Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

  • 1.  CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jun 30, 2021 10:48 AM
    First of all, I would like to say that the Microsoft Intune v5 documentation and the available videos in the Airheads Broadcasting YouTube channel have been excellent. I have successfully implemented RADIUS access for the majority of my Intune-enrolled devices on my WLAN.

    One issue that I have found, however, is that some devices that are enrolled into Microsoft Intune are reporting their Wi-Fi MAC Address incorrectly - they are reporting the MAC address of the Microsoft Wi-Fi Direct Virtual Adapter on the device instead of the hardware Wi-Fi MAC address. This appears to be a known issue (see hyperlinks below) by a few users. This issue means that the Intune extension will create the endpoint with the wrong MAC address in CPPM and the authentication source filter query will not find the device within Intune because it is comparing the correct MAC address with the wrong MAC address that is listed for the device within Intune.

    Ignore Microsoft Wi-Fi Direct Virtual Adapter
    Intune WiFi MAC nonsense

    I have opened a case with Microsoft regarding this issue. In the meantime, is there a secure way that can be applied to work around this issue?

    ------------------------------
    Kevin Kirch
    ------------------------------


  • 2.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 02, 2021 10:15 AM
    The better way to do this is to base your policy (and device lookup) on the Device ID, instead of using the MAC address.

    Check here for some guidance. If I'm informed correctly, there is an update of the Tech Note in the works to cover this as well.

    Here is also a related topic that mentions that the API on the Microsoft side has been updated. I believe the same team working on that Tech Note is checking the new features as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 13, 2021 08:30 PM

    Any progress on this?

    I have run into the same issue when just using Intune as an AuthZ source. Intune has logged the same adapter as the OP as the Wi-Fi MAC address.

    I am doing MAC-AUTH for the service/SSID until the customer has migrated to EAP-TLS for their AzureAD devices. 



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 4.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Jul 26, 2021 10:32 AM
    I have not been able to investigate this issue much further and the Microsoft Support agent that took my original case did not appear to take my issue seriously.

    I have found a Microsoft article, however, regarding Network Access Control and it appears that they are making changes to the way their compliance retrieval service works. The issue found with matching on MAC addresses is explicitly mentioned in the article.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696

    Will the ClearPass Intune extension need to be modified to accommodate the changes that Microsoft is anticipating making with their compliance retrieval service?

    ------------------------------
    Kevin Kirch
    ------------------------------



  • 5.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 25, 2021 09:31 AM
    Is this - ClearPass Integration Guide Microsoft InTune (hpe.com) - the updated version of the guidance you refer to? It's newer (March 2021) than the version at https://www.arubanetworks.com/clearpassdocs, but I only stumbled across it via Google. How do we know what's the latest version of the docs?


  • 6.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 25, 2021 04:33 PM
    The docs do have version control. The link to the doc on clearpassdocs should have been updated to point to the new/latest version (I used to do that when I was here :-) ) when posting new docs and removing the older version, to remove this exact issue.

    The latest version is the first doc you reference dated March 2021

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted Aug 26, 2021 04:09 AM
    Thanks for pointing that out. I reached out to the author and got the response that the link on the clearpassdocs page was missed due to circumstances like the change in the platform that is running the Airheads community.

    The link should be updated soon, and the idea of that single page is to make it easier to find the most current ClearPass documentation, and that objective still stands.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 2 days ago
    Has there been any update on this issue?  I'm seeing the same issue now where Intune is pulling the incorrect MAC address and since the CPPM Intune extension is based on the Endpoint DB which is indexed by MAC address, all devices that have the wrong MAC address in Intune are unable to connect to our internal wireless network.

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 9.  RE: CPPM Intune v5 Extension & Incorrect Intune Wi-Fi MAC Addresses

    Posted 2 days ago
    If you have the TLS auth already in place, and if the user certificate has the Azure ID in it, then we could update the filter query for the endpoints database check. Hence, instead of using a MAC address to compare, we could fetch Intune attributes from endpoints using the Azure ID, which could be used in role mapping or enforcement.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------
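
To gauge how many enrolled devices are affected before moving lookups from MAC address to device ID, the Wi-Fi MAC values recorded in Intune can be audited offline. The script below is an added example, not part of the thread and not code from the ClearPass extension. It assumes device records shaped like Microsoft Graph `managedDevice` objects (`deviceName`, `azureADDeviceId`, `wiFiMacAddress`) and, as a heuristic, that a virtual adapter address has the IEEE locally administered bit set; the sample records are constructed.

```python
import re

# IEEE 802 U/L bit: set in the first octet of locally administered addresses.
LOCALLY_ADMINISTERED_BIT = 0x02


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    cleaned = re.sub(r"[:\-.\s]", "", raw or "")
    return cleaned.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned) else None


def classify(device):
    """Classify one device record by the Wi-Fi MAC that Intune holds for it."""
    mac = normalize_mac(device.get("wiFiMacAddress"))
    if mac is None:
        return "no-usable-mac"
    # Heuristic (assumption): virtual adapters and randomized client MACs
    # set this bit; burned-in hardware addresses do not.
    if int(mac[:2], 16) & LOCALLY_ADMINISTERED_BIT:
        return "locally-administered"
    return "hardware"


def audit(devices):
    """Group (deviceName, azureADDeviceId) pairs by classification."""
    report = {"hardware": [], "locally-administered": [], "no-usable-mac": []}
    for device in devices:
        key = (device["deviceName"], device["azureADDeviceId"])
        report[classify(device)].append(key)
    return report


# Constructed sample records; names, IDs and MACs are illustrative only.
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-A", "wiFiMacAddress": "5CE0C5123456",
     "azureADDeviceId": "00000000-0000-0000-0000-00000000000a"},
    {"deviceName": "LAPTOP-B", "wiFiMacAddress": "5E:E0:C5:12:34:56",
     "azureADDeviceId": "00000000-0000-0000-0000-00000000000b"},
    {"deviceName": "LAPTOP-C", "wiFiMacAddress": "",
     "azureADDeviceId": "00000000-0000-0000-0000-00000000000c"},
]

if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_DEVICES).items():
        for name, device_id in rows:
            print(f"{verdict:22} {name:10} {device_id}")
```

Devices listed under `locally-administered` or `no-usable-mac` are the ones a MAC-keyed endpoint lookup is likely to miss, so they are the candidates for matching on device ID instead.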