Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Sync of device imported from Intune when it connects via Ethernet

  • 1.  Sync of device imported from Intune when it connects via Ethernet

    Posted May 13, 2022 11:28 AM
    I have the Microsoft Intune integration working properly, and I use SCEPman for EAP-TLS on the Wireless without issue. I was able to get EAP-TLS to work for the wired side as well. I noticed that when I connect a device via Ethernet that is managed by Intune I get 2 entries in the Endpoints database: one from Intune and a different one for the same device when it connects via Ethernet. Is there a way to have this as a single entry? I am asking because on the ArubaOS-CX switches, when I implement port-access on an interface, I try mac-auth first then dot1x, and if the device is not a specific device I add the role of [other], which then enforces a Captive-Portal profile for guest, so that when a random device is plugged in they get sent to guest. What I am trying to avoid is when a Corporate device is connected: I don't want them to get the Captive-Portal at all. The dot1x does authenticate, but not before the mac-auth happens, which sends them to Captive-Portal.

    ------------------------------
    Chris Sunderland
    ------------------------------


  • 2.  RE: Sync of device imported from Intune when it connects via Ethernet

    MVP
    Posted May 21, 2022 08:28 PM
    To answer your question, no, I don't think they can be classified as the same device given their MAC addresses will be different; in ClearPass and many other systems, this makes it a unique endpoint in the database.

    Can you add an attribute to these devices by filtering in the Endpoints Database and then performing a bulk update something like "Corporate Asset = True" and then add that to your Role Mapping policy as an override, just in case this happens? Does the ethernet MAC also live in Intune and receive the Intune attributes? If so, you couldn't leverage the Intune enrollment to keep it out of the captive portal role.

    Good luck!

    ------------------------------
    Michael Haring
    ------------------------------
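
The bulk tagging suggested in the reply above, as an added example that is not part of either post: it normalises the wired MAC addresses taken from an Endpoints filter and issues one ClearPass REST API PATCH per endpoint to set "Corporate Asset = True" on it. The ClearPass host, API client credentials and the sample MAC list are assumptions; the `/api/oauth` and `/api/endpoint/mac-address/{mac}` calls are the ClearPass REST API endpoints for token issuance and endpoint update. Adding the attribute to the Role Mapping policy is still done in the ClearPass UI.

```python
import json
import re
import urllib.request

CPPM_HOST = "clearpass.example.com"   # assumption: your ClearPass publisher FQDN
TAG = {"Corporate Asset": "True"}     # the endpoint attribute suggested in the reply


def normalise_mac(mac: str) -> str:
    """Strip separators and lowercase: ClearPass keys endpoints by 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def tag_payload(extra=None) -> dict:
    """PATCH body: only the listed attributes change, the rest of the endpoint stays."""
    return {"attributes": {**TAG, **(extra or {})}}


def get_token(client_id, client_secret, opener=urllib.request.urlopen) -> str:
    """OAuth2 client_credentials grant against POST /api/oauth (API client in ClearPass)."""
    body = json.dumps({"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"https://{CPPM_HOST}/api/oauth", data=body,
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def tag_endpoints(macs, token, send=None) -> list:
    """Build one PATCH per MAC; `send` (injectable, None = dry run) performs the request.
    Returns (method, url, payload) triples so the change set can be logged or audited."""
    plan = []
    for mac in macs:
        url = f"https://{CPPM_HOST}/api/endpoint/mac-address/{normalise_mac(mac)}"
        payload = tag_payload()
        plan.append(("PATCH", url, payload))
        if send is not None:
            send(urllib.request.Request(
                url, method="PATCH", data=json.dumps(payload).encode(),
                headers={"Content-Type": "application/json",
                         "Authorization": f"Bearer {token}"}))
    return plan


if __name__ == "__main__":
    # Constructed sample: two wired MACs from an Endpoints filter; dry run, nothing is sent.
    for item in tag_endpoints(["AA-BB-CC-11-22-33", "aa:bb:cc:44:55:66"], "dry-run"):
        print(*item)
```

The "Corporate Asset" attribute has to exist in the Endpoint attribute dictionary before the PATCH is accepted.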