Contributor II

CPPM Extensions Intune Integration V3.0

Hi,

 

I need some help with how to use Intune as an authorization source. I was asked to implement ClearPass at a customer. They use MSFT Azure and Intune for the majority of their devices but still have a generic MSFT AD infrastructure too.

 

Side note: I'm new to Intune and Azure. I stopped administrating MSFT AD at W2003 and had never heard of Intune or Azure before this project. The deadline is pretty steep too (delivery end of this week), but I have found a workaround which is less secure.

 

I got the integration working, following the Technote Extensions Intune Integration V3.0 written by Danny Jump. I see communication in the API logs, and the Intune admin confirmed seeing communication too, so I'm guessing that I did it right. I fail to use the Intune authentication in my enforcement policy though.

 

I'm doing dot1x (wired and wireless), use AD for user authentication (Tips:Role equals [User Authenticated]) and want to check if the computer is Intune managed, or the owner is the organisation, or something similar, to make a difference in enforcing a company-owned or a BYOD device that was set up for 802.1X, like you would check for Tips:Role equals [Machine Authenticated] in a generic AD.

The Windows authentication tab is set for user or computer authentication, so I see the dot1x requests in the Access Tracker.

Using the attributes created as per the technote fails. The next valid enforcement rule is successfully enforced.

 

Is there another document specifying what the attributes are and what else is out there (like a RADIUS dictionary)? I cannot find it on Airheads or the web.

Is there a way to check if an attribute is picked up and what the value would be? It's not showing in the Access Tracker (since the enforcement rule is skipped).

Wouldn't some of these attribute data types need to be Boolean, since they are true or false (like msft_isManaged)?

Does anyone have some pointers where to go next?

 

Thanks, Erik

 

 

Guru Elite

Re: CPPM Extensions Intune Integration V3.0

Put the extension into debug mode and then take a look at the logs (GET /extension/instance/{id}/log).

 

Regarding the attributes, the data types shown in the technote are correct.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
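The log pull suggested above, as an added example (not from the technote or from Aruba): it fetches the extension instance log over the ClearPass REST API and then filters it for a single client MAC, which is the quickest way to answer "did ClearPass actually ask Intune about this device, and what came back?". Assumptions, to be checked against your own CPPM's API Explorer: the OAuth endpoint `POST /api/oauth` with a `client_credentials` grant, the log path `/api/extension/instance/{id}/log` named in the reply, and the sample log lines, which are constructed here and do not reproduce the real extension's log format.

```python
"""Fetch a ClearPass extension instance log and grep it for one client MAC.

Added example, not Aruba's code. Assumed API surface (verify in API Explorer):
  POST https://<cppm>/api/oauth                      -> {"access_token": ...}
  GET  https://<cppm>/api/extension/instance/{id}/log -> plain-text log
"""
import json
import re
import ssl
import urllib.request

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
# The \b anchors stop it from eating the first 12 hex digits of a longer token.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:\-.]?){5}[0-9A-Fa-f]{2}\b")


def log_url(cppm_host: str, instance_id: str) -> str:
    """Per-instance log URL; path as given in the reply above (assumed prefix /api)."""
    return f"https://{cppm_host}/api/extension/instance/{instance_id}/log"


def get_token(cppm_host: str, client_id: str, client_secret: str, ctx=None) -> str:
    """OAuth2 client-credentials grant against CPPM (assumed endpoint /api/oauth)."""
    body = json.dumps({"grant_type": "client_credentials",
                       "client_id": client_id,
                       "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"https://{cppm_host}/api/oauth", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def fetch_log(cppm_host: str, instance_id: str, token: str, ctx=None) -> str:
    """GET the extension instance log with a bearer token."""
    req = urllib.request.Request(log_url(cppm_host, instance_id),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalize_mac(mac: str) -> str:
    """Lower-case hex with all separators removed, so any notation compares equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def lines_for_device(log_text: str, mac: str) -> list:
    """Return every log line that mentions `mac`, whatever separator style it uses."""
    want = normalize_mac(mac)
    return [line for line in log_text.splitlines()
            if any(normalize_mac(tok) == want for tok in MAC_RE.findall(line))]


# Constructed sample, labelled as such: not the real extension's log format.
SAMPLE_LOG = """\
2019-03-05 10:12:01 [INFO] query mac=00-1A-2B-3C-4D-5E
2019-03-05 10:12:01 [INFO] intune response for 001a2b3c4d5e: isManaged=true deviceOwner=company
2019-03-05 10:12:03 [INFO] query mac=aa:bb:cc:dd:ee:ff
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample.
    for line in lines_for_device(SAMPLE_LOG, "00:1a:2b:3c:4d:5e"):
        print(line)
    # Live use (placeholders; keep TLS verification on and trust the CPPM CA
    # with ctx.load_verify_locations("cppm-ca.pem") instead of disabling checks):
    # ctx = ssl.create_default_context()
    # tok = get_token("cppm.example.net", "api-client", "secret", ctx)
    # print(lines_for_device(fetch_log("cppm.example.net", "<instance-id>", tok, ctx),
    #                        "00:1a:2b:3c:4d:5e"))
```

Run the live part from a host that can reach the publisher and every subscriber: in a cluster each node runs its own copy of the extension, so check the log on the node that actually handled the request shown in Access Tracker, not just the publisher.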
Moderator

Re: CPPM Extensions Intune Integration V3.0

When a user authNs, what do you see on the INPUT tab under Authorization?

 

Here, if you define the HTTP authZ correctly, you will see the returned values from Intune.


Best Regards
-d

ClearPass Product Manager

Contributor II

Re: CPPM Extensions Intune Integration V3.0

Today we figured it out. I wasn't aware you need to configure the extensions on all ClearPass nodes.

 

When checking the Authorization tab in the Access Tracker, I noticed the Intune fields were filled. The boolean attribute I added to check was also written. Later today I tried again, and connecting to the internal IP address of the HTTP authentication source failed. Then I noticed the client was authenticated against the second CPPM.

We added the extensions to the second node and all is good.

 

Thanks for pointing this out, Herman Robers.

 

rgds, Erik

Contributor II

Re: CPPM Extensions Intune Integration V3.0

Today we encountered some issues with Intune authorisation. Although the authorisation attributes are shown and are right in the Access Tracker, the condition is not met.

 

The attributes used are msft_deviceOwner and msft_isManaged. Removing the isManaged=true condition solved the issue. The isManaged value in the Access Tracker record is shown as true, so the condition should have been met.

 

The API log shows communication with Intune for the device. Both attributes are also used in the wireless enforcement policy, which is still in place, and authorisation works as designed.

 

Yesterday a firewall was added for local guest traffic routing. When a computer does MAC auth, it is marked as a guest device and receives the guest VLAN enforcement profile. The Azure-managed device is doing MAC auth before hitting Ctrl-Alt-Del. Could this have broken the authorisation?

 

Note: the ClearPass/Intune connection hasn't been changed. The Intune API hasn't been changed either and has been running for 6 days now. Only the local guest network routing was changed.

 

Any other ideas? 

 

thanks, Erik
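The decision the first post describes (user authenticated via AD, then corporate vs BYOD from the Intune attributes) and the boolean question raised in that post and again in the last one (a condition on msft_isManaged=true not matching although the tracker shows `true`), as one added example in Python rather than ClearPass policy syntax; it is not the customer's policy nor anything from the technote. The attribute names are the thread's own; the owner values `company` and `personal` are assumed from Microsoft Graph's `managedDeviceOwnerType`, and the role and enforcement profile names are hypothetical. The point it makes is that a value that *displays* as `true` can still fail a type-strict equality check if it arrives as the string `"True"` or as a native boolean, so the comparison normalises the type before deciding. That is one thing to rule out, not a diagnosis of the thread's failure.

```python
"""Corporate vs BYOD decision from the Intune attributes named in this thread.

Added example, not ClearPass policy syntax or the customer's policy.
Assumed: msft_deviceOwner is "company" / "personal" (Graph managedDeviceOwnerType);
role and profile names below are hypothetical stand-ins for the Tips:Role and
enforcement profile names in the thread.
"""

TRUE_STRINGS = {"true", "1", "yes"}
FALSE_STRINGS = {"false", "0", "no", ""}


def naive_is_true(value) -> bool:
    """A type-strict check: only the exact string 'true' passes. Shown for contrast."""
    return value == "true"


def as_bool(value) -> bool:
    """Coerce True/False, 1/0 and 'true'/'False'/'1' to bool; reject anything else.

    Intune attributes come back through an HTTP authorization source, so the
    same flag may arrive as a JSON boolean on one node and a string on another.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    if isinstance(value, str):
        v = value.strip().lower()
        if v in TRUE_STRINGS:
            return True
        if v in FALSE_STRINGS:
            return False
    raise ValueError(f"not a boolean: {value!r}")


def classify(roles: set, intune) -> str:
    """Pick an enforcement profile (hypothetical names) from roles and Intune data.

    roles  : Tips:Role names already assigned, e.g. {"[User Authenticated]"}.
    intune : dict of attributes returned by the Intune HTTP source, or None when
             the lookup returned nothing (device unknown to Intune, or the
             extension on this node is down).
    """
    if "[User Authenticated]" not in roles:
        # MAC auth before Ctrl-Alt-Del: no user yet, so the thread's policy
        # treats it as a guest device.
        return "Guest-VLAN"
    if not intune:
        return "BYOD-Restricted"          # no Intune record: assume personal device
    managed = as_bool(intune.get("msft_isManaged", False))
    owner = str(intune.get("msft_deviceOwner", "")).strip().lower()
    if managed and owner == "company":
        return "Corporate-Full"
    if managed:
        return "BYOD-Managed"             # personal device enrolled in Intune
    return "BYOD-Restricted"


# Constructed inputs: the same managed, company-owned device as three different
# wire formats for the same flag.
CASES = [
    ({"[User Authenticated]"}, {"msft_isManaged": "true",  "msft_deviceOwner": "company"}),
    ({"[User Authenticated]"}, {"msft_isManaged": "True",  "msft_deviceOwner": "Company"}),
    ({"[User Authenticated]"}, {"msft_isManaged": True,    "msft_deviceOwner": "company"}),
    ({"[User Authenticated]"}, {"msft_isManaged": "false", "msft_deviceOwner": "personal"}),
    ({"[User Authenticated]"}, None),
    ({"[MAC Authenticated]"},  {"msft_isManaged": "true",  "msft_deviceOwner": "company"}),
]

if __name__ == "__main__":
    for roles, attrs in CASES:
        flag = (attrs or {}).get("msft_isManaged")
        print(f"{sorted(roles)!s:24} isManaged={flag!r:8} "
              f"naive={naive_is_true(flag)!s:5} -> {classify(roles, attrs)}")
```

Only the first of the three "true" rows passes the naive check, while all three classify as Corporate-Full once the type is normalised. In ClearPass itself the equivalent is to confirm the attribute's declared data type in the HTTP authorization source matches what the INPUT tab shows and, if in doubt, to test the condition on the node that handled the request.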
