klopez138
Beginner

Jabber Certificate-Based Authentication on MDM-managed iPhones

We are currently trying to register Jabber clients on MDM-managed (Intune) iPhones using MRA through our Expressway-E (version X8.10.2) appliance. We're attempting to use certificate-based authentication that uses the certificate that is issued to iOS devices from our internal PKI when they are enrolled into Intune. We are using a clustered CUCM (version 11.5.1.11900-26) that is configured for SAML SSO via ADFS. We are able to register Jabber clients using cert-based auth when the registration is sourced from our internal LAN going directly to the CUCM cluster, but we are unable to get the Expressway to "broker" the cert-based auth requests from the internet. When registering through the Expressway from the internet, users are still presented with our ADFS login page and have to enter their AD credentials to register Jabber, whereas on iPhones on our corporate wireless, the Jabber registration succeeds without entering a username and password. We've consulted all related documentation on this issue and can't locate any specific information on how to configure what exactly we are trying to do. Any help is appreciated.

4 REPLIES
Cyril Albert
Beginner

Hi,

It seems an IdP Proxy should be installed in the DMZ. Do you have one in your design?

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html#pgfId-1217340

HTH

Cyril

Yes. We have an ADFS proxy server in our DMZ. In fact, I think that is where the issue lies. I suspect that the ADFS configuration is what is causing the issue. When trying to authenticate through the Expressway, there is no drop-down or prompt on the ADFS login page to select the certificate to be used to authenticate.

Hi expert,

Has anyone successfully deployed this finally?

K

I have this issue too; I've had it for a long time and am just now getting around to looking at correcting it...

We can use the UPN at the username prompt and get past the logon, but clearly the prompt is a fallback from what should be a seamless SSO process.

I too do not use an IdP proxy, just the IdP.....

Reading, I have to wonder if the UID being returned in the claim just doesn't match my user ID in CUCM.
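The last reply's hypothesis (the `uid` value in the SAML claim not matching the CUCM user ID) is something you can check directly against a decoded SAML response captured from your own IdP. The script below is an added example, not code from the thread or from Cisco; it assumes that CUCM's SAML SSO looks for an assertion attribute named `uid` whose value must equal the CUCM end-user ID, and the sample response is constructed for the example rather than captured from a real ADFS. It only inspects the assertion; it does not validate signatures or conditions, so use it for diagnosis, not as a validator.

```python
"""Added example (not from the thread): compare the uid attribute in a SAML
assertion with the CUCM user ID the Jabber client will register with.

Assumptions: CUCM SAML SSO expects an assertion attribute named "uid" equal to
the CUCM end-user ID; SAMPLE_RESPONSE is a constructed, unsigned, minimal
response used only to exercise the check."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP emits the UPN as the uid claim.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="uid">
        <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def extract_uid(response_xml):
    """Return the value of the first 'uid' attribute in the assertion, or None."""
    root = ET.fromstring(response_xml)
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "uid":
            value = attr.find("saml2:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def check_uid_claim(response_xml, cucm_user_id):
    """Classify the uid claim against the expected CUCM user ID.

    Returns "match", "missing", "upn_vs_samaccountname" or "mismatch".
    The UPN case flags the situation the thread describes: the claim carries
    user@domain while the CUCM user ID is the bare account name, so the
    IdP accepts the UPN at the prompt but CUCM cannot map the assertion.
    """
    claimed = extract_uid(response_xml)
    if claimed is None:
        return "missing"
    if claimed == cucm_user_id:
        return "match"
    if "@" in claimed and claimed.split("@", 1)[0] == cucm_user_id:
        return "upn_vs_samaccountname"
    return "mismatch"


if __name__ == "__main__":
    for expected in ("jdoe@example.com", "jdoe", "jsmith"):
        print(expected, "->", check_uid_claim(SAMPLE_RESPONSE, expected))
```

Feed it the base64-decoded SAMLResponse from a browser SAML trace of your own login and the CUCM user ID shown in End User configuration; a result of `upn_vs_samaccountname` points at the ADFS claim rule (emitting UPN rather than the account name, or vice versa) rather than at the Expressway.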