topic BYOD Password less solution with Meraki, Cisco ISE and Azure IDP in Network Access Control

BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Tue, 05 Sep 2023 17:24:12 GMT

Hello,

We need to configure SSID in Meraki dashboard for our BYOD network to use a captive portal with SSO authentication. the flow is from Meraki > to ISE > to Azure IDP.

Our goal is to be 100% password less. We will be using certificates for managed device on another SSID but for BYOD devices (phones, tablets, personal computers) we want to internal employees to have the ability to connect password less. Our IDP is configured with password less… that is once you enter your user id the screen provides you a 2-digit number and you enter this number on your authenticator app. With a match you are authenticated. No password needed.

Let me know if anyone has configured the solution.

Regards,

Kunal Shah

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

ahollifield — Wed, 06 Sep 2023 21:00:08 GMT

I would say guest self-registration using SAML is probably the best approach here. You can then cache the MAC address for however long you like and purge as needed using endpoint purge rules.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Wed, 06 Sep 2023 22:51:14 GMT

You should be able to use the same flow as I documented here. As long as Azure is setup for passwordless, the redirect to the MS login should reflect that.

https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-azure-ad/ta-p/4400675

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Thu, 07 Sep 2023 15:31:30 GMT

Thanks, Greg, for sharing the document. I just wanted to make sure following thing.

1). once use enter the credentials like use id only, he will get two-digit code in the authenticator app for validation, am I correct?

2). Is there any issue with directly implementing the solution in production networks?

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Thu, 07 Sep 2023 15:33:14 GMT

Thank you so much for your suggestion. I will discuss this option also with my team.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Thu, 07 Sep 2023 22:34:33 GMT

1. This would be enforced on the Azure side. I never tested passwordless, but as long as everything is setup on the Azure side, I don't see why it wouldn't work. You would definitely want to test it in your environment to see the user experience.

2. The solution I documented was deployed in production by one of our customers to provide basic internet access for their BYOD users. As long as the SSID is segmented from the corporate network, I don't see any issues.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Fri, 08 Sep 2023 15:22:51 GMT

Thanks for reply. it takes a little bit time for us to implement but will let you know if we run into any issue.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Tue, 12 Sep 2023 15:15:41 GMT

Greg,

what should be the format of username after @ when login to Microsoft, it has to be username @xxx.onmicrosoft.com or it can be our company domain name after @ (ex : uesrname@abc.com )

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Tue, 12 Sep 2023 21:56:46 GMT

That would depend on the UPN (User Principal Name) of the user account in Azure AD, which would be entirely dependent on how your specific environment is set up (Azure AD Connect, etc).

The example I documented uses an account with the @xxx.onmicrosoft.com UPN and the ISE Policy is defined based upon that matching condition.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Tue, 12 Sep 2023 22:52:31 GMT

Thanks for Reply. Can you please guide me if we want to set up as per our UPN set up in Azure AD, where should I change in ISE policy?

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Tue, 12 Sep 2023 23:28:16 GMT

I just reviewed that doc again and realised I did not have any matching conditions for the UPN in the ISE policy. I was thinking of a different use case.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Wed, 13 Sep 2023 00:36:11 GMT

Thanks for checking, which means I can continue to configure the steps as described in document without changing any steps, am I correct?

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Thu, 14 Sep 2023 00:29:47 GMT

Essentially, yes, but the document provides an example to prove the concept. As with any example, you'll want to tailor it for your specific environment.

That example also uses an AireOS WLC, so you'll need to tailor it to suit the Meraki wireless guest flow as per the How To: Integrate Meraki Networks with ISE.

I did confirm in my lab this morning that the ISE BYOD flow example does work with passwordless MFA.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Thu, 14 Sep 2023 13:52:07 GMT

Thanks for taking time to validate the ISE BYOD Flow. I really appreciate your help. I will keep you posted if run into any issues.

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Mon, 18 Sep 2023 15:03:25 GMT

Hello Greg,

I have few questions.

1). What is the difference between following highlighted rules in authorization policy, do I need to create both rules?

2). What is purpose of following configuration and what are we trying to accomplish?

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Mon, 18 Sep 2023 22:45:42 GMT

1. This is for the Guest 'Remember Me' feature. See the Guest Access Prescriptive Deployment Guide for more details.

2. That configuration on the WLC exempts those URLs from redirection. The same FQDNs would need to be in the Meraki Walled Garden configuration.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Tue, 19 Sep 2023 15:27:53 GMT

Thanks for a reply.

1). I believe BYOD USER MAB rule is for 'Remember Me' feature. Do I still need to configure other authorization rule called BYOD user?

2). I am not 100% sure, why do we need those URLs to exempt from redirection, if there is no exemption what could be the issue?

Regards,

Kunal

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Thu, 21 Sep 2023 17:42:37 GMT

Hello Greg,

I am having some trouble in testing, when tested with personal phone connecting to test SSID. It is asking me for username, password and challenge, I am not sure why it is asking for password and second thing for apple phone it redirects me to microsoft but after putting my credentials it doesn't allow me to access internet. I have configured the policy same way as in document 1). BYOD MAB user and 2). Default.

Regards,

Kunal

Regards,

Kunal Shah

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

Greg Gibbs — Thu, 21 Sep 2023 22:26:30 GMT

Have you enrolled the phone as a passwordless device in MS Authenticator? That process requires logging in with your credentials first.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone

The description of the policy configuration is not enough to provide assistance.

If you have not configured the three AuthZ Policies as per the example, that is likely the problem. The 'BYOD User' rule is needed to complete the device registration process in ISE. Without that, the 'remember me' MAB-based rule will not match.

Re: BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 — Fri, 22 Sep 2023 00:21:53 GMT

Hello Greg,

In MS authenticator, when I clicked on "Enable Phone sign-in" option , I got following error.

2). I will configure 'BYOD User' policy and test.

Regards,

Kunal