cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1383
Views
5
Helpful
2
Replies
Highlighted
Beginner

Difference between BYOD, CWA, LWA, Portals etc functionality

Hi!

 

Although I understand the main concept but I have confusion about why there are so many web related things available in ISE. I beleive BYOD is the best thing that you register your device to ISE and its easy to go. I havent checked the full configuration of BYOD but go through CWA,LWA and sponsor portals.

 

Can anyone describe more in terms of examples like where we can use CWA,LWA, Sponsor portals?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

Re: Difference between BYOD, CWA, LWA, Portals etc functionality

Hi
Byod is there to onboard non corporate devices for known users into your network and give them access to all or some services.

Cwa, lwa and sponsor are mostly related for guest access.
Sponsor is a web portal to create guest users order validate guest users for auto enrolment guest process.
CWA is centralized web portal hosted in the ISE server. This is a portal where guests enter their credentials to get an internet access for example.
LWA has the same role as CWA. The minding for lwa is that device is doing http(s) interception to redirect the user to its own portal or even an external portal (which could also be the ISE web portal).

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

2 REPLIES 2
Highlighted
VIP Advisor

Re: Difference between BYOD, CWA, LWA, Portals etc functionality

Hi
Byod is there to onboard non corporate devices for known users into your network and give them access to all or some services.

Cwa, lwa and sponsor are mostly related for guest access.
Sponsor is a web portal to create guest users order validate guest users for auto enrolment guest process.
CWA is centralized web portal hosted in the ISE server. This is a portal where guests enter their credentials to get an internet access for example.
LWA has the same role as CWA. The minding for lwa is that device is doing http(s) interception to redirect the user to its own portal or even an external portal (which could also be the ISE web portal).

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Highlighted
Beginner

Re: Difference between BYOD, CWA, LWA, Portals etc functionality

Web authentication on the wireless network can be done with the help of Cisco ISE server.

2 types of web authentification:

  • Local
     LWA (Local Web Authentication)
     two certificates required: onefor WLC and one for ISE
  • Central
     CWA (Central Web Authentication)
     only one certificate required (for ISE)

First type (LWA) – the WLC redirects HTTP traffic to an internal or external server, where the user is offered the option of entering the credentials. WLC then downloads these credentials (sent via the HTTP GET request, in the case of an external server) and tries RADIUS authentication. In the case of a guest user, an external server is required (eg ISE or NAC Guest Server (NGS)) because the portal provides options such as device registration and self-provisioning.

The LWA process follows the following steps:

  • The user is associated with an SSID that uses web authentication
  • The user opens his browser
  • WLC redirects it to the guest portal (eg ISE or NGS) as soon as a user enters a URL
  • The user is authenticated on the portal
  • The guest portal redirects the user back to the WLC-enabled credentials
  • WLC authenticates a guest user via RADIUS
  • WLC redirects back to the original URL.

This process involves many redirects. LWA also requires 2 certificates; one on the WLC, and the other on the ISE.

The new approach, which simplifies the authentication process, is with the help of central web authentication – CWA (running from ISE version 1.1 and WLC version 7.2 … so long ago).

In this case, only one certificate is required – on the Cisco ISE … because the controller only passes the authentication request.

The CWA process follows the following steps:

  • The user is associated with an SSID that uses web authentication
  • The user opens his browser
  • WLC redirects it to the guest portal
  • The user is authenticated on the portal
  • ISE sends the RADIUS CoA message (Change of Authorization – UDP Port 1700) to emphasize to the WLC that the user has entered credentials correctly and possibly sends RADIUS attributes such as Access Control List (ACL)
  • The user is reminded that it is necessary to re-enter the desired URL.

https://timnetworks.rs/wpe/2019/07/01/lwa-and-cwa-for-cisco-wlc-and-mobility-express/