Solved: CWA Chaining with Intune

pcno · ‎06-27-2020

Hi all,

I have an Intune setup which provides a client authentication certificate via SCEP and this certificate will be used to Authenticate with Cisco ISE to connect WIFI.

Is it possible for me to use CWA chaining for extra security in this scenario?

If anybody has a proper document on CWA chaining step by step config please share it with me.

Thanks

Greg Gibbs · ‎06-29-2020

I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697

There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.

View solution in original post

Greg Gibbs · ‎06-29-2020

I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697

There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.

Andrii Oliinyk · ‎10-03-2021

Hi Greg

in absence of EAP-TEAP & EAP-FASTv2, for the EAP with CWA chaining i guess we still need MAR enforced, correct? no sources confirming this unfortunately

Greg Gibbs · ‎10-03-2021

No, CWA Chaining does not leverage MAR. It uses URL redirection as a result of a successful 802.1x machine auth to direct the user to a pre-configured CWA guest portal. Upon logging into that CWA portal with their username/password, they would be authorised on the network.

There is no EAP Chaining or 'was machine authenticated' (MAR) state tracked for the session. Technically, it is just a webauth session, but you are using a successful 802.1x auth to provide the CWA portal to the user for login.