06-27-2020 05:48 AM
Hi all,
I have an Intune setup which provides a client authentication certificate via SCEP and this certificate will be used to Authenticate with Cisco ISE to connect WIFI.
Is it possible for me to use CWA chaining for extra security in this scenario?
If anybody has a proper document on CWA chaining step by step config please share it with me.
Thanks
Solved! Go to Solution.
06-29-2020 04:20 PM
I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697
There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.
06-29-2020 04:20 PM
I don't believe there is a step-by-step guide for CWA Chaining, but this CiscoLive presentation has a section showing how it works - Advanced ISE Services, Tips and Tricks - BRKSEC-3697
There's also a video on LabMinutes related to CWA Chaining. It uses an older version of ISE, but the concept is the same and can be translated to current ISE versions.
10-03-2021 12:37 PM
Hi Greg
in absence of EAP-TEAP & EAP-FASTv2, for the EAP with CWA chaining i guess we still need MAR enforced, correct? no sources confirming this unfortunately
10-03-2021 04:35 PM
No, CWA Chaining does not leverage MAR. It uses URL redirection as a result of a successful 802.1x machine auth to direct the user to a pre-configured CWA guest portal. Upon logging into that CWA portal with their username/password, they would be authorised on the network.
There is no EAP Chaining or 'was machine authenticated' (MAR) state tracked for the session. Technically, it is just a webauth session, but you are using a successful 802.1x auth to provide the CWA portal to the user for login.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide