Jabber Clients MRA & Two Factor Authentication

We’re running CM/IMP 11.5(SU4) with the latest (MRA) Expressway load and the Jabber for iPhone client. Has anyone implemented a two-factor authentication solution or found a way to limit the number of iPhone Jabber clients that can register with a user’s LDAP account? We only want our users to use their company iPhone for Jabber and not install it on their personal device. It would be great if you could tie the iPhone’s Caller-ID to the Jabber TCT device (Mobility Identity) and limit it that way, but I don’t see that option or whitelisting of devices in Expressway. Can we do this through certificates? I’ve seen something with SSO and IdP mentioned but no details on anyone who has implemented this solution.

Accepted Solution

Re: Jabber Clients MRA & Two Factor Authentication

Ashish is exactly correct. Your only option is user certificates, usually through an MDM solution, so the OS browser authenticates to the SAML IdP using that cert instead of username/password. It’s complicated to set up but easy for Jabber; it doesn’t care how the OS browser authenticates to the IdP, only that it gets a SAML cookie in the end. The user certificate is usually also used for EAP-TLS with corporate WiFi, so the ROI isn’t isolated to Jabber.

One caveat: you’ll need to enable native Safari for this to work with iOS on CUCM, CUC, and Expressway.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_5_1/sysConfig/11_5_1_SU1/cucm_b_system-configuration-guide-1151su1/cucm_b_system-configuration-guide-1151su1_chapter_0101.html#task_B7C8F88E9E0E67A2FA2943611F1A1FF7



Re: Jabber Clients MRA & Two Factor Authentication

Hi

Other customers have used their Mobile Device Management (MDM) to push a certificate onto the corporate mobile / paid-for mobile phone and used that to authenticate the device before it is allowed onto the network via Jabber and MRA. This needs assistance from the customer/your MDM team. There is some reference to this method on the Cisco website, but as there are so many MDM vendors it’s hard to create a guide.
Search for Certificate-Based Authentication for Cisco Jabber for Android or Certificate-Based Authentication for Cisco Jabber for iPhone and iPad. I think you have referenced this already. There will be a need to test this to ensure you get it right.

Good luck

ashish


Re: Jabber Clients MRA & Two Factor Authentication

Thank you Ashish and Jonathan for your responses. More homework to do on MDMs.
