09-05-2023 07:49 AM - last edited on 09-05-2023 10:24 AM by shaiksh
Hello,
We need to configure an SSID in the Meraki dashboard for our BYOD network to use a captive portal with SSO authentication. The flow is from Meraki > to ISE > to Azure IDP.
Our goal is to be 100% passwordless. We will be using certificates for managed devices on another SSID, but for BYOD devices (phones, tablets, personal computers) we want internal employees to have the ability to connect passwordless. Our IDP is configured with passwordless… that is, once you enter your user ID the screen provides you a 2-digit number and you enter this number in your authenticator app. With a match you are authenticated. No password needed.
Let me know if anyone has configured the solution.
Regards,
Kunal Shah
10-19-2023 02:21 PM
Thanks Greg for your reply.
After your earlier comment on your lab testing about iPhone, what's your recommendation?
Should we disable Apple CNA and move forward with our setup, or are we missing something?
10-19-2023 03:02 PM
I would suggest keeping the CNA Bypass feature enabled and moving forward. Apple is known to change things without much warning in their CNA which can cause other issues.
10-20-2023 06:24 AM
Thanks for your valuable suggestions.
1) While looking at Endpoints in Context Visibility, I am curious to know what makes the Identity Store Azure_SAML for certain endpoints while for others it is Internal Endpoints.
2) What criteria decide when and how frequently the user has to reauthenticate to the portal?
Regards,
Kunal
10-24-2023 08:21 AM
Hello Greg,
I hope you are doing well.
1) Did you get a chance to look at and give your suggestions about the earlier questions I asked?
2) We have a secondary ISE node in our environment. Do I need to make any additional changes in the setup to make it work?
3) Does the user somehow know once their endpoint is purged from the database and they need to reauthenticate?
Regards,
Kunal
10-24-2023 09:06 PM
The Internal Endpoints Identity Store is used for sessions using MAB.
Typically, the session timeout on the WLC/SSID is what requires the user to reauthenticate, but with the 'Remember Me' flow, the endpoint purge will force the user to reauthenticate to the portal.
Please start a new discussion for topics not specifically related to the initial post.
10-26-2023 06:37 AM
Thanks Greg for reply.
11-22-2023 06:26 AM
Hello,
While testing the BYOD flow, from time to time we are facing the following error in the screenshot. We are not sure what could be the reason. Is there any way we can remediate the issue?
We already have the following websites in the Meraki walled garden as per the documents. Are we missing anything else?
login.microsoftonline.com
aadcdn.microsoftonline-p.com
aadcdn.msauth.net
Let me know if any suggestions.
11-29-2023 05:17 PM - edited 11-29-2023 05:26 PM
The URL redirect shows 'device.login.microsoft.com' which might not be permitted by the specific URLs defined in your Walled Garden. You might try allowing all subdomains as well using the following URLs instead.
*.login.microsoftonline.com
*.aadcdn.microsoftonline-p.com
*.aadcdn.msauth.net
If that still does not work, you might also try adding some of the domain URLs documented here:
https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud
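As an added illustration (not part of the original reply), here is a small check of which redirect hosts a walled-garden list actually covers. It assumes a leading `*.` matches any subdomain but not the bare domain itself, which is why the bare entries are kept alongside the wildcards; the sample hosts and URLs are constructed from the names mentioned in this thread.

```python
from urllib.parse import urlparse

# Constructed sample lists: the exact entries from the question and the
# wildcard entries from the reply above.
EXACT_ENTRIES = [
    "login.microsoftonline.com",
    "aadcdn.microsoftonline-p.com",
    "aadcdn.msauth.net",
]
WILDCARD_ENTRIES = [
    "*.login.microsoftonline.com",
    "*.aadcdn.microsoftonline-p.com",
    "*.aadcdn.msauth.net",
]


def host_allowed(host, entries):
    """Return True if host is covered by one of the walled-garden entries.

    Assumption: '*.example.com' covers any subdomain of example.com but not
    example.com itself, so a bare entry is still needed for the apex host.
    """
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith("." + entry[2:]):
                return True
        elif host == entry:
            return True
    return False


def uncovered_hosts(redirect_urls, entries):
    """Given redirect URLs seen during a portal login, list the hosts that
    no walled-garden entry covers (i.e. the ones that would be blocked)."""
    hosts = [urlparse(u).hostname for u in redirect_urls]
    return [h for h in hosts if h and not host_allowed(h, entries)]


if __name__ == "__main__":
    # Constructed redirect URLs, including the one named in the reply above.
    seen = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://device.login.microsoft.com/device/authenticate",
    ]
    print(uncovered_hosts(seen, EXACT_ENTRIES + WILDCARD_ENTRIES))
```

Run against real redirect URLs captured from a failing login, the output lists exactly the hosts that still need a walled-garden entry.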
11-30-2023 05:46 AM
Thanks Greg for your response, that is what I am also suspecting. I will add them to the walled garden and let you know if there is any issue.