Security

 View Only
last person joined: 22 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Intune Integration

This thread has been viewed 81 times
  • 1.  ClearPass Intune Integration

    Posted Feb 18, 2022 05:43 AM
    Hi All,

    We're getting lots of the following messages in the intune logs:

    [WARN] Intune - The device "deviceName" (AzureDeviceID} does not have a MAC Address. Unable to process it.

    The users device appears in the endpoint repo but with no Intune details.

    This doesn't occur for every user.  Any ideas?

    ------------------------------
    James Whitehead
    ------------------------------


  • 2.  RE: ClearPass Intune Integration

    Posted Feb 19, 2022 11:39 AM
    Make sure MAC Randomization is disabled.

    Also, we've had issues when the device was loaded into Intune from a different network adapter such as a wired docking station.


  • 3.  RE: ClearPass Intune Integration

    Posted Feb 23, 2022 01:08 PM
    Unless I'm mistaken this appears to be due to Intune not, since October, storing Android Wi-Fi MAC address details. I'm only seeing the issue on Android devices.

    Sauce: https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-inventory
    NOTE: As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

    The ClearPass intune extension needs a MAC address of the intune device so it can store the devices' intune details in the endpoint repo.

    ------------------------------
    James Whitehead
    ------------------------------



  • 4.  RE: ClearPass Intune Integration

    Posted Feb 24, 2022 09:09 AM
    It would be nice if we could send the DeviceID from the certificate CN rather than the MAC address. 
    The extension looks up the device by the AzureID anyway, but references by MAC address. 

    Not sure if changing the filter query would work. 

    Upvote the Feature request, I've got plenty of use cases for this too. 
    https://innovate.arubanetworks.com/ideas/SEC-I-1781


  • 5.  RE: ClearPass Intune Integration

    Posted Feb 24, 2022 10:46 AM
    I thought that too and tried it out.

    [2022-02-24T15:39:37.396] [WARN] Intune - No endpoint with the MAC Address bdb303f7-a377-4d1e-99c9-76517775aea3 was found in ClearPass.
    
    Will upvote the feature request.

    ------------------------------
    James Whitehead
    ------------------------------



  • 6.  RE: ClearPass Intune Integration

    Posted Feb 25, 2022 08:00 AM
    Hi,

    If you want to use Intune Id instead of MAC in your Intune HTTP Authentication source, you have to edit "Base URL" to "http://{extension IP}/device/info/id/" and in the filter use appropriate variable, matching "Intune ID" value (Not Azure ID value).
    Example:


    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 7.  RE: ClearPass Intune Integration

    Posted Feb 25, 2022 09:00 AM
    Yeah I managed to work that out and I've got it setup so that the Intune HTTP Source base URL includes the additional /id/.

    I'm trying to use the Certificate CN which, in my case, is the Intune ID but It doesn't work. The extension logs show the Intune ID as undefined.

    [datetime] [INFO] Intune - [/device/info/id/:intuneId] request received from ::ffff:172.17.0.1.
    [datetime] [DEBUG] Intune - Request "GET '/endpoint'" took 90 ms.
    [datetime] [WARN] Intune - No endpoint with the Intune ID undefined was found in ClearPass.​​



    ------------------------------
    James Whitehead
    ------------------------------



  • 8.  RE: ClearPass Intune Integration

    Posted Feb 25, 2022 09:23 AM
    Try to double check does your Certificate CN is really "Intune ID" attribute.
    According to Feature request description: "Subject name format: CN={{AAD_Device_ID}}", I think this will be "Azure AD Device ID" value.

    Each Intune device has both these 
    attributes "Intune ID" and "Intune Azure AD Device ID". Both attributes are in similar format:

    For Intune Extension to work, you have to use "Intune ID" as the variable. It will not work with the "Intune Azure AD Device ID" attribute.

    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 9.  RE: ClearPass Intune Integration

    Posted Feb 25, 2022 10:12 AM
    It's definitely the Intune ID. NOTE that this device doesn't sync to the Endpoint repo as it has no Wi-Fi MAC address in Intune.



    ------------------------------
    James Whitehead
    ------------------------------



  • 10.  RE: ClearPass Intune Integration

    Posted Apr 28, 2022 02:39 PM

    I'm seeing the same issue on CPPM 6.9.7 and Intune 5.0.0.

    We have HTTP Source pointing to http://172.17.0.2/device/info/id/ and passing the {{AAD_Device_ID}} via %{Certificate:Subject-CN}.

    Intune extension fails to assign the parameter to :intuneId and shows "undefined".

    So I set up a dummy http server to see what was being passed and it seems to be passing the ID correctly.



    ------------------------------
    Nicholas Hickman
    ------------------------------



  • 11.  RE: ClearPass Intune Integration

    Posted Apr 29, 2022 09:57 AM
    I don't think you can use the AAD ID, you have to use the Intune ID.
    Pass the Intune Device ID with {{DeviceId}} in either the CN or the SANs.
    You could also possibly use the L={{DeviceId}} and update the the look up to use the Location on the certificate if you were already using the SAN's fields, and needed AAD Device ID as the CN.

    After talking with the folks at Atmosphere there should be some news in the near future, but in the mean time, changing to http://<IP>/device/info/id/ and using the Intune Device ID is the way, and not the AAD Device ID.



  • 12.  RE: ClearPass Intune Integration

    Posted May 09, 2022 02:07 PM

    You are correct about using the {{DeviceID}} instead of {{AAD_Device_ID}}.  The official plugin still fails with "undefined".  We've written our own middleware to work around this until the plugin receives an update.  The app is a simple python-flask application using Microsoft msal module.

    Our solution in the end is:
    - Set up the InTune certificate to insert {{DeivceId}} in to the AltName-URL property.
    - We pull the {{DeviceID} from %{Certificate:Subject-AltName-URI} when devices connect.
    - Send the request to http://<internal app server>/device/info/id/{{deviceId}}
    - Lookup with GraphAPI to https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{{deviceId}}
    - Return formatted json to Clearpass to match what we had configured for the plugin.



    ------------------------------
    Nicholas Hickman
    ------------------------------



  • 13.  RE: ClearPass Intune Integration

    Posted 18 days ago
    I noticed that version 6.0.0 of the InTune extension has been released in May. The new v6 integration guide suggests to use the Filter Query "%{Certificate:Subject-CN}" in the ClearPass auth source config and Subject name format "CN={{DeviceId}}" as well as Subject alternativ name URI "IntuneDeviceId://{{DeviceId}}" within the machine certificates (see Appendix E of the guide).

    Do you think that this is really needed? I didn't test this, yet, but my customer doesn't want to change the CN of the enrolled certificates. The customer plans to pull the DeviceID by using the Filter Query "%{Certificate:Subject-AltName-URI}".

    Anyone here who can confirm that this should work with the new v6 InTune extension?

    Thanks,
     Andreas