Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2955
Views
0
Helpful
4
Replies

Jabber Certificate-Based Authentication on MDM-managed iPhones

klopez138
Level 1
Level 1

‎12-12-2017 04:24 AM - edited ‎03-17-2019 07:14 PM

We are currently trying to register Jabber clients on MDM-managed (Intune) iPhones using MRA through our Expressway-E (version X8.10.2) appliance. We're attempting to use certificate based authentication that uses the certificate that is issued to iOS devices from our internal PKI when they are enrolled into Intune. We are using a clustered CUCM (version 11.5.1.11900-26) that is configured for SAML SSO via ADFS. We are able to register Jabber clients using cert-based auth when the registration is sourced from our internal LAN going directly to the CUCM cluster, but we are unable to get the Expressway to "broker" the cert-based auth requests from the internet. When registering through the expressway from the internet, users are still presented with our ADFS login page and have to enter their AD credentials to register Jabber, when compared to iPhones on our corporate wireless, the Jabber registration succeeds without entering username and password. We've consulted all related documentation on this issue and can't locate any specific information on how to configure what exactly we are trying to do.Any help is appreciated.

2 people had this problem
0 Helpful
4 Replies 4

Cyril Albert
Level 1
Level 1

‎12-21-2017 12:06 PM

Hi,

 

It seems an IdP Proxy should be installed in the DMZ. Do you have one in your design?

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html#pgfId-1217340

 

HTH

 

Cyril

0 Helpful

klopez138
Level 1
Level 1
In response to Cyril Albert

‎01-24-2018 05:13 AM

Yes. We have an ADFS proxy server in our DMZ. In fact, I think that is where the issue lies. I suspect that that the ADFS configuration is what is causing the issue. When trying to authenticate through the expressway, there is no drop-down or prompt on the ADFS login page to select the certificate to be used to authenticate.

0 Helpful

karen.johnson5801
Level 1
Level 1
In response to Cyril Albert

‎10-23-2018 01:03 PM

hi expert,

 

anyone has successfully deploy this finally ?

 

K

0 Helpful

ALEX CULVER
Level 1
Level 1
In response to karen.johnson5801

‎11-12-2018 01:12 PM

I have this issue too, have had for a long time, just now getting around to looking at correcting...

 

we can use UPN at the username prompt and get passed the logon, but clearly, the prompt is a fallback from what should be seamless sso SSO process.

 

i too do not use an IDP proxy, just the idp.....

 

reading, i have to wonder if the UID being returned in the claim just doesn't match to my userid in cucm.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents