Beginner

Using ISE BYOD Onboarding with SAML and MFA

Hi experts,

 

Based on the following post: https://community.cisco.com/t5/security-documents/notes-on-okta-as-saml-idp/ta-p/3644284

I have the following question:

 

I have a customer that has successfully deployed SAML using Okta. SAML has been enabled on the BYOD and Mydevices portal and there are no issues when users authenticate.

The problem with this customer is that endpoints that have been enrolled via BYOD onboarding are not showing within the Mydevices portal when SAML is configured.

If AD/LDAP is used, everything works well.

 

Is this expected when using SAML? I assume the endpoints get mapped differently when using this service and, hence, MyDevice portal DB does not see the association (?)

 

I also suggested using Okta as an external RADIUS server. However, they want to discard the option of "push" notification or any other that involves a phone. They prefer the extra MFA that is included in the Okta portal when the users get redirected there.

 

Thanks in advance,

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Using ISE BYOD Onboarding with SAML and MFA

Your assumption is correct. I would suggest getting a TAC case logged against it so it can be investigated. I’ll forward this to our engineers on BYOD as well.
Beginner

Re: Using ISE BYOD Onboarding with SAML and MFA

Thanks Jason,

 

I believe the customer already opened a TAC case and the answer was that this is not supported.

 

I assume, if they go with Okta as RADIUS server instead of SAML, they will be able to see onboarded devices within the Mydevice portal, right?