Greg Gibbs
Cisco Employee


With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials.

The use of Azure AD credentials is an alternative to using a certificate-based method such as EAP-TLS (which requires certificate provisioning) or PEAP-MSCHAPv2. It can mitigate concerns with using other password-based authentication methods (like PEAP-MSCHAPv2) as it uses the employee’s email address as the username rather than exposing their on-premise Active Directory attributes such as sAMAccountName.



Cisco recommends that you have knowledge of these topics:

  • Cisco ISE 3.0
  • Basic knowledge about SAML SSO deployments
  • Azure AD

Components Used

This configuration example is based on the following environment:

  • ISE 3.0 patch 2
  • AireOS-based Wireless LAN Controller (2500, 5500, etc) with software version 8.5 or higher
  • A separate Wireless SSID using Open authentication
  • Basic open internet access for employees
  • Azure AD user accounts associated with a BYOD Security Group

The following diagram illustrates the logical flow for the solution.

byod flow diagram.png

The lab used to validate the solution uses a single WLC, but the same solution will also work with a Foreign & Guest Anchor architecture.


The configuration herein assumes that an SSID has been created on the WLC for the BYOD network and the WLC has already been configured as a Network Device in ISE.

See the AireOS WLC configuration for ISE document for Open SSID WLAN configuration and best practices.



SAML IdP Configuration

Step 1 – Create a new SAML Identity Provider for Azure AD


Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers and click Add.

create saml idp.png

Input the Provider Id Name and optional Description values and click Submit.

saml idp name.png

*** NOTE: At the time of this writing, ISE cannot create more than one SAML Id Provider with the same Azure tenant ID.

ISE Policy Elements and BYOD Portal

Step 2 – Create an Allowed Protocols list for MAB (if one is not already created)


Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Add

allowed protocols add.png

Input the Name and optional Description, select only the Process Host Lookup option, and click Submit.

process host lookup.png

Step 3 – Create an Endpoint Identity Group for the BYOD endpoints


Navigate to Administration > Identity Management > Groups > Endpoint Identity Groups and click Add.

eig add.png

Input the Name and optional Description and click Submit.

eig name.png


Step 4 – Configure a Guest Type for the BYOD users

Navigate to Work Centers > Guest Access > Portals & Components > Guest Types and click Create.

guest type create.png

Input the Guest Type Name and optional Description

guest type name.png

Under the Login Options section, select the Endpoint Identity Group previously created.

guest type eig.png

Configure all other preferred settings and click Save.


Step 5 – Configure the BYOD Portal


Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals. Create a new Sponsored Guest Portal or select an existing one.

Input the Portal Name and optional Description.

byod port name.png

In the Portal Settings section, select the SAML IdP from the ‘Authentication method’ drop-down list and the Guest Type from the ‘Employees using this portal as guests…’ drop-down list.

byod portal settings.png

Configure all other preferred settings and click Save.


Azure AD SAML SSO Configuration

Step 6 – Export the SAML IdP info from ISE


Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers and Edit the IdP.

Select the Service Provider Info tab and click Export.

saml export.png


Save and extract the zip file and open the XML file in a text editor. Record the following attribute values:

  • entityID
  • AssertionConsumerService Locations


<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://CiscoISE/655019f2-fa19-4517-a5f6-b59d3110830b">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIF6jCCA9KgAwIBAgIQYH/EmAAAAACOrCYAdmBsQDANBgkqhkiG9w0BAQsFADB5MSUwIwYDVQQD</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
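As an added example (not part of the original article), a small Python script that pulls the two values Step 6 tells you to record out of the exported Service Provider metadata and flags an export that should not be pasted into Azure AD as-is: a blank AssertionConsumerService Location, a Location that is not HTTPS, or WantAssertionsSigned not set to true. The embedded metadata is constructed for the example; the hostname, address and entityID GUID are placeholders, not values from a real ISE deployment.

```python
import xml.etree.ElementTree as ET  # for files from untrusted sources prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample modelled on the Step 6 export; the hostname, address and
# entityID GUID are placeholders, not values from a real ISE deployment.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/00000000-0000-0000-0000-000000000000">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise.example.com:8443/portal/SSOLoginResponse.action" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.1:8443/portal/SSOLoginResponse.action" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Return the values Step 6 says to record, plus the assertion-signing requirement."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = sorted(  # keep the ACS list in index order, as the export shows it
        (int(e.get("index", "0")), e.get("Location", ""))
        for e in sp.findall("md:AssertionConsumerService", NS)
    )
    return {
        "entity_id": root.get("entityID", ""),
        "acs_locations": [loc for _, loc in acs],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }

def check_sp_metadata(xml_text):
    """Problems to fix before pasting the values into Azure AD (Step 8)."""
    info = parse_sp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing")
    if not info["acs_locations"] or "" in info["acs_locations"]:
        problems.append("AssertionConsumerService Location missing")
    if any(not loc.startswith("https://") for loc in info["acs_locations"]):
        problems.append("AssertionConsumerService Location is not HTTPS")
    if not info["wants_signed_assertions"]:
        problems.append("WantAssertionsSigned is not true")
    return problems
```

Run check_sp_metadata() on the unzipped XML from Step 6; an empty list means the entityID and both Locations are ready to paste into the Basic SAML Configuration in Step 8.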


Step 7 – Create a BYOD Security Group in Azure AD


Login to the Azure AD Portal and navigate to Azure Active Directory > Manage > Groups

aad groups.png


Click New Group

new group.png


Configure the desired Group name, click the No members selected link and select the associated BYOD user accounts. Click Create.

group members.png


Record the Object ID for the new group.

group id.png


Step 8 – Register the Enterprise Application


Navigate to Azure Active Directory > Manage > Enterprise applications

enterprise app.png


Click on New Application

add app.png


Click on Create your own application


create own app.png


Name the application and ensure the Non-gallery option is selected. Click Create.


*** Note: A generic name was used as this application may also be used for other non-BYOD use cases in ISE.


Navigate to Manage > Users and groups

users and groups.png


Click on Add user/group

add usergroup.png


Under Users and groups, click on the link for None selected. Click the BYOD group created earlier and click Select.

select group.png

Navigate to Manage > Single sign-on


In the Basic SAML Configuration section, click Edit.

basic saml edit.png


Paste the entityID and Location values recorded from the XML file in Step 6 and click Save.

saml config.png

In the User Attributes & Claims section, click Edit.

edit claims.png


Click on Add a group claim. Select the Security groups radio button and click Save.

add group claim.png


You should now see the Group claim added with a value of user.groups.

claim added.png


In the SAML Signing Certificate section, click the Download link for the Federation Metadata XML and save the file.

download metadata xml.png

Complete the SAML Configuration in ISE

Step 9 – Configure the SAML IdP settings


Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers.

Select the SAML IdP and click on the Identity Provider Config tab.

Click the Browse button and select the Federation Metadata XML file downloaded from Azure in the previous step.

idp browse.png


Select the Groups tab and input the following URL for the Group Membership Attribute.

Click the Add button. For the ‘Name in Assertion’ field, paste the Object ID copied from Azure in Step 7 and input a unique value for the ‘Name in ISE’ field. Click OK.

idp add group.png


Select the Attributes tab and click Add. Input the following values and click OK.

Name in Assertion



Name in ISE



idp add attribute.png


Select the Advanced Settings tab.

Under the Identity Attribute, select the Attribute radio button and select the available claims schema from the drop-down.

Select the same schema from the Email attribute drop-down. Click Save.

idp adv attributes.png


Complete the ISE Policy Configuration

Step 10 – Create the Authorization Profiles


Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add.

Create a new redirect Authorization Profile with the following values and click Submit.

Setting             Example Value
Name                <profile name>
Description         <optional description>
Access Type
Common Tasks        Web Redirection (CWA, MDM, NSP, CPP)
  ACL               <WLC ACL Name>
  Value             <BYOD Portal Name> (e.g. Azure BYOD Portal)


redirect authz prof.png


Create a new Authorization Profile to permit BYOD user access with the following values and click Submit.

Setting             Example Value
Name                <profile name>
Description         <optional description>
Access Type
Common Tasks
  Airespace ACL Name  <WLC ACL Name>



access authz prof.png


Step 11 – Create the Policy Set


Navigate to Policy > Policy Sets and create a new Policy Set matching the BYOD SSID. Select the Allowed Protocols list of MAB created earlier.

Click Save and then click the > symbol next to the new Policy Set.


create policy set.png

Create a new Authentication Policy with a ‘Use’ value of Internal Endpoints. Click the dropdown for Options and set the ‘If User not found’ option to CONTINUE.



authc policy.png


Create the Authorization Policies for the redirection and successful authorizations. Select the access AuthZ Profile created in Step 10 (e.g. AuthZ-Wireless-BYOD) for the access policies and the redirect AuthZ Profile (e.g. AuthZ-Wireless-BYOD-Redirect) for the Default policy. Click Save.



authz policy.png

*** Note: The ‘BYOD User MAB’ policy shown above is there to take advantage of the ‘Remember Me’ Guest feature. This policy can be skipped if that feature is not desired. See the ISE Guest Access Prescriptive Deployment Guide for more information on this feature.

Configure the Wireless LAN Controller

Step 12 – Configure the Wireless LAN Controller Called Station ID


On the WLC, navigate to Security > AAA > RADIUS > Authentication.

Ensure that the drop-down setting for ‘Auth Called Station ID Type’ includes the :SSID value.

auth called station id.png


*** Note: The above configuration is necessary to allow using the Policy Set matching condition for Called-Station-ID in Step 11.

Navigate to Security > AAA > RADIUS > Accounting.


Ensure that the drop-down setting for ‘Acct Called Station ID Type’ includes the :SSID value.

acct called station id.png


Step 13 – Configure the Airespace ACLs used in the ISE Policies


Navigate to Security > AAA > RADIUS > Access Control Lists > Access Control Lists.


Click New and create an Airespace ACL to permit the desired access for the BYOD users.

In this example, a simple ‘permit ip any any’ ACL is used.



acl permit byod.png

Click New and create an Airespace ACL for the URL redirection. At a minimum, the ACL should Permit (bypass redirection) for Inbound/Outbound traffic related to the following.

  • DNS
  • DHCP
  • TCP/8443 traffic for the ISE BYOD Portal (unless a custom port was configured)


byod redirect acl.png


Return to the Access Control Lists page, click on the down-arrow next to the new redirect ACL and select Add-Remove URL.

acl add url.png


Add the following URL String Name values to exempt the traffic from redirection.



url example.png

Verify the configuration

In ISE, navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.

Select the BYOD Portal and click the Test portal URL link.

portal test url.png


The browser will be redirected to the Microsoft login. Sign in with an Azure AD user account that is a member of the BYOD group created in Step 7.



ms login.png


Depending on the settings configured for the BYOD Portal, you should see an AUP or Success page that includes the Azure AD login username.

login success.png

Level 1

Hi Greg,


I strictly followed your excellent guide.

From the test portal it works fine, but it does not work from a client.

It looks like the browser does not send back to ISE the successful response it gets from Azure.


Here you can find my issue.


Any help would be appreciated.

BeomYong Park
Level 1

Your documentation has been a great help in testing ISE.

I have one question for you.

What is the license level of ISE required to apply this document?


Level 1

@BeomYong Park, all you need is Essentials
