
Enable Multi factor authentication for Jabber MRA login

NOCNOC80902
Level 1

Dear all,

We have been requested to enable MFA for Jabber login through MRA only, and we have RSA as the external IDP.

What is the configuration part to forward the authentication request to the IDP after the user sends his username and password?

SSO and SAML is not required.

Internal Jabber is not required.

Has anyone tested that?


b.winter
VIP

Whatever MFA methods you want to use depends on the IDP and not on Cisco (Expressway, Jabber).
You need to activate SAML SSO in the Expressway to use MFA via IDP. The IDP has to be directly reachable by Jabber on the internet.

And even if you don't use Jabber internally, you still have to do all the configs for MRA to work.

Thanks b.winter,

Do I need to enable SSO and SAML in CUCM and Unity as well, or on Expressway only?

We rely on ADFS and RSA as SSO and IDP, but both are on premises and smartphones are connecting from the internet. Do we need reachability between the IDP and smartphones, or will the Expressway intercept the authentication and pass the OTP to Jabber clients?

If MFA is not supported, how easy is it to limit the Jabber MRA login to the enrolled devices only?

1) You can have SSO enabled on Expressway only.
2) Jabber on the internet needs to reach the IDP directly, Expressway won't intercept it.
3) Enroll a company certificate to the phone (e.g. via MDM software) and check the certificate as an authentication factor.

But again, your IDP has to support the MFA you want to have, not the Expressway. Expressway doesn't care how the authentication works, because it is not involved. Only the IDP and the device are involved in this phase, that's why the device needs to have direct reachability to the IDP.

Thanks so much for your response.

I have a discussion with Cisco TAC, and they always advise enabling SSO in CUCM and CUC, which I don't agree with, as the scope is only MRA clients.

Since the IDP will not be accessible to the Jabber MRA clients, the best option is certificate-based authentication. Would you please share more detail on the configuration part in Expressway C and E, and also what is required to share with the MDM team?

Certificate-based authentication was just another example of the authentication method, just like MFA. So you too need SSO via IDP.
If you cannot enable SSO, because the reachability is not given between the device and IDP, then you cannot do anything else than standard username / password authentication.
For everything else, you need SSO.

marcoperson250
Level 1

If you are enabled to log in to MFA for Jabber Mobile,

First, you log in to the CUCM, then choose End User, then choose the Jabber user account. You will fill out the user setting option and then select an MFA-inclusive authentication rule. Then conserve the modification, and then you will verify.