Solved: Using ISE BYOD Onboarding with SAML and MFA

Roberto.Carmona · ‎10-10-2019

hi experts,

Based on the following post: https://community.cisco.com/t5/security-documents/notes-on-okta-as-saml-idp/ta-p/3644284

I have the following question:

I have a customer that has successfully deployed SAML using Okta. SAML has been enabled on the BYOD and Mydevices portal and there are no issues when users authenticate.

The problem with this customer is that endpoints that has been enrolled via BYOD onboarding are not showing within the Mydevices portal when SAML is configured.

If AD/LDAP is used, everything works well.

Is this the expected when using SAML? I assume the endpoints gets mapped differently when using this service and, hence, MyDevice portal DB does not see the association (?)

I also suggested to use Okta as a external radius server. However, they want to discard the option of "push" notification or any other that involves a phone. They prefer the extra MFA that is included in the Okta portal when the users gets redirected there.

thanks in advance,

Jason Kunst · ‎10-11-2019

Your assumption is correct. I would suggest getting a tac case logged against it so it can be investigated. I’ll forward this to our engineers on BYOD as well

View solution in original post

Jason Kunst · ‎10-11-2019

Your assumption is correct. I would suggest getting a tac case logged against it so it can be investigated. I’ll forward this to our engineers on BYOD as well

Roberto.Carmona · ‎10-11-2019

Thanks Jason,

I believe the customer already opened a tac case and the answer was that this is not supported.

I assume, if they go with Okta as radius server instead of SAML, they will be able to see onboarded devices within the Mydevice portal, right?

Jason Kunst · ‎10-18-2019

yes likely but they would have to validate as we don't test that