The Mist folks were busy and, as always, pushed out some cool updates this past Thursday. Here is a quick list of the ones that caught my attention and that I was waiting for.
- Client onboarding – PSK Portal
- VRF Configuration
- Global Application Policies
- Custom Virtual Routers (SRX)
- For full details, please see this link
“BYoD” is something many organizations struggle with. Device onboarding, certificates, licenses, expensive and complicated NAC solutions, troubleshooting the workflows, security: all of this can get overwhelming. Depending on the organizational needs, there are multiple ways to accomplish this.
Client onboarding – PSK Portal
Client onboarding and PSK Portal are part of the Mist IoT Assurance subscription. Last week’s update pushed out Client onboarding and PSK Portal. This simplifies the BYoD workflow and can be configured using the Mist UI or the APIs. PSK Portal uses BYoD (SSO) with an external “IdP” for SAML 2.0 authentication. For my testing, I used “Okta”, but you can also use MS Azure AD (Note: I tried to use JumpCloud, but I could not get it to work. I have created a ticket with their help desk; once I have more information, I will update my post). Setup with “Okta” is straightforward. You can read about the different setup options using this link.
Mist Setup:
Step one would be to create an “SSID” for the “PSK Portal” to use. Security must be “WPA2/PSK with multiple passphrases”. Under “VLAN”, choose “List” and add all the “VLANs” that will get assigned to different users.

In step two, I created the “PSK Portal”. From “Organization – Admin – Client onboarding” click on “Add PSK Portal”.

Name the portal whatever you want to name it; I named it based on the VLAN assignment. It can be named based on the group of users, for example, contractors, employees, facilities, executives, etc.

Step three can be “Portal Authorization” but I completed the “PSK Parameters” first.

Next, under “Portal Authorization” I needed to get the “Portal SSO URL”. For now, I just added some generic information so that I can generate that URL.

Okta Configuration
For “Okta” configuration, start with a new “Create app integration” and choose “SAML 2.0”.

Name your app (upload logo if you want to).

Next screen is for the “SAML” settings. I only had to change three fields here as shown.

That should be it. Finish the setup process to complete the Mist setup. For that, I had to open up my app, and navigate to Sign On and “SAML setup”.


Next, I copied the settings from “Okta” to “Mist”, hit save and I’m done.

For testing, I embedded the link on my website. This can allow users to onboard their devices by clicking on the link, and signing in using their credentials (I had users created in “Okta”).

I am not a video editor, but I’ve tried to create a couple of videos showing the process of a user onboarding a BYoD device. My apologies in advance if something is not clear in the video; please feel free to leave any feedback and comments if something is not right and/or missing.
In the next video, I will use my phone to scan the QR code and connect to the SSID. NOTE: you can also use the “PSK” displayed here to connect.

After the device successfully connects, the Mist portal shows the user and the connected device in the UI.


Once the self-provisioning is complete, you also receive an email with the information. Thanks to Dan LaMay from Mist Systems for pointing that out.

If any Admin changes the PSK key from the portal, you will get an email with the new QR code and the key.

Summary
This is certainly an impressive offering from Mist that can not only simplify the BYoD integration but also save cost for organizations planning BYoD and IoT deployments. Always happy to hear feedback. Let me know if I may have missed anything here, if something is incorrect, or if you would like to share your use case. Thank you for reading.