Jabber Clients MRA & Two Factor Authentication

gzulko
Level 1

We’re running CM/IMP 11.5(SU4) with the latest (MRA) Expressway load and the Jabber for iPhone client. Has anyone implemented a two-factor authentication solution or found a way to limit the number of iPhone Jabber clients that can register with a user’s LDAP account? We only want our users to use their company iPhone for Jabber and not install it on their personal device. It would be great if you could tie the iPhone's caller ID to the Jabber TCT device (Mobility Identity) and limit it that way, but I don’t see that option or whitelisting of devices in Expressway. Can we do this through certificates? I’ve seen something with SSO and IdP mentioned but no details on anyone who has implemented this solution.

Accepted Solution

Ashish is exactly correct. Your only option is user certificates, usually through an MDM solution, so the OS browser authenticates to the SAML IdP using that cert instead of username/password. It’s complicated to set up but easy for Jabber; it doesn’t care how the OS browser authenticates to the IdP, only that it gets a SAML cookie in the end. The user certificate is usually also used for EAP-TLS with corporate WiFi, so the ROI isn’t isolated to Jabber.

One caveat: you’ll need to enable native Safari for this to work with iOS on CUCM, CUC, and Expressway.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_5_1/sysConfig/11_5_1_SU1/cucm_b_system-configuration-guide-1151su1/cucm_b_system-configuration-guide-1151su1_chapter_0101.html#task_B7C8F88E9E0E67A2FA2943611F1A1FF7

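Added example (not code from this thread, from Cisco, or from any MDM vendor): a Go program that models the check the SAML IdP performs when the phone's browser presents an MDM-pushed user certificate instead of a password, which is what makes the "only company phones" requirement enforceable. The issuing CA, the user, and the e-mail SAN used as the identity attribute are all constructed for the demo; a real deployment uses the enterprise PKI the MDM enrols against and may carry the identity as a UPN in a different SAN type. It goes slightly beyond the answer by showing the three rejection cases a defender cares about: a certificate from any other CA (an unmanaged device), a certificate issued for the wrong purpose, and an expired one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a constructed stand-in for the enterprise / MDM issuing CA so the
// example runs offline. It is not a real CA and not part of any product.
type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newKeyAndSerial returns a fresh P-256 key and a random serial number.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return key, serial, err
}

// signAndParse signs tmpl with the given parent and returns the parsed result.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newDemoCA creates a self-signed CA (constructed for this example).
func newDemoCA() (*demoCA, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example Corp MDM Issuing CA (demo)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &demoCA{cert: cert, key: key}, nil
}

// issueUserCert mimics the MDM pushing a user certificate to a managed phone:
// bound to the user's e-mail SAN and carrying the given extended key usage.
func (ca *demoCA) issueUserCert(email string, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{eku},
	}
	return signAndParse(tmpl, ca.cert, &key.PublicKey, ca.key)
}

// identityFromClientCert is the IdP-side check: the chain must end at the
// trusted issuing CA, the certificate must be valid at `now` and permitted for
// client authentication, and exactly one identity attribute must be present to
// map onto the directory (LDAP) account. Anything else is refused.
func identityFromClientCert(cert, trusted *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if len(cert.EmailAddresses) != 1 {
		return "", errors.New("client certificate must carry exactly one e-mail SAN")
	}
	return cert.EmailAddresses[0], nil
}

func main() {
	ca, err := newDemoCA()
	if err != nil {
		panic(err)
	}
	otherCA, _ := newDemoCA() // any CA the IdP does not trust, e.g. a personal device's
	managed, _ := ca.issueUserCert("alice@example.com", x509.ExtKeyUsageClientAuth)
	wrongEKU, _ := ca.issueUserCert("alice@example.com", x509.ExtKeyUsageServerAuth)
	unmanaged, _ := otherCA.issueUserCert("alice@example.com", x509.ExtKeyUsageClientAuth)
	for name, c := range map[string]*x509.Certificate{"managed": managed, "wrong EKU": wrongEKU, "unmanaged": unmanaged} {
		id, err := identityFromClientCert(c, ca.cert, time.Now())
		fmt.Printf("%-10s -> identity=%q err=%v\n", name, id, err)
	}
	_, err = identityFromClientCert(managed, ca.cert, time.Now().Add(72*time.Hour))
	fmt.Println("expired    ->", err)
}
```

The point of the four cases is that the IdP never looks at a password: the only way to obtain a SAML cookie is to hold a private key whose certificate chains to the MDM's CA, so a Jabber install on an unmanaged phone simply has nothing to present. Certificate revocation (CRL/OCSP) is deliberately left out of the demo; in a real IdP it is the control that handles a lost or wiped phone.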

5 Replies

Ashish Patel
Cisco Employee

Hi

Other customers have used their Mobile Device Management (MDM) to push a certificate onto the corporate / paid-for mobile phone and used that to authenticate the device before it is allowed onto the network via Jabber and MRA. This needs assistance from the customer/your MDM team. There is some reference to this method on the Cisco website, but as there are so many MDM vendors it's hard to create a guide.
Search for "Certificate-Based Authentication for Cisco Jabber for Android" or "Certificate-Based Authentication for Cisco Jabber for iPhone and iPad". I think you have referenced this already. There will be a need to test this to ensure you get it right.

Good luck

ashish


gzulko
Level 1

Thank you Ashish and Jonathan for your responses. More homework to do on MDMs.

Hello Gzulko,

Have you implemented this?

Hi, I have already answered your post. IMHO, it doesn't make any sense to ask the same question on multiple old forum threads if you don't even reply on your own post...