Mist Updates – BYoD PSK Portal

Mist folks were busy and, as always, pushed out some cool updates this past Thursday. Here is a quick list of the ones that caught my attention and that I was waiting for.

  • Client onboarding – PSK Portal
  • VRF Configuration
  • Global Application Policies
  • Custom Virtual Routers (SRX)

For full details, please see this link.

“BYoD” is something many organizations struggle with. Device onboarding, certificates, licenses, expensive and complicated NAC solutions, troubleshooting the workflows, security: all of this can get overwhelming. Depending on the organizational needs, there are multiple ways to accomplish this.

Client onboarding – PSK Portal

Client onboarding and PSK Portal are part of the Mist IoT Assurance subscription. Last week’s update pushed out Client onboarding and PSK Portal. This simplifies the BYoD workflow and can be configured using the Mist UI or the APIs. PSK Portal uses BYoD (SSO) and uses an external “IdP” for SAML 2.0 authentication. For my testing, I used “Okta”, but you can also use MS Azure AD. (Note: I tried to use JumpCloud but I could not get it to work. I have created a ticket with their help desk; once I have more information, I will update my post.) Setup with “Okta” is straightforward. You can read about the different setup options using this link.

Mist Setup:

Step one would be to create an “SSID” for the “PSK Portal” to use. Security must be “WPA2/PSK” with multiple passphrases. Under the “VLAN”, choose “List” and add all the “VLANs” that will get assigned to different users.

In step two, I created the “PSK Portal”. From “Organization – Admin – Client onboarding” click on “Add PSK Portal”.

Name the portal whatever you want to name it; I named it based on the VLAN assignment. It can be named based on the group of users, for example, contractors, employees, facilities, executives, etc.

Step three can be “Portal Authorization” but I completed the “PSK Parameters” first.

Next, under “Portal Authorization” I needed to get the “Portal SSO URL”. For now, I just added some generic information so that I can generate that URL.

Okta Configuration

For “Okta” configuration, start with a new “Create app integration” and choose “SAML 2.0”.

Name your app (upload logo if you want to).

Next screen is for the “SAML” settings. I only had to change three fields here as shown.

That should be it. Finish the setup process to complete the Mist setup. For that, I had to open up my app, and navigate to Sign On and “SAML setup”.

Next, I copied the settings from “Okta” to “Mist”, hit save and I’m done.

For testing, I embedded the link on my website. This can allow users to onboard their devices by clicking on the link, and signing in using their credentials (I had users created in “Okta”).

Art of RF – BYoD Onboarding

I am not a video editor, but I’ve tried to create a couple of videos showing the process of a user onboarding a BYoD device. My apologies in advance if something is not clear in the video. Please feel free to leave any feedback and comments if something is not right and/or missing.

Art of RF BYoD – Mist Client Onboarding

In the next video, I will use my phone to scan the QR code and connect to the SSID. NOTE: you can also use the “PSK” displayed here to connect.

Art of RF BYoD – iPhone Video

After the device successfully connects, the Mist portal shows the user and the connected device in the UI.

Art of RF BYoD – Self provisioned client

Once the self-provisioning is complete, you also receive an email with the information. Thanks to Dan LaMay from Mist Systems for pointing that out.

Art of RF BYoD – E Mail from PSK Portal

If any Admin changes the PSK key from the portal, you will get an email with the new QR code and the key.

Art of RF BYoD – PSK Change email

Summary

This is certainly an impressive offering from Mist that can not only simplify BYoD integration but also save costs for organizations planning BYoD and IoT deployments. I am always happy to hear feedback. Let me know if I may have missed anything here, if anything is incorrect, or if you would like to share your use case. Thank you for reading.
