Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

  • 1.  CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jun 30, 2021 10:48 AM
    First of all, I would like to say that the Microsoft Intune v5 documentation and the available videos in the Airheads Broadcasting Youtube channel have been excellent. I have successfully implemented RADIUS access for the majority of my Intune enrolled devices on my WLAN.

    One issue that I have found, however, is that some devices that are enrolled into Microsoft Intune are reporting their Wi-Fi MAC address incorrectly - they are reporting the MAC address of the Microsoft Wi-Fi Direct Virtual Adapter on the device instead of the hardware Wi-Fi MAC address. This appears to be a known issue (see hyperlinks below) reported by a few users. This issue means that the Intune extension will create the endpoint with the wrong MAC address in CPPM, and the authentication source filter query will not find the device within Intune because it is comparing the correct MAC address with the wrong MAC address that is listed for the device within Intune.

    Ignore Microsoft Wi-Fi Direct Virtual Adapter
    Intune WiFi MAC nonsense

    I have opened a case with Microsoft regarding this issue. In the meantime, is there a secure way that can be applied to work around this issue?

    ------------------------------
    Kevin Kirch
    ------------------------------


  • 2.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 02, 2021 10:15 AM
    The better way to do this is to base your policy (and device lookup) on the Device ID, instead of using the MAC address.

    Check here for some guidance. If I'm informed correctly, there is an update of the Tech Note in the works to cover this as well.

    Here is also a related topic that mentions that the API on the Microsoft side has been updated. I believe the same team working on that Tech Note is checking the new features as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 26 days ago
    Has there been any update on this issue? I'm seeing the same issue now where Intune is pulling the incorrect MAC address, and since the CPPM Intune extension is based on the Endpoint DB, which is indexed by MAC address, all devices that have the wrong MAC address in Intune are unable to connect to our internal wireless network.

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 4.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 13, 2021 08:30 PM

    Any progress on this?

    I have run into the same issue when just using Intune as an AuthZ source. Intune has logged the same adapter as the OP as the Wi-Fi MAC address.

    I am doing MAC auth for the service/SSID until the customer has migrated to EAP-TLS for their Azure AD devices.



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 5.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 25, 2021 09:31 AM
    Is this - ClearPass Integration Guide Microsoft InTune (hpe.com) - the updated version of the guidance you refer to, as it's newer (March 2021) than the version at https://www.arubanetworks.com/clearpassdocs, but I only stumbled across it via Google. How do we know what's the latest version of the docs?


  • 6.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 26, 2021 10:32 AM
    I have not been able to investigate this issue much further and the Microsoft Support agent that took my original case did not appear to take my issue seriously.

    I have found a Microsoft article, however, regarding Network Access Control and it appears that they are making changes to the way their compliance retrieval service works. The issue found with matching on MAC addresses is explicitly mentioned in the article.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696

    Will the Clearpass Intune extension need to be modified to accommodate the changes that Microsoft is anticipating to make with their compliance retrieval service?

    ------------------------------
    Kevin Kirch
    ------------------------------



  • 7.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 25, 2021 04:33 PM
    The docs do have version control; the link to the doc on clearpassdocs should have been updated to point to the new/latest version (I used to do that when I was here :-) ) when posting new docs, and the older version removed, to avoid this exact issue.

    The latest version is the first doc you reference, dated March 2021.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 8.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 26, 2021 04:09 AM
    Thanks for pointing that out. I reached out to the author and got the response that the link on the clearpassdocs page was missed due to circumstances like the change in the platform that is running the Airheads community.

    The link should be updated soon, and the idea of that single page is to make it easier to find the most current ClearPass documentation, and that objective still stands.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 25 days ago
    If you have TLS auth already in place, and if the user certificate has the Azure ID in it, then we could update the filter query for the endpoints database check. Hence, instead of using a MAC address to compare, we could fetch Intune attributes from endpoints using the Azure ID, which could be used in role mapping or enforcement.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 10.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 21 days ago
    It's some sort of bug with Intune; if you look up the device with the Graph API you can see it's reporting the wrong MAC address. The worst part is it mostly happens after the initial Intune join and fixes itself after about a week at most, which is also how long it takes Microsoft support to respond to a case I open, so they close it since it's working. Good luck getting it fixed.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 11.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 21 days ago
    We do have TLS auth in place and we are using Azure ID certificates. What would this filter query look like, and where would we configure it in ClearPass?

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 12.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 14 days ago
    I am experiencing the same issues with multiple MAC addresses for the same device for devices synced with Intune. Was there any info on how to use the Azure ID instead of MAC as identifier?

    ------------------------------
    Rikard Berg
    ------------------------------



  • 13.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 10 hours ago
    @Sandeepyadav could you please post the filter needed in an Intune Auth Source using Azure ID instead of MAC address, where the Azure ID is found in the certificate SAN?

    I'm looking into this for a customer. Their network is authenticating with certificates, so the Intune integration will only be used for enhanced authorization based on compliance etc. Adding the Azure ID in the certificate SAN would be possible, although we didn't find how to add a SAN in the SCEP server yet.

    The Intune Wi-Fi MAC address is a CSV (MAC1,MAC2,MAC3, etc.) of all wireless network adapters found on a Windows 10 device. Checking on a dozen or so devices, it's always 2 Microsoft Wi-Fi Direct Virtual Adapters and the actual Wi-Fi NIC. The Intune extension only uses the first MAC address to create an endpoint record in ClearPass. This is never the MAC address of the actual NIC, so there are no Intune Endpoint attributes available when the device authenticates.

    iOS and Android smart devices have a default setting for private MAC (MAC randomisation). You can turn that off in Intune for iOS but not for Android. The Intune Wi-Fi adapter is the actual MAC address of the device, so the Intune extension is creating endpoints with these MAC addresses. When the device authenticates, the endpoint record has no Intune attributes because the random MAC address is passed on. Letting the end user manually disable privatisation is not an option.

    It would be really nice if the Intune extension would create endpoint records for all the MAC addresses found in the Intune Wi-Fi adapter field. Intune now also sets Status known and IsProfiled=TRUE. In my opinion Status should be set by policy, not by the extension, and IsProfiled should be set by the profiling module, not the extension. This way the virtual adapters can be easily removed during Cleanup.

    Or go back to an enhanced earlier version where the extension is used for an Auth lookup only. In that case it would be nice to have documented filter queries.

    Regards, Erik


    Edit to add: In this post (click) the following filter is mentioned:
    SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

    but if I read this correctly, it still pulls the Intune Azure AD Device Id from the Intune endpoint attributes, which does not exist.



    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------
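The two lookup strategies discussed in posts 9 and 13 above, as an added Python illustration that is not code from this thread or from the ClearPass Intune extension: a MAC-keyed lookup that uses only the first MAC in Intune's comma-separated Wi-Fi MAC field (and so misses the physical NIC when virtual adapters are listed first, or misses entirely when a phone presents a randomised MAC), a lookup across every MAC in that field, and a MAC-independent lookup keyed on the Azure AD device id carried in the certificate SAN. The device records, GUIDs and MAC addresses are constructed; the field names wiFiMacAddress and azureADDeviceId are assumed to mirror the Graph API managedDevice properties, and the SAN layout (a bare GUID somewhere in the SAN entry) is an assumption as well.

```python
"""Matching a RADIUS client against Intune device records: by MAC vs. by device id.

Added example; not code from the thread or from the ClearPass Intune extension.
"""
import re
from typing import Optional

# Constructed sample data (not from the thread): two Intune device records trimmed to
# the fields this example needs. Field names are ASSUMED to mirror the Graph API
# managedDevice properties wiFiMacAddress / azureADDeviceId. The first record shows
# the pattern described in the thread: two Wi-Fi Direct Virtual Adapter MACs listed
# first, the physical NIC last.
DEVICES = [
    {
        "deviceName": "LAPTOP-CONSTRUCTED-01",
        "azureADDeviceId": "11111111-2222-3333-4444-555555555555",
        "wiFiMacAddress": "02-11-22-33-44-55,02-11-22-33-44-56,AC-DE-48-00-11-22",
    },
    {
        "deviceName": "PHONE-CONSTRUCTED-02",
        "azureADDeviceId": "66666666-7777-8888-9999-000000000000",
        "wiFiMacAddress": "AC-DE-48-AA-BB-CC",  # hardware MAC; the phone may present a random one
    },
]

# Plain GUID; the SAN is assumed to carry the Azure AD device id in this form.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits with no delimiters (the same shape as
    ClearPass's Client-Mac-Address-NoDelim). Accepts aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def intune_mac_list(wifi_mac_field: str) -> list:
    """Split Intune's comma-separated Wi-Fi MAC value into normalized MACs."""
    return [normalize_mac(m) for m in wifi_mac_field.split(",") if m.strip()]


def lookup_by_first_mac(client_mac: str, devices=DEVICES) -> Optional[dict]:
    """The behaviour the thread describes: only the first listed MAC becomes the endpoint."""
    target = normalize_mac(client_mac)
    for dev in devices:
        macs = intune_mac_list(dev["wiFiMacAddress"])
        if macs and macs[0] == target:
            return dev
    return None


def lookup_by_any_mac(client_mac: str, devices=DEVICES) -> Optional[dict]:
    """Match against every MAC in the field, so the physical NIC is found even when
    virtual adapters are listed before it. Still fails for randomised client MACs."""
    target = normalize_mac(client_mac)
    for dev in devices:
        if target in intune_mac_list(dev["wiFiMacAddress"]):
            return dev
    return None


def device_id_from_san(san: str) -> Optional[str]:
    """Extract the Azure AD device id (assumed to appear as a GUID) from a SAN string."""
    m = GUID_RE.search(san)
    return m.group(0).lower() if m else None


def lookup_by_device_id(san: str, devices=DEVICES) -> Optional[dict]:
    """MAC-independent lookup keyed on the device id from the EAP-TLS certificate."""
    device_id = device_id_from_san(san)
    if device_id is None:
        return None
    for dev in devices:
        if dev["azureADDeviceId"].lower() == device_id:
            return dev
    return None


if __name__ == "__main__":
    nic = "ac:de:48:00:11:22"  # Calling-Station-Id of the laptop's physical NIC
    print("first-MAC lookup :", lookup_by_first_mac(nic))                 # None
    print("any-MAC lookup   :", lookup_by_any_mac(nic)["deviceName"])     # LAPTOP-CONSTRUCTED-01
    print("random phone MAC :", lookup_by_any_mac("de:ad:be:ef:00:01"))   # None
    print("device-id lookup :",
          lookup_by_device_id("URI:11111111-2222-3333-4444-555555555555")["deviceName"])
```

The first-MAC lookup reproduces the failure described in the thread (the endpoint is created for a virtual adapter, so the physical NIC never matches), the any-MAC lookup fixes that case but still has no answer for a randomised MAC, and the device-id lookup sidesteps MACs entirely, which is why it is the approach recommended earlier in the thread.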