topic Re: CWA Chaining with Intune in Network Access Control

CWA Chaining with Intune

pcno — Sat, 27 Jun 2020 12:48:17 GMT

Hi all,

I have an Intune setup which provides a client authentication certificate via SCEP and this certificate will be used to Authenticate with Cisco ISE to connect WIFI.

Is it possible for me to use CWA chaining for extra security in this scenario?

If anybody has a proper document on CWA chaining step by step config please share it with me.

Thanks

Re: CWA Chaining with Intune

Greg Gibbs — Mon, 29 Jun 2020 23:20:42 GMT

I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697

There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.

Re: CWA Chaining with Intune

Andrii Oliinyk — Sun, 03 Oct 2021 19:37:21 GMT

Hi Greg

in absence of EAP-TEAP & EAP-FASTv2, for the EAP with CWA chaining i guess we still need MAR enforced, correct? no sources confirming this unfortunately

Re: CWA Chaining with Intune

Greg Gibbs — Sun, 03 Oct 2021 23:35:00 GMT

No, CWA Chaining does not leverage MAR. It uses URL redirection as a result of a successful 802.1x machine auth to direct the user to a pre-configured CWA guest portal. Upon logging into that CWA portal with their username/password, they would be authorised on the network.

There is no EAP Chaining or 'was machine authenticated' (MAR) state tracked for the session. Technically, it is just a webauth session, but you are using a successful 802.1x auth to provide the CWA portal to the user for login.