Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5151
Views
6
Helpful
2
Replies

Difference between BYOD, CWA, LWA, Portals etc functionality

Go to solution
Capricorn
Level 1
Level 1

‎12-17-2017 04:12 AM - edited ‎02-21-2020 10:41 AM

Hi!

 

Although I understand the main concept but I have confusion about why there are so many web related things available in ISE. I beleive BYOD is the best thing that you register your device to ISE and its easy to go. I havent checked the full configuration of BYOD but go through CWA,LWA and sponsor portals.

 

Can anyone describe more in terms of examples like where we can use CWA,LWA, Sponsor portals?

 

Thanks

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-17-2017 02:48 PM

Hi
Byod is there to onboard non corporate devices for known users into your network and give them access to all or some services.

Cwa, lwa and sponsor are mostly related for guest access.
Sponsor is a web portal to create guest users order validate guest users for auto enrolment guest process.
CWA is centralized web portal hosted in the ISE server. This is a portal where guests enter their credentials to get an internet access for example.
LWA has the same role as CWA. The minding for lwa is that device is doing http(s) interception to redirect the user to its own portal or even an external portal (which could also be the ISE web portal).

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

2 Replies 2

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-17-2017 02:48 PM

Hi
Byod is there to onboard non corporate devices for known users into your network and give them access to all or some services.

Cwa, lwa and sponsor are mostly related for guest access.
Sponsor is a web portal to create guest users order validate guest users for auto enrolment guest process.
CWA is centralized web portal hosted in the ISE server. This is a portal where guests enter their credentials to get an internet access for example.
LWA has the same role as CWA. The minding for lwa is that device is doing http(s) interception to redirect the user to its own portal or even an external portal (which could also be the ISE web portal).

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
JustTakeTheFirstStep
Level 4
Level 4

‎03-29-2020 10:06 PM - edited ‎03-29-2020 10:07 PM

Web authentication on the wireless network can be done with the help of Cisco ISE server.

2 types of web authentification:

  • Local
     LWA (Local Web Authentication)
     two certificates required: onefor WLC and one for ISE
  • Central
     CWA (Central Web Authentication)
     only one certificate required (for ISE)

First type (LWA) – the WLC redirects HTTP traffic to an internal or external server, where the user is offered the option of entering the credentials. WLC then downloads these credentials (sent via the HTTP GET request, in the case of an external server) and tries RADIUS authentication. In the case of a guest user, an external server is required (eg ISE or NAC Guest Server (NGS)) because the portal provides options such as device registration and self-provisioning.

The LWA process follows the following steps:

  • The user is associated with an SSID that uses web authentication
  • The user opens his browser
  • WLC redirects it to the guest portal (eg ISE or NGS) as soon as a user enters a URL
  • The user is authenticated on the portal
  • The guest portal redirects the user back to the WLC-enabled credentials
  • WLC authenticates a guest user via RADIUS
  • WLC redirects back to the original URL.

This process involves many redirects. LWA also requires 2 certificates; one on the WLC, and the other on the ISE.

The new approach, which simplifies the authentication process, is with the help of central web authentication – CWA (running from ISE version 1.1 and WLC version 7.2 … so long ago).

In this case, only one certificate is required – on the Cisco ISE … because the controller only passes the authentication request.

The CWA process follows the following steps:

  • The user is associated with an SSID that uses web authentication
  • The user opens his browser
  • WLC redirects it to the guest portal
  • The user is authenticated on the portal
  • ISE sends the RADIUS CoA message (Change of Authorization – UDP Port 1700) to emphasize to the WLC that the user has entered credentials correctly and possibly sends RADIUS attributes such as Access Control List (ACL)
  • The user is reminded that it is necessary to re-enter the desired URL.

https://timnetworks.rs/wpe/2019/07/01/lwa-and-cwa-for-cisco-wlc-and-mobility-express/

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents