CWA chaining

vkirchev — Wed, 20 Dec 2017 15:11:10 GMT

Hello team,

We have a customer that requires to check both device certificate (to prevent access of non-corporate laptops) and user identity (username and password). They don't have AD and would like to store the identity in the internal ISE DB. One of the possible solutions discussed was to chain EAP-TLS and CWA but we still have a doubt regarding group information. The attribute we use for that is CWA_ExternalGroups but would it be populated with user group if internal users DB is used for the CWA auth instead of LDAP / AD?

Thanks,

Viktor Kirchev

Re: CWA chaining

Craig Hyps — Wed, 20 Dec 2017 16:21:17 GMT

The CWA identity is assigned the identity used to perform CWA. It is that value which would be used for group lookup. As the common use case is to perform lookup to one of the defined external ID stores, so not sure if specific testing performed for InternalUser>IdentityGroup, but would suggest trying it.

topic CWA chaining in Network Access Control

CWA chaining

Re: CWA chaining