Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Intune Integration

  • 1.  Clearpass Intune Integration

    Posted Dec 05, 2021 04:51 AM
    I am going through the process of integration of Microsoft Intune V5 with Clearpass policy manager. 
    Added the authentication source as Intune--type HTTP..with only one filter..
    1. %{Connection:Client-Mac-Address-Hyphen}

    It is ok up to here...and can see the device from configuration > endpoint putting intune as source...that means ClearPass is getting the device information.

    At the moment, we have corp wifi which authenticates users from on-premise AD..should I modify the service such that I add Intune as additional authentication source or I need to create new service for intune and apply that to policies ?

    What happens now, is every time when I connect the device, it connects to wifi, get the attribute from On-prem AD, not from Intune..
    Can anyone help me please.


    ------------------------------
    Binod Ranabhat
    ------------------------------


  • 2.  RE: Clearpass Intune Integration

    Posted Dec 06, 2021 02:36 AM
    Hi, 

    Try to enable Authorization in your service and add Intune as additional Authorization source. You will authenticate against on-prem AD, but will get additional attributes (for authorization) from Intune Extension, which can be used in Role mapping and/or enforcement.


    This scenario will actively ask Intune Extension for attributes.

    You also can add [Endpoint Repository] instead of Intune as Additional authorization source and use Endpoint attributes already added from Intune.

    Good luck!

    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 3.  RE: Clearpass Intune Integration

    Posted Jan 05, 2022 05:30 PM
    Hello, I am having a similar issue as binodranabhat and was wondering if someone may be able to assist.

    I am in this same position from binodranabhat's post: "I am going through the process of integration of Microsoft Intune V5 with Clearpass policy manager. 
    Added the authentication source as Intune--type HTTP..with only one filter..
    1. %{Connection:Client-Mac-Address-Hyphen}
    It is ok up to here...and can see the device from configuration > endpoint putting intune as source...that means ClearPass is getting the device information." 

    My endpoint pulling Intune info:


    However, I am getting this error in access tracker. Failed to get value for attributes:  

    I am thinking I have something wrong with my Role Mappings. Below is what I have spelled out:

    Can someone please let me know if this is configured correctly? It would be greatly appreciated. 



    ------------------------------
    Oliver Aceves
    ------------------------------



  • 4.  RE: Clearpass Intune Integration

    EMPLOYEE
    Posted Jan 05, 2022 10:02 PM
    Error Message: Access denied by Policy, this means that the auth itself was successful but was rejected due to policy evaluation rules. The values for these attributes are not seen in your screenshots and is what i would check next:

    Authentication:Status
    Authorization:[Endpoints Repository]:Intune-DeviceRegistrationState

    ------------------------------
    Mathew George
    ------------------------------



  • 5.  RE: Clearpass Intune Integration

    EMPLOYEE
    Posted Jan 06, 2022 09:56 AM
    Have you changed the Authentication method to one EAP-TLS where 'Authorization' is disabled?
    With the v5 extension for Intune, there should not be a need to have the Authentication Source. You can pull the synchronized attributes from the Endpoint database, which you should add as an authorization source.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
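A constructed Python model of the flow the replies above describe (an added example, not ClearPass code and not part of any post): authentication succeeds against on-prem AD, authorization then reads the Intune-synced attributes from the Endpoint Repository keyed by the hyphenated client MAC, and a device whose Intune-DeviceRegistrationState was never populated ends in the "Access denied by Policy" outcome. The repository contents, credentials, role names and the absent-MAC handling are assumptions.

```python
"""Constructed model of ClearPass authentication + Endpoint Repository authorization.

Not ClearPass code. It only reproduces the logic discussed in the thread:
AD decides authentication, Intune-synced endpoint attributes decide the role.
"""
import re
from typing import Optional

# Constructed Endpoint Repository contents, as the Intune v5 extension would
# populate them, keyed by %{Connection:Client-Mac-Address-Hyphen}.
ENDPOINT_REPOSITORY = {
    "AA-BB-CC-DD-EE-01": {"Intune-DeviceRegistrationState": "registered"},
    "AA-BB-CC-DD-EE-02": {},  # device synced, but the attribute never arrived
}


def mac_hyphen(mac: str) -> str:
    """Normalise colon, dot or bare MAC notation to the hyphenated form ClearPass keys on."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authenticate_ad(username: str, password: str) -> bool:
    """Stand-in for the on-prem AD authentication source (constructed credentials)."""
    return (username, password) == ("alice", "correct horse")


def evaluate(username: str, password: str, client_mac: Optional[str]):
    """Return (auth_ok, authorization_attrs, role) for one access request."""
    if not authenticate_ad(username, password):
        return False, {}, "[Deny Access]"          # authentication failure
    if client_mac is None:
        # Assumed handling for a wired desktop with no WLAN MAC: no repository key,
        # so no authorization attributes can be fetched at all.
        return True, {}, "[Deny Access]"
    attrs = ENDPOINT_REPOSITORY.get(mac_hyphen(client_mac), {})
    state = attrs.get("Intune-DeviceRegistrationState")
    if state is None:
        # "Failed to get value for attributes": auth succeeded, policy denies.
        return True, attrs, "[Deny Access]"
    # Constructed role-mapping rule on the Intune-synced attribute.
    role = "Intune-Managed" if state == "registered" else "[Other]"
    return True, attrs, role
```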



  • 6.  RE: Clearpass Intune Integration

    Posted Jan 06, 2022 02:11 PM
    Thank you mattAruba and Herman for responding. I was able to get this resolved with TAC. We have an authentication source for our on-prem AD. We were able to get this resolved by changing the role mappings.

    ------------------------------
    Oliver Aceves
    ------------------------------



  • 7.  RE: Clearpass Intune Integration

    Posted Jan 06, 2022 08:43 AM
    Greetings all, I would like to see if anyone has run across a few of the snags that I've discovered in our Azure-AD joined clients with Intune (now MEM).
    First, we are unable to pull in any AAD joined desktops using the Intune v5 extension. If the client does not have a wireless MAC address present, I am getting import errors in the extension since the index is based on the WLAN MAC. If I install a wireless NIC into the desktop, it will successfully import upon the next sync.

    Second, has anyone discovered a way to configure or automate useful authorization attributes in Intune/MEM that can be brought into the endpoint db for role mapping and enforcement? I am trying to find a way to separate our devices into business groups for enforcing different VLAN assignments.

    Thanks!


    ------------------------------
    Enik Pluimer
    ------------------------------