BYOD Password less solution with Meraki, Cisco ISE and Azure IDP

kshah2589
Level 1

Hello,

We need to configure SSID in Meraki dashboard for our BYOD network to use a captive portal with SSO authentication. the flow is from Meraki > to ISE > to Azure IDP. 

Our goal is to be 100% password less.  We will be using certificates for managed device on another SSID but for BYOD devices (phones, tablets, personal computers) we want to internal employees to have the ability to connect password less.   Our IDP is configured with password less… that is once you enter your user id the screen provides you a 2-digit number and you enter this number on your authenticator app.  With a match you are authenticated.  No password needed. 

Let me know if anyone has configured the solution.

Regards,

Kunal Shah

1. This is for the Guest 'Remember Me' feature. See the Guest Access Prescriptive Deployment Guide for more details.

2. That configuration on the WLC exempts those URLs from redirection. The same FQDNs would need to be in the Meraki Walled Garden configuration.

Thanks for the reply.

1) I believe the BYOD USER MAB rule is for the 'Remember Me' feature. Do I still need to configure the other authorization rule called BYOD user?

2) I am not 100% sure why we need those URLs to be exempted from redirection. If there is no exemption, what could be the issue?

Regards,

Kunal

kshah2589
Level 1

Hello Greg,

I am having some trouble in testing. When tested with a personal phone connecting to the test SSID, it is asking me for username, password and challenge; I am not sure why it is asking for a password. Second, for an Apple phone it redirects me to Microsoft, but after putting in my credentials it doesn't allow me to access the internet. I have configured the policy the same way as in the document: 1) BYOD MAB user and 2) Default.

Regards,

Kunal

Have you enrolled the phone as a passwordless device in MS Authenticator? That process requires logging in with your credentials first.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone

The description of the policy configuration is not enough to provide assistance.

If you have not configured the three AuthZ Policies as per the example, that is likely the problem. The 'BYOD User' rule is needed to complete the device registration process in ISE. Without that, the 'remember me' MAB-based rule will not match.

Hello Greg,

In MS Authenticator, when I clicked on the "Enable Phone sign-in" option, I got the following error.

[image: kshah2589_0-1695341591748.png]

2) I will configure the 'BYOD User' policy and test.

Regards,

Kunal

You will have to work with your Azure administrator to enable passwordless sign-in to use the feature. This is controlled purely on the Azure side and nothing ISE has control over.

kshah2589
Level 1

Hello Greg,

I tested again with Windows and Apple devices. Here is the summary.

Apple Phone:

After our earlier discussion in the chat, I have added the "BYOD User" authorization rule, so now I have 3 AuthZ rules. However, I am having the same problem as mentioned earlier with the Apple phone: it redirects me to the Microsoft login page, but after putting in my credentials it doesn't allow me to access the internet.

Company Managed Windows Laptops:

When tested with a company managed Windows laptop, it redirects me to the Microsoft login page, only asking for my email address, and after putting in my email address I got the success page and it allows me to access the internet. However, I noticed it's hitting the Default rule first and then the "BYOD user MAB" rule, but not hitting the "BYOD user" rule.

What am I missing in both the Apple and Windows cases? Can you please suggest next troubleshooting steps?

If you're hitting the 'BYOD user MAB' rule, then the device registration may be completing. You can check the endpoint in Context Visibility to confirm if it shows the expected Identity Group Assignment.

It sounds like the AuthZ is being sent by ISE, so there may be something on the Meraki side that is causing the problem. You might review your Meraki config against this guide.
How To: Integrate Meraki Networks with ISE 

If all else fails, you might need to open a TAC case to investigate in more detail.

Thanks, Greg, for the suggestions.

1) I do see the registration date and the "BYOD_Endpoint" Identity Group for my Windows laptop in Context Visibility >> Endpoints, but I don't see those details for Apple devices. Any further suggestions on the same?

2) It looks like the "BYOD user" AuthZ rule is not required now, as device registration is covered by the "BYOD user MAB" AuthZ rule. Am I correct?

3) I am not sure what you mean by "something on the Meraki side causing the problem", because it looks like it's working for Windows but not for Apple.

Regards,

Kunal

2) No. I suspect at some point, this rule was hit in order to complete the registration process as that's how the 'Remember Me' flow is intended to work. It does no harm to leave it.

1&3) The flow works in my lab with an iPhone. You might try disabling Private Wi-Fi Address (MAC Randomization) on the SSID in case that is causing a problem. Otherwise, please open a TAC case to investigate further.

Thanks, Greg, for the suggestions.

2) I will keep the "BYOD user" rule. I just wanted to make sure whether something is missing on my side, which would be the reason that so far I am not hitting the "BYOD user" rule.

1&3) I disabled MAC randomization, but it didn't work for me. The case is open with Cisco TAC for further investigation; I will keep you posted on our findings.

Regards,

Kunal

kshah2589
Level 1

Hello Greg,

So far with Cisco TAC, we found that the iPhone device is sending RST packets, but we are still researching why the device doesn't want to communicate.

We would also like to know the flow of communication. Can you confirm our understanding is correct?

1) The user device connects to the Open SSID and is then redirected to the ISE portal.

2) ISE redirects the user to the Microsoft login page.

3) The user enters the credentials and Azure AD authenticates the user.

4) The user's browser receives the encoded SAML response with assertion data from Azure AD.

5) The SAML response is sent from the browser to ISE.

6) ISE parses the SAML response, confirms successful authentication and then sends a session CoA.

7) The user is granted internet access.

Let me know if our understanding is correct or not in any of the above steps.

@kshah2589, yes, that is essentially how the flow should behave. At step 6, the SAML assertion responses from Entra ID should also include any other attributes known by the IdP, like 'memberOf'.

You can see an example of the SAML response I captured for another use case here. Unfortunately, I'm not sure there is a SAML tracer tool available for iOS so you would likely only see this communication via a packet capture on the wireless side.
Cisco ISE Sponsor Portal authentication via JumpCloud SSO 
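To make steps 4 to 6 of the flow above, and the 'memberOf' attribute mentioned in the reply, concrete: the script below is an added example (not from this thread, ISE or Entra ID) that decodes a SAMLResponse form value the way a SAML tracer would and pulls out the status, issuer, NameID, audience, validity window and attributes. The response XML is constructed for the example, with a placeholder tenant ID and hostnames; a real Entra ID response is signed and carries more elements.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces (protocol = samlp, assertion = saml).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, minimal response standing in for what the browser POSTs back to
# the ISE portal in step 5; the tenant ID and hostnames are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>kunal@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2023-09-22T00:00:00Z" NotOnOrAfter="2023-09-22T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://ise.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="memberOf">
    <saml:AttributeValue>BYOD-Users</saml:AttributeValue>
    <saml:AttributeValue>Employees</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# The SAMLResponse form field carries the XML base64-encoded.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(encoded: str) -> dict:
    """Decode a SAMLResponse value and return what a SAML tracer would show:
    status, issuer, subject, audience, validity end and attributes."""
    root = ET.fromstring(base64.b64decode(encoded))
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "success": root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(decode_saml_response(SAMPLE_SAMLRESPONSE))
```

On a real capture, feed the function the SAMLResponse value from the browser's POST to the ISE portal; the audience and validity fields are the ones to compare against the ISE portal settings when an assertion is rejected.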

Thanks Greg.

It looks like after disabling Apple CNA on the Meraki side, the Apple phone/iPad can connect to the SSID and is able to access the internet. Did you have to do the same thing for the iPhone to work in your test environment?

Regards,

Kunal

Hi @kshah2589. No, I do not have Captive-Bypass enabled on my lab WLC/WLAN (Cisco 2504).