CWA Chaining with Intune

pcno
Level 1

Hi all,

I have an Intune setup which provides a client authentication certificate via SCEP, and this certificate will be used to authenticate with Cisco ISE to connect to Wi-Fi.

Is it possible for me to use CWA chaining for extra security in this scenario?

If anybody has a proper document on CWA chaining step-by-step config, please share it with me.

Thanks

Accepted Solutions

Greg Gibbs
Cisco Employee

I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697

There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.

 


Hi Greg

In the absence of EAP-TEAP & EAP-FASTv2, for the EAP with CWA chaining I guess we still need MAR enforced, correct? No sources confirming this, unfortunately.

No, CWA Chaining does not leverage MAR. It uses URL redirection as a result of a successful 802.1x machine auth to direct the user to a pre-configured CWA guest portal. Upon logging into that CWA portal with their username/password, they would be authorised on the network.

There is no EAP Chaining or 'was machine authenticated' (MAR) state tracked for the session. Technically, it is just a webauth session, but you are using a successful 802.1x auth to provide the CWA portal to the user for login.