MRA Endpoint Certificate authentication

mbuttnerMSI
Level 1

I see in 8.1 VCS documentation it's possible to authenticate devices via certificates configured in Zones.

Can we restrict MRA registrations in Expressway by user certificate? We are deploying endpoint certificates to BYOD devices. No SSO. Running latest Expressway 8.10.

https://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Authenticating-Devices-Deployment-Guide-X8-1.pdf

Accepted Solutions

Jonathan Schulenberg
Hall of Fame

Not at this time with physical phones. MRA relies on username/password credentials. If you want certificate-based authentication you need to use PhoneVPN.

For Jabber clients this is possible if you’re using SSO since authentication happens directly between the Jabber client’s native OS browser and the IdP. Jabber doesn’t care - nor is it aware of - how you authenticate to the IdP. The one footnote to this is that you have to allow cross-launch by protocol handler on iOS. This is disabled by default by an Enterprise Parameter on CUCM and also Expressway.
