolean indicating whether users, when setting a new password, are forced to choose a new password that is different from any past passwords.
            num_different_passwords: 5 # Number of recent passwords that new password must be distinct from.
            enforce_strong_passwords: true # Boolean indicating whether users will be forced to choose strong passwords for their accounts. Strong passwords are at least 8 characters that contain 3 of the following: number, uppercase letter, lowercase letter, and symbol
            enforce_account_lockout: true # Boolean indicating whether users' Dashboard accounts will be locked out after a specified number of consecutive failed login attempts.
            account_lockout_attempts: 5 # Number of consecutive failed login attempts after which users' accounts will be locked.
            enforce_idle_timeout: true # Boolean indicating whether users will be logged out after being idle for the specified number of minutes.
            idle_timeout_minutes: 90 # Number of minutes users can remain idle before being logged out of their accounts.
            enforce_two_factor_auth: false # Boolean indicating whether users in this organization will be required to use an extra verification code when logging in to Dashboard. This code will be sent to their mobile phone via SMS, or can be generated by the authenticator application.
            enforce_login_ip_ranges: false # Boolean indicating whether organization will restrict access to Dashboard (including the API) from certain IP addresses.
            login_ip_ranges: [] # List of acceptable IP ranges. Entries can be single IP addresses, IP address ranges, and CIDR subnets.
            api_authentication:
              enabled: false
              ranges: []
```
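
A pre-deployment check for a login_security block like the one above, added here as an example; it is not part of the Meraki data model or its tooling. It applies the integer limits from the class table. The pairing of each enforce_* flag with its value, the choice to report disabled two-factor and IP restrictions, and the names `audit_login_security` and `EXAMPLE_1` are assumptions of this example.

```python
import ipaddress

# Integer limits from the login_security table on this page.
BOUNDS = {"password_expiration_days": (1, 365), "num_different_passwords": (1, 10),
          "account_lockout_attempts": (1, 10), "idle_timeout_minutes": (1, 1440)}
# Each enforce_* flag and the value it needs (pairing inferred from field names).
PAIRS = {"enforce_password_expiration": "password_expiration_days",
         "enforce_different_passwords": "num_different_passwords",
         "enforce_account_lockout": "account_lockout_attempts",
         "enforce_idle_timeout": "idle_timeout_minutes",
         "enforce_login_ip_ranges": "login_ip_ranges"}
# Controls reported when switched off: a policy choice of this example.
EXPECTED_ON = ("enforce_two_factor_auth", "enforce_login_ip_ranges")


def audit_login_security(cfg):
    """Return sorted (severity, field, message) findings for one login_security block."""
    findings = []
    for field, (low, high) in BOUNDS.items():
        value = cfg.get(field)
        # type() check rejects booleans, which Python otherwise accepts as integers.
        if value is not None and not (type(value) is int and low <= value <= high):
            findings.append(("error", field, f"must be an integer in {low}..{high}"))
    for flag, companion in PAIRS.items():
        if cfg.get(flag) is True and not cfg.get(companion):
            findings.append(("error", flag, f"enabled but {companion} is not set"))
    for flag in EXPECTED_ON:
        if cfg.get(flag) is not True:
            findings.append(("warn", flag, "control is disabled"))
    for entry in cfg.get("login_ip_ranges") or []:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a single IP or CIDR; left to the schema's pattern check
        if net.prefixlen == 0:
            findings.append(("warn", "login_ip_ranges", f"{entry} matches every address"))
    return sorted(findings)


# Constructed input: the login_security values from Example-1 as a Python dict.
EXAMPLE_1 = {
    "enforce_password_expiration": True, "password_expiration_days": 11,
    "enforce_different_passwords": True, "num_different_passwords": 5,
    "enforce_strong_passwords": True,
    "enforce_account_lockout": True, "account_lockout_attempts": 5,
    "enforce_idle_timeout": True, "idle_timeout_minutes": 90,
    "enforce_two_factor_auth": False,
    "enforce_login_ip_ranges": False, "login_ip_ranges": [],
}

if __name__ == "__main__":
    for finding in audit_login_security(EXAMPLE_1):
        print(*finding, sep=": ")
```

For Example-1 the check reports only the two disabled controls; an out-of-range integer, an enabled flag with no value, or an allowlist entry covering every address is reported as a separate finding.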