@Sandeepyadav could you please post the filter needed in an Intune Auth Source using Azure ID instead of MAC address, where the Azure ID is found in the certificate SAN?
I'm looking into this for a customer. Their network is authenticating with certificates, so the Intune integration will only be used for enhanced authorization based on compliance etc. Adding the Azure ID in the certificate SAN would be possible, although we didn't find how to add a SAN in the SCEP server yet.
Intune Wifi MAC address is a csv (MAC1,MAC2,MAC3, etc.) of all wireless network adapters found on a Windows 10 device. Checking on a dozen or so devices, it's always 2 Microsoft Wi-Fi Direct Virtual Adapters and the actual Wi-Fi NIC. The Intune extension only uses the first MAC address to create an endpoint record in Clearpass. This is never the MAC address of the actual NIC, so there are no Intune Endpoint attributes available when the device authenticates.
iOS and Android smart devices have a default setting for private MAC (MAC randomisation). You can turn that off in Intune for iOS but not for Android. The Intune Wi-Fi adapter is the actual MAC address of the device, so the Intune extension is creating endpoints with these MAC addresses. When the device authenticates, the endpoint record has no Intune Attributes because the random MAC address is passed on. Letting the end-user manually disable privatisation is not an option.
It would be really nice if the Intune Extension would create endpoint records for all the MAC addresses found in the Intune Wifi adapter field. Intune now also sets Status known and IsProfiled=TRUE. In my opinion Status should be set by policy, not by the extension, and IsProfiled should be set by the profiling module, not the extension. This way the virtual adapters can be easily removed during Cleanup.
Or go back to an enhanced earlier version where the Extension is used for an Auth lookup only. In that case it would be nice to have documented filter queries.
Regards, Erik
Edit to add: In this post (click) the following filter is mentioned:

SELECT mac_address AS User_Password
FROM tips_endpoints
WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
  AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

But if I read this correctly, it still pulls the Intune Azure AD Device Id from the Intune endpoint attributes, which does not exist.
------------------------------
Erik Eckhardt
ACMX #1245, ACDX #968, ACCP, ACSP
------------------------------
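Added illustration (not from this thread, and not Aruba's or ClearPass's own code) of the two failure modes Erik describes and of the Azure-ID-based lookup Sandeep mentions: it simulates the extension writing endpoint rows from the Intune Wi-Fi MAC csv either first-MAC-only or for every MAC, runs the equivalent of the posted filter's comparison, and shows that a randomised client MAC never matches while a lookup keyed on the certificate's Azure AD Device Id still does. The device records, MACs and Azure ID are constructed sample data; the field names azureADDeviceId, wiFiMacAddress and complianceState and the endpoint attribute name "Intune Compliance State" are assumptions for the example (only "Intune Azure AD Device Id" appears in the thread).

```python
import re

# Constructed Intune device records. The wiFiMacAddress csv mimics what Erik
# observed: two Microsoft Wi-Fi Direct Virtual Adapter MACs first, the real
# hardware NIC last. Field names are assumed for this example.
INTUNE_DEVICES = [
    {
        "azureADDeviceId": "11111111-2222-3333-4444-555555555555",  # constructed
        "wiFiMacAddress": "AA:BB:CC:11:22:33,AA:BB:CC:11:22:34,00:11:22:AA:BB:CC",
        "complianceState": "compliant",
    },
]


def normalise_mac(mac: str) -> str:
    """Bring a MAC into the form the filter compares on: lower case, no
    delimiters, i.e. what LOWER('%{Connection:Client-Mac-Address-NoDelim}') yields."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


def build_endpoints(devices, first_mac_only: bool) -> dict:
    """Simulate the extension populating tips_endpoints (dict keyed by mac_address).
    first_mac_only=True reproduces the behaviour described in the thread;
    False is the 'create a record for every MAC in the csv' behaviour Erik asks for."""
    endpoints = {}
    for dev in devices:
        macs = [m.strip() for m in dev["wiFiMacAddress"].split(",") if m.strip()]
        if first_mac_only:
            macs = macs[:1]
        attrs = {
            "Intune Azure AD Device Id": dev["azureADDeviceId"].lower(),
            "Intune Compliance State": dev["complianceState"],  # assumed attribute name
        }
        for mac in macs:
            endpoints[normalise_mac(mac)] = dict(attrs)
    return endpoints


def filter_lookup(endpoints, client_mac_nodelim: str, username: str):
    """Python equivalent of the posted filter query: the row must match on
    mac_address AND its 'Intune Azure AD Device Id' attribute must equal the
    (lower-cased) authentication username. Returns the attributes or None."""
    row = endpoints.get(client_mac_nodelim.lower())
    if row is None:
        return None  # no endpoint for this MAC -> no Intune attributes at all
    if row.get("Intune Azure AD Device Id") != username.lower():
        return None
    return row


def lookup_by_azure_id(endpoints, azure_id_from_cert: str):
    """The alternative Sandeep describes: compare on the Azure ID taken from the
    client certificate instead of on the client MAC, so MAC randomisation or a
    virtual-adapter MAC in Intune does not break the attribute lookup."""
    wanted = azure_id_from_cert.lower()
    for row in endpoints.values():
        if row.get("Intune Azure AD Device Id") == wanted:
            return row
    return None
```

With first-MAC-only endpoints the real NIC's authentication finds nothing, because the only row that exists belongs to the virtual adapter; with a row per MAC the same request finds the compliance attributes. A randomised client MAC is absent from both tables, which is exactly why only an identity-based key (the Azure ID from the certificate) survives that case.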
Original Message:
Sent: Oct 06, 2021 09:52 AM
From: Rikard Berg
Subject: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses
I am experiencing the same issues with multiple MAC addresses for the same device for devices synced with Intune. Was there any info on how to use the Azure ID instead of MAC as identifier?
------------------------------
Rikard Berg
Original Message:
Sent: Sep 29, 2021 12:54 PM
From: Stephen Edwards
Subject: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses
We do have TLS auth in place and we are using azure ID certificates. What would this filter query look like and where would we configure it in Clearpass?
------------------------------
Stephen Edwards
Original Message:
Sent: Sep 25, 2021 03:54 AM
From: Sandeep Yadav
Subject: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses
If you have the TLS auth already in place, and if the user certificate has the azure ID in it then we could update the filter query for endpoints database check. Hence, instead of using a mac address to compare, we could fetch intune attributes from endpoints using azure ID which could be used in role mapping or enf.
------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP
Original Message:
Sent: Sep 24, 2021 03:03 PM
From: Stephen Edwards
Subject: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses
Has there been any update on this issue? I'm seeing the same issue now where Intune is pulling the incorrect MAC address and since the CPPM Intune extension is based on the Endpoint DB which is indexed by MAC address, all devices that have the wrong MAC address in Intune are unable to connect to our internal wireless network.
------------------------------
Stephen Edwards
Original Message:
Sent: Jun 29, 2021 02:22 PM
From: Kevin Kirch
Subject: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses
First of all, I would like to say that the Microsoft Intune v5 documentation and the available videos in the Airheads Broadcasting Youtube channel have been excellent. I have successfully implemented RADIUS access for the majority of my Intune enrolled devices on my WLAN.
One issue that I have found, however, is that some devices that are enrolled into Microsoft Intune are reporting their Wi-Fi MAC Address incorrectly - they are reporting the MAC address of the Microsoft Wi-Fi Direct Virtual Adapter on the device instead of the hardware Wi-Fi MAC address. This appears to be a known issue (see hyperlinks below) by a few users. This issue means that the Intune extension will create the endpoint with the wrong MAC address in CPPM and the authentication source filter query will not find the device within Intune because it is comparing the correct MAC address with the wrong MAC address that is listed for the device within Intune.
Ignore Microsoft Wi-Fi Direct Virtual Adapter
Intune WiFi MAC nonsense
I have opened a case with Microsoft regarding this issue. In the meantime, is there a secure way that can be applied to work around this issue?
------------------------------
Kevin Kirch
------------------------------