CWA chaining

vkirchev
Cisco Employee

Hello team,

We have a customer that needs to check both the device certificate (to prevent access by non-corporate laptops) and the user identity (username and password). They don't have AD and would like to store the identity in the internal ISE DB. One of the possible solutions discussed was to chain EAP-TLS and CWA, but we still have a doubt regarding group information. The attribute we use for that is CWA_ExternalGroups, but would it be populated with the user group if the internal users DB is used for the CWA auth instead of LDAP / AD?

Thanks,

Viktor Kirchev

Accepted Solutions

Craig Hyps
Level 10

The CWA identity is assigned the identity used to perform CWA. It is that value which would be used for group lookup. As the common use case is to perform the lookup against one of the defined external ID stores, I am not sure if specific testing was performed for InternalUser>IdentityGroup, but I would suggest trying it.
