Christiaan,
Can you work with TAC, see if they can do a 'support' session and run this command.....
172.17.0.2 = IP address of your InTune Extension
6C88144947A4 = Wifi mac-address
curl http://172.17.0.2/device/info/6C88144947A4
My system returns;
curl http://172.17.0.2/device/info/6C88144947A4
{"Source":"Intune","Intune Last Updated":"2021-01-12 09:48:37","Intune ID":"e44ac315-52f7-4fb0-9459-50cfe1b26679","Intune User ID":"36227ef8-97c0-48b7-afec-3d9f3204b5fc","Intune Device Name":"WYSK-X230","Intune Managed Device Owner Type":"company","Intune Enrolled Date Time":"2020-04-02T20:10:46.9690631Z","Intune Last Sync Date Time":"2020-12-30T19:44:36.7597238Z","Intune Operating System":"Windows","Intune Compliance State":"compliant","Intune Jail Broken":"Unknown","Intune Management Agent":"mdm","Intune OS Version":"10.0.17763.1457","Intune Eas Activated":true,"Intune Eas Device ID":"65C21B37CD11BF43F8FFECE2A89BBB03","Intune Eas Activation Date Time":"2020-04-02T20:11:38.1907571Z","Intune Azure AD Registered":true,"Intune Device Enrollment Type":"userEnrollment","Intune Azure AD Device Id":"470ea3e2-6833-4306-b79f-a5406afbe404","Intune Device Registration State":"registered","Intune Device Category Display Name":"","Intune Is Supervised":false,"Intune Exchange Last Successful Sync Date Time":"0001-01-01T00:00:00Z","Intune Exchange Access State":"none","Intune Exchange Access State Reason":"none","Intune Remote Assistance Session Url":"","Intune Remote Assistance Session Error Details":"","Intune Is Encrypted":false,"Intune User Principal Name":"seel@clearpassrocks.onmicrosoft.com","Intune Model":"2325D83","Intune Manufacturer":"LENOVO","Intune Compliance Grace Period Expiration Date Time":"9999-12-31T23:59:59.9999999Z","Intune Serial Number":"R9YGTAC","Intune User Display Name":"SEEL User","Intune Wi Fi MAC Address":"6C88144947A4","Intune Subscriber Carrier":"","Intune Total Storage Space in Bytes":254697013248,"Intune Free Storage Space in Bytes":196613242880,"Intune Managed Device Name":"SEEL-Win10-demo","Intune Partner Reported Threat State":"unknown"}
HTH
------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------
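Added example (not part of the original message and not ClearPass or extension code): a Python check of the JSON that the curl command above returns, confirming the record belongs to the queried MAC and flagging posture fields a policy would care about. The function names, the 14-day sync threshold and the sample (a constructed subset of the fields quoted above) are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a subset of the fields from the response quoted above.
SAMPLE = json.dumps({
    "Source": "Intune",
    "Intune Compliance State": "compliant",
    "Intune Is Encrypted": False,
    "Intune Last Sync Date Time": "2020-12-30T19:44:36.7597238Z",
    "Intune Wi Fi MAC Address": "6C88144947A4",
})

def parse_intune_time(value):
    """Parse the ISO timestamps in the response (7 fractional digits, 'Z')."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)

def normalise_mac(mac):
    """Reduce any MAC notation to upper-case hex digits only."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")

def review_device(raw, queried_mac, now, max_sync_age_days=14):
    """Return a list of findings; an empty list means nothing was flagged.
    max_sync_age_days is an assumed threshold, not a ClearPass default."""
    try:
        info = json.loads(raw)
    except (TypeError, ValueError):
        return ["response is not JSON"]
    if not isinstance(info, dict):
        return ["response is not a JSON object"]
    record_mac = normalise_mac(str(info.get("Intune Wi Fi MAC Address", "")))
    if record_mac != normalise_mac(queried_mac):
        return ["no Intune record for the queried MAC in the response"]
    findings = []
    if info.get("Intune Compliance State") != "compliant":
        findings.append("compliance state: %s" % info.get("Intune Compliance State"))
    if info.get("Intune Is Encrypted") is False:
        findings.append("device storage not encrypted")
    sync = info.get("Intune Last Sync Date Time")
    if sync:
        age_days = (now - parse_intune_time(sync)).days
        if age_days > max_sync_age_days:
            findings.append("last Intune sync %d days ago" % age_days)
    return findings

if __name__ == "__main__":
    for line in review_device(SAMPLE, "6c:88:14:49:47:a4", datetime.now(timezone.utc)):
        print(line)
```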
Original Message:
Sent: Jan 11, 2021 09:26 PM
From: Danny Jump
Subject: ClearPass Intune Extension - Error getting device list
OK, wanted to validate that. Installing only on the PUB is fine.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 11, 2021 08:41 PM
From: Christiaan Rossouw
Subject: ClearPass Intune Extension - Error getting device list
Hi Danny
Thanks for your involvement in trying to get this resolved. There is no proxy configured in CPPM as shown below. I've also tried re-configuring the Intune extension to bypass the proxy when I started debugging, which also did not resolve the issue.
------------------------------
Christiaan Rossouw
Original Message:
Sent: Jan 11, 2021 08:15 PM
From: Danny Jump
Subject: ClearPass Intune Extension - Error getting device list
OK... one more proxy question to be completely clear on this area..... does CPPM have a CPPM proxy configured, as the extension by default will inherit as environment variables the proxy config {if one is configured} and try to use that address to communicate to anything.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 11, 2021 07:43 PM
From: Christiaan Rossouw
Subject: ClearPass Intune Extension - Error getting device list
Just to double check if the problem is not extension IP related, I've changed the CPPM Extension IP range to 10.10.172.1/24 and re-installed the Intune extension with IP 10.10.172.23. This did not resolve the issue.
To answer your questions, we do not have a web proxy except the one built into the firewall which is bypassed with a firewall rule I created for this scenario. Also, I can see a lot of traffic from CPPM (10.10.10.23) to 40.x.x.x being allowed through the firewall which seems to be exactly every 30 minutes which is the Intune extension's sync interval. The problem though is that it seems that CPPM is not getting a reply back from 40.126.x.x.
------------------------------
Christiaan Rossouw
Original Message:
Sent: Jan 11, 2021 06:52 PM
From: Danny Jump
Subject: ClearPass Intune Extension - Error getting device list
So you're in a good place with not having that, that's more if CPPM receives a packet IP=src = 172.17.x.x it wouldn't reply as it would route it locally into the Extension framework.
Two other Q's;
Do you have any web proxy?
When starting the extension, are there any logs showing ANYTHING in the firewall from CPPM going to / trying to connect to the 40.x.x.x address??
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 11, 2021 06:41 PM
From: Christiaan Rossouw
Subject: ClearPass Intune Extension - Error getting device list
Hi Danny
Thanks for the reply. I was also under the impression that the Extension IP will NAT through the ClearPass IP but just wanted to confirm as we don't have 172.17.x.x in our internal network.
------------------------------
Christiaan Rossouw
Original Message:
Sent: Jan 11, 2021 06:31 PM
From: Danny Jump
Subject: ClearPass Intune Extension - Error getting device list
Christiaan,
The extension will basically NAT through the MGMT port IP-Address. Do you have 172.17.x.x in your internal network?
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 11, 2021 06:16 PM
From: Christiaan Rossouw
Subject: ClearPass Intune Extension - Error getting device list
Hi Herman
Thank you very much for your response. I've watched several of your videos which were very insightful.
I've been getting the EHOSTUNREACH since I first installed the extension and it is still present. I tried re-installing the extension but that did not help. I suspected that the EHOSTUNREACH means that ClearPass can't reach the IP, but the confusing thing is that I can do an nslookup from ClearPass CLI to graph.windows.net and it succeeds. I can also ping Google DNS servers with success.
------------------------------
Christiaan Rossouw
Original Message:
Sent: Jan 11, 2021 04:19 AM
From: Herman Robers
Subject: ClearPass Intune Extension - Error getting device list
The error EHOSTUNREACH indicates that the ClearPass can't reach that IP address. When I check, that IP seems to host graph.windows.net. Also given the interval of only 2 seconds, there seems to be a routing issue or firewall.
Do you still experience these issues? Or was it intermittent and resolved meanwhile?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Jan 10, 2021 09:20 PM
From: Christiaan Rossouw
Subject: ClearPass Intune Extension - Error getting device list
Hi Everyone
I'm reaching out in the hope that someone had a similar experience or might be able to provide me with some insight/guidance so that I can resolve the following issue.
I've followed the Microsoft Intune Integration Guide for ClearPass (v2020-01) several times. I've installed v5 of the Intune extension in ClearPass and it is running. I've also registered the Azure App and granted the appropriate permissions as shown below:
When the Intune extension attempts to sync, I get the following error:
I've recreated a second Azure Application and updated the tenantId, clientId and clientSecret but am still getting the same error. I can perform an nslookup to login.microsoft.com on ClearPass and it resolves ok, so connectivity seems to be ok. I've also opened a support ticket with Aruba but we were unable to resolve the issue. Any assistance or additional information that can help would be greatly appreciated!
Kind regards,
------------------------------
Christiaan Rossouw
------------------------------