3392 Views · 3 Helpful · 38 Replies

BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589 (Level 1)

Hello,

We need to configure an SSID in the Meraki dashboard for our BYOD network to use a captive portal with SSO authentication. The flow is Meraki > ISE > Azure IDP.

Our goal is to be 100% passwordless. We will be using certificates for managed devices on another SSID, but for BYOD devices (phones, tablets, personal computers) we want internal employees to have the ability to connect passwordless. Our IDP is configured for passwordless; that is, once you enter your user ID, the screen shows you a two-digit number and you enter this number in your authenticator app. With a match you are authenticated. No password needed.

Let me know if anyone has configured the solution.


Regards,

Kunal Shah


38 Replies

I would say guest self-registration using SAML is probably the best approach here.  You can then cache the MAC address for however long you like and purge as needed using endpoint purge rules.

Thank you so much for your suggestion. I will discuss this option also with my team.

Greg Gibbs (Cisco Employee)

You should be able to use the same flow as I documented here. As long as Azure is set up for passwordless, the redirect to the MS login should reflect that.

https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-azure-ad/ta-p/4400675

Thanks, Greg, for sharing the document. I just wanted to confirm the following.

1). Once the user enters credentials (user ID only), will they get a two-digit code in the authenticator app for validation? Am I correct?

2). Is there any issue with directly implementing the solution in production networks?

Regards,

Kunal

1. This would be enforced on the Azure side. I never tested passwordless, but as long as everything is set up on the Azure side, I don't see why it wouldn't work. You would definitely want to test it in your environment to see the user experience.

2. The solution I documented was deployed in production by one of our customers to provide basic internet access for their BYOD users. As long as the SSID is segmented from the corporate network, I don't see any issues.

Thanks for the reply. It will take us a little time to implement, but I will let you know if we run into any issues.

Greg,

What should the format of the username after the @ be when logging in to Microsoft? Does it have to be username@xxx.onmicrosoft.com, or can it be our company domain name after the @ (e.g. username@abc.com)?

Regards,

Kunal

That would depend on the UPN (User Principal Name) of the user account in Azure AD, which would be entirely dependent on how your specific environment is set up (Azure AD Connect, etc).

The example I documented uses an account with the @xxx.onmicrosoft.com UPN and the ISE Policy is defined based upon that matching condition.
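The UPN-matching condition Greg describes, as an added example that is not part of this thread or of Cisco's documentation: a Python script that pulls the UPN out of a SAML assertion (the explicit UPN claim first, falling back to the NameID) and evaluates a domain-suffix authorization rule against it. The SAML Response, the tenant ID in the Issuer and the allowed domain `contoso.onmicrosoft.com` are constructed for illustration; the function names are hypothetical; and signature verification of the assertion is assumed to have already been done by the SAML service provider (ISE in this flow), so it is not repeated here.

```python
# Added example, not code from the thread or from Cisco. Assumes the SAML
# Response has already been signature-verified by the SP (ISE) before the
# UPN is used for an authorization decision.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name Azure AD uses for the user principal name.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def extract_upn(saml_response_xml: str) -> str:
    """Return the UPN from the assertion: UPN claim if present, else NameID."""
    root = ET.fromstring(saml_response_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == UPN_CLAIM:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text:
                return val.text.strip()
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries neither a UPN claim nor a NameID")
    return name_id.text.strip()


def upn_matches_domain(upn: str, allowed_domains) -> bool:
    """Compare the full domain after the last '@', case-insensitively.

    A substring test such as 'onmicrosoft.com' in upn would also accept
    user@contoso.onmicrosoft.com.attacker.example, so the whole label is
    compared instead of a suffix or a substring.
    """
    if "@" not in upn:
        return False
    domain = upn.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}


def authorize(saml_response_xml: str, allowed_domains) -> dict:
    """Hypothetical policy hook: permit only UPNs in an allowed tenant domain."""
    upn = extract_upn(saml_response_xml)
    return {"upn": upn, "permit": upn_matches_domain(upn, allowed_domains)}


# Constructed SAML Response for illustration; tenant GUID and user are fake.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2023-09-18T15:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-09-18T15:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>kunal@contoso.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>kunal@contoso.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE, ["contoso.onmicrosoft.com"]))
```

Whether the UPN ends in `xxx.onmicrosoft.com` or a verified custom domain such as `abc.com`, the rule should list the exact domains the tenant issues and compare the whole domain, never a substring.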

Thanks for the reply. Can you please guide me: if we want to set it up as per our UPN setup in Azure AD, where should I change the ISE policy?

Regards,

Kunal

I just reviewed that doc again and realised I did not have any matching conditions for the UPN in the ISE policy. I was thinking of a different use case. 

Thanks for checking, which means I can continue to configure the steps as described in the document without changing any of them, am I correct?

Essentially, yes, but the document provides an example to prove the concept. As with any example, you'll want to tailor it for your specific environment.

That example also uses an AireOS WLC, so you'll need to tailor it to suit the Meraki wireless guest flow as per the How To: Integrate Meraki Networks with ISE.

I did confirm in my lab this morning that the ISE BYOD flow example does work with passwordless MFA.

Thanks for taking the time to validate the ISE BYOD flow. I really appreciate your help. I will keep you posted if I run into any issues.

Regards,

Kunal

kshah2589 (Level 1)

Hello Greg,

I have a few questions.

1). What is the difference between the following highlighted rules in the authorization policy? Do I need to create both rules?

[screenshot: kshah2589_0-1695049158555.png]

2). What is the purpose of the following configuration, and what are we trying to accomplish with it?

[screenshot: kshah2589_1-1695049294019.png]


Regards,

Kunal