Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

  • 1.  CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jun 30, 2021 10:48 AM
    First of all, I would like to say that the Microsoft Intune v5 documentation and the available videos in the Airheads Broadcasting Youtube channel have been excellent. I have successfully implemented RADIUS access for the majority of my Intune enrolled devices on my WLAN.

    One issue that I have found, however, is that some devices that are enrolled into Microsoft Intune are reporting their Wi-Fi MAC Address incorrectly - they are reporting the MAC address of the Microsoft Wi-Fi Direct Virtual Adapter on the device instead of the hardware Wi-Fi MAC address. This appears to be a known issue (see hyperlinks below) by a few users. This issue means that the Intune extension will create the endpoint with the wrong MAC address in CPPM and the authentication source filter query will not find the device within Intune because it is comparing the correct MAC address with the wrong MAC address that is listed for the device within Intune.

    Ignore Microsoft Wi-Fi Direct Virtual Adapter
    Intune WiFi MAC nonsense

    I have opened a case with Microsoft regarding this issue. In the meantime, is there a secure way that can be applied to work around this issue?

    ------------------------------
    Kevin Kirch
    ------------------------------


  • 2.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    EMPLOYEE
    Posted Jul 02, 2021 10:15 AM
    The better way to do this is to base your policy (and device lookup) on the Device ID, instead of using the MAC address.

    Check here for some guidance. If I'm informed correctly, there is an update of the Tech Note in the works to cover this as well.

    Here is also a related topic that mentions that the API on the Microsoft side has been updated. I believe the same team working on that Tech Note is checking the new features as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 13, 2021 08:30 PM

    Any progress on this?

    I have run into the same issue when just using Intune as an AuthZ source. Intune has logged the same adapter as the OP as the Wi-Fi MAC address.

    I am doing MAC-AUTH for the service/SSID until the customer has migrated to EAP-TLS for their AzureAD devices. 



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 4.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 26, 2021 10:32 AM
    I have not been able to investigate this issue much further and the Microsoft Support agent that took my original case did not appear to take my issue seriously.

    I have found a Microsoft article, however, regarding Network Access Control and it appears that they are making changes to the way their compliance retrieval service works. The issue found with matching on MAC addresses is explicitly mentioned in the article.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696

    Will the Clearpass Intune extension need to be modified to accommodate the changes that Microsoft is anticipating to make with their compliance retrieval service?

    ------------------------------
    Kevin Kirch
    ------------------------------



  • 5.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 25, 2021 09:31 AM
    Is this - ClearPass Integration Guide Microsoft InTune (hpe.com) - the updated version of the guidance you refer to, as it's newer (March 2021) than the version at https://www.arubanetworks.com/clearpassdocs, but I only stumbled across it via Google. How do we know what's the latest version of the docs?


  • 6.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    MVP
    Posted Aug 25, 2021 04:33 PM
    The docs do have version control; the link to the doc on clearpassdocs should have been updated to point to the new/latest version (I used to do that when I was here :-) ) when posting new docs, and the older version removed, to remove this exact issue.

    The latest version is the first doc you reference, dated March 2021.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    EMPLOYEE
    Posted Aug 26, 2021 04:09 AM
    Thanks for pointing that out. I reached out to the author, and got the response that the link on the clearpassdocs page was missed due to circumstances like the change in the platform that is running the Airheads community.

    The link should be updated soon, and the idea of that single page is to make it easier to find the most actual ClearPass documentation, and that objective still stands.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 09, 2021 05:21 PM

    I was able to make this work by adding an Intune query (thanks to @Herman Robers) to the [Endpoint Repository] Authentication Source.

    By matching {Certificate:Subject-CN} to 'Intune ID', I was able to do EAP-TLS Authorization of the Intune endpoint, while the endpoint had MAC Randomization enabled.
    I was not able to match 'Intune Azure AD Device ID', since the certificate common name (CN) did not match with this ID.
    So please note which ID your certificate CN matches and adjust accordingly in the query below (your mileage may vary)

    New filter query [Endpoint Repository]:

    select attributes->>'Intune User Principal Name' as "Intune User Principal Name",
           attributes->>'Intune Model' as "Intune Model",
           attributes->>'Intune Jail Broken' as "Intune Jail Broken",
           attributes->>'Intune Operating System' as "Intune Operating System",
           attributes->>'Intune Managed Device Owner Type' as "Intune Managed Device Owner Type",
           attributes->>'Intune Management Agent' as "Intune Management Agent",
           attributes->>'Intune Azure AD Registered' as "Intune Azure AD Registered"
    FROM tips_endpoints
    WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}');

    [Screenshots: log1, endpoint-db-query]


    ------------------------------
    Thomas G - ACCX#1172
    ------------------------------



  • 9.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    MVP GURU
    Posted Nov 10, 2021 02:22 AM
    Thanks Thomas !

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 10.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    EMPLOYEE
    Posted Nov 10, 2021 03:17 AM
    Thomas, thanks a lot for documenting this.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 10, 2021 04:06 AM
    Thank you Thomas,

    I'm trying to understand how this query works.

    So looking at the query, am I right to say that it pulls the data from the endpoint created by the Intune Extension and adds these attributes to the newly created endpoint for the random MAC address?

    The endpoint record created by the extension for this device would either be the original MAC of a smart device or the first Wi-Fi MAC address of a Windows device, which would have the endpoint attribute Intune ID written?

    thanks Erik.


    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------



  • 12.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 10, 2021 04:41 AM
    Hi Erik,

    The query pulls data from Endpoint Repository, looking for "Intune ID" attribute values matching the Certificate Common Name.
    FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}');

    This query will match the MAC-Address entry in Endpoint Rep. created by the Intune Extension, and then pull the defined attribute values to use for Authorization in the specific session. They are not added to the Endpoint Rep. for the new MAC-Address.
    The new randomized MAC-Address, performing the authentication, will be written to Endpoint Rep. as a new MAC address without any attributes.
    If you want to add Intune attributes to the new endpoint, I guess you could solve that with some custom Enforcement Profiles
    You can also modify the query to pull any Intune Extension attributes you like, just look at all the attributes available on an Intune endpoint.




    ------------------------------
    Thomas G - ACCX#1172
    ------------------------------



  • 13.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 10, 2021 05:41 AM
    Thanks, Thomas,

    If you have the "Intune ID" value stored in the Certificate:Subject-CN field, I think you can directly call the Intune extension and use it as an HTTP Authorization source. This is because the Intune Extension is using either of the following:
    • GET /device/info/:mac
    or
    • GET /device/info/id/:intuneId
    Using ID, the http authentication source would look like:

    If "Intune ID" is not present in any Certificate field, you can search for it in the [Endpoints Repository], matching some attribute values of the existing Endpoint, the way Thomas has mentioned.
    For example, if "Certificate:Subject-CN" is the actual device name, we can search for the "Intune ID" attribute of the endpoint in "tipsdb" matching the device name:
    SELECT attributes->>'Intune ID' AS intune_id FROM tips_endpoints WHERE attributes->>'Intune Device Name' = '%{Certificate:Subject-CN}'

    Then you can use "Intune ID" attribute value to call Intune Extension.

    Regards,



    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 14.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 10, 2021 02:11 PM
    Thank you for documenting this Thomas.  I assume one would have to create a new database instead of modifying the Endpoint query if we are using the Endpoint database for devices other than just Intune devices?

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 15.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Sep 24, 2021 03:04 PM
    Has there been any update on this issue?  I'm seeing the same issue now where Intune is pulling the incorrect MAC address and since the CPPM Intune extension is based on the Endpoint DB which is indexed by MAC address, all devices that have the wrong MAC address in Intune are unable to connect to our internal wireless network.

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 16.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    EMPLOYEE
    Posted Sep 25, 2021 03:55 AM
    If you have the TLS auth already in place, and if the user certificate has the azure ID in it then we could update the filter query for endpoints database check. Hence, instead of using a mac address to compare, we could fetch intune attributes from endpoints using azure ID which could be used in role mapping or enf.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 17.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Sep 29, 2021 12:54 PM
    We do have TLS auth in place and we are using azure ID certificates.  What would this filter query look like and where would we configure it in Clearpass?

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 18.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Oct 06, 2021 09:52 AM
    I am experiencing the same issue with multiple MAC addresses for the same device for devices synced with Intune. Was there any info on how to use the Azure ID instead of the MAC as identifier?

    ------------------------------
    Rikard Berg
    ------------------------------



  • 19.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Oct 20, 2021 08:12 AM
    @Sandeepyadav could you please post the filter needed in an Intune Auth Source using the Azure ID instead of the MAC address, where the Azure ID is found in the Certificate SAN?

    I'm looking into this for a customer. Their network is authenticating with certificates, so the Intune integration will only be used for enhanced authorization based on compliance etc. Adding the Azure ID in the certificate SAN would be possible, although we didn't find how to add a SAN in the SCEP server yet.

    Intune Wifi MAC address is a csv (MAC1,MAC2,MAC3, etc) of all wireless network adapters found on a Windows 10 device. Checking on a dozen or so devices, it's always 2 Microsoft Wi-Fi Direct Virtual Adapters and the actual Wi-Fi NIC. The Intune extension only uses the first MAC address to create an endpoint record in Clearpass. This is never the MAC address of the actual NIC, so there are no Intune Endpoint attributes available when the device authenticates.

    iOS and Android smart devices have a default setting for private MAC (MAC randomisation). You can turn that off in Intune for iOS but not for Android. The Intune Wi-Fi adapter is the actual MAC address of the device, so the Intune extension is creating endpoints with these MAC addresses. When the device authenticates, the endpoint record has no Intune Attributes because the random MAC address is passed on. Letting the end user manually disable privatisation is not an option.

    It would be really nice if the Intune Extension would create endpoint records for all the MAC addresses found in the Intune Wifi adapter field. Intune now also sets Status known and IsProfiled=TRUE. In my opinion Status should be set by policy, not by the extension, and IsProfiled should be set by the profiling module, not the extension. This way the virtual adapters can be easily removed during Cleanup.

    Or go back to an enhanced earlier version where the Extension is used for an Auth lookup only. In that case it would be nice to have documented filter queries.

    Regards, Erik


    Edit to add: In this post (click) the following filter is mentioned:
    SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

    but if I read this correctly, it still pulls the Intune Azure AD Device Id from the Intune endpoint attributes which does not exist.



    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------
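    As an added example that is not part of this thread or of the ClearPass Intune extension, here is a small Python model of the lookups discussed in posts 8, 12, 13 and 19: the endpoint rows the extension creates from the comma separated Wi-Fi MAC field, the MAC-keyed lookup that misses, and the certificate-CN and device-name lookups that recover the Intune attributes (the Intune record, device name, MACs and ID below are constructed placeholders):

```python
# Added example (not from the thread or the ClearPass Intune extension): an
# in-memory model of the Endpoint Repository showing why a MAC-keyed lookup
# misses Intune devices and how the certificate-CN lookup recovers them.
# Constructed Intune record; "wifiMacAddress" is the comma separated list
# Erik describes: two Wi-Fi Direct virtual adapters first, the real NIC last.
INTUNE_DEVICE = {                                     # all values constructed
    "id": "11111111-2222-3333-4444-555555555555",     # placeholder Intune ID
    "deviceName": "LAPTOP-EXAMPLE",
    "wifiMacAddress": "0A1B2C3D4E01,0A1B2C3D4E02,0A1B2C3D4E03",
    "complianceState": "compliant",
    "operatingSystem": "Windows",
}

def endpoints_from_intune_record(rec, all_macs=False):
    """Build Endpoint Repository rows. all_macs=False mirrors the thread
    (first MAC only); all_macs=True is the one-row-per-adapter behaviour
    Erik asks for. Intune ID is stored lower-case, as LOWER() assumes."""
    macs = [m.strip().lower() for m in rec["wifiMacAddress"].split(",") if m.strip()]
    attrs = {
        "Intune ID": rec["id"].lower(),
        "Intune Device Name": rec["deviceName"],
        "Intune Compliance State": rec["complianceState"],
        "Intune Operating System": rec["operatingSystem"],
    }
    chosen = macs if all_macs else macs[:1]
    return [{"mac_address": m, "attributes": dict(attrs)} for m in chosen]

def lookup_by_mac(endpoints, client_mac):
    """Default MAC-keyed authorization lookup. Returns None when the
    authenticating MAC (real NIC or randomized) has no row with attributes."""
    mac = client_mac.replace(":", "").replace("-", "").lower()
    for ep in endpoints:
        if ep["mac_address"] == mac and ep["attributes"]:
            return ep["attributes"]
    return None

def lookup_by_cert_cn(endpoints, cert_cn):
    """Same match as Thomas's filter query:
    WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')"""
    wanted = cert_cn.lower()
    for ep in endpoints:
        if ep["attributes"].get("Intune ID") == wanted:
            return ep["attributes"]
    return None

def intune_id_by_device_name(endpoints, cert_cn):
    """Kestutis's two-step variant: the CN holds the device name, so resolve
    the Intune ID first and then query the extension by that ID."""
    for ep in endpoints:
        if ep["attributes"].get("Intune Device Name") == cert_cn:
            return ep["attributes"]["Intune ID"]
    return None
```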



  • 20.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Nov 03, 2021 04:59 AM
    Hi Erik,

    Please update this thread if there is any news about this issue. This has been bugging me for months.
    Every time there are multiple MAC addresses when a client connects (usually 2), and the lowest MAC address of the two is empty while the other one is the correct one but is never being used, so I am unable to pull out the Azure ID information or anything related to Intune.

    Deleting the empty MAC address resolves nothing, it reappears soon after. It makes the Intune extension useless.

    ------------------------------
    Rikard Berg
    ------------------------------



  • 21.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Sep 28, 2021 08:17 PM
    It's some sort of bug with Intune; if you look up the device with the Graph API you can see it's reporting the wrong MAC address. The worst part is it mostly happens after the initial Intune join and fixes itself after about a week at most, which is also how long it takes Microsoft support to respond to a case I open, so they close it since it's working. Good luck getting it fixed.

    ------------------------------
    James Andrewartha
    ------------------------------