topic Using ISE BYOD Onboarding with SAML and MFA in Network Access Control

Using ISE BYOD Onboarding with SAML and MFA

Roberto.Carmona — Thu, 10 Oct 2019 13:59:28 GMT

hi experts,

Based on the following post: https://community.cisco.com/t5/security-documents/notes-on-okta-as-saml-idp/ta-p/3644284

I have the following question:

I have a customer that has successfully deployed SAML using Okta. SAML has been enabled on the BYOD and Mydevices portal and there are no issues when users authenticate.

The problem with this customer is that endpoints that has been enrolled via BYOD onboarding are not showing within the Mydevices portal when SAML is configured.

If AD/LDAP is used, everything works well.

Is this the expected when using SAML? I assume the endpoints gets mapped differently when using this service and, hence, MyDevice portal DB does not see the association (?)

I also suggested to use Okta as a external radius server. However, they want to discard the option of "push" notification or any other that involves a phone. They prefer the extra MFA that is included in the Okta portal when the users gets redirected there.

thanks in advance,

Re: Using ISE BYOD Onboarding with SAML and MFA

Jason Kunst — Fri, 11 Oct 2019 11:53:54 GMT

Your assumption is correct. I would suggest getting a tac case logged against it so it can be investigated. I’ll forward this to our engineers on BYOD as well

Re: Using ISE BYOD Onboarding with SAML and MFA

Roberto.Carmona — Fri, 11 Oct 2019 16:41:08 GMT

Thanks Jason,

I believe the customer already opened a tac case and the answer was that this is not supported.

I assume, if they go with Okta as radius server instead of SAML, they will be able to see onboarded devices within the Mydevice portal, right?

Re: Using ISE BYOD Onboarding with SAML and MFA

Jason Kunst — Fri, 18 Oct 2019 07:38:54 GMT

yes likely but they would have to validate as we don't test that