Security

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Bump

------------------------------
Zack Shore
------------------------------

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

I appreciate the response! Big fan of your advice on this forum. 

So I think I have the cert piece down. I currently push a user and device SCEP cert to my InTune devices. Then I set up an InTune Wi-Fi profile that specifies user or machine auth. This allows our laptops to connect at the sign in screen using machine auth and then when the user logs in it uses their creds. So far this is working great  

The issue that I'm dealing with right now is a little strange. At the end of my enforcement policy, I have it set to look at the endpoint DB, and if InTune Registered is NOT__EXIST it will bump that device to the student VLAN. This doesn't seem to work very well and won't connect my personal devices when I test. BUT it will connect them sometimes if MAC randomization is on.

is there a better way to get my devices with no InTune registration onto that student VLAN as shown in the flow chart?

------------------------------
Zack Shore
------------------------------

Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.

------------------------------
Zack Shore
------------------------------

Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

Zack,

I can't think why the mac-randomizatin would have any bearing on a device working or not, as you describe. It not like your checking for a known mac-address, or doing mac-auth. However,  if you specifically making an authZ decision on In_Tune registered, when you make this check you'll have to be looking up the endpoint with its mac-address, if randomization is enabled then you're potentially in a pickle when comparing to the physical address reported by InTune that is the Endpoint mac-address......said another way I'd have expected mac-randomization to always drop the endpoint into the student vlan/role.

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Feb 04, 2021 01:58 AM
From: Zack Shore
Subject: Clearpass + Intune

And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.

------------------------------
Zack Shore

Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

Hi Community members,

I am on the same situation, we are using Clearpass Intune ext v 5. Using the query filter
%{Connection:Client-Mac-Address-Hyphen}

At this point, all the attributes Clearpass is getting is related to Device, not the user. If we pick one attribute, for example 'Intune Azure AD Registered' eq true--assign for example staff role, that means students getting staff vlan.

Is there any query filter , that gets user information, so that we can use that in policy ? It's quite hard to distinguish staff and student at this point.
Please share your thought/view.

-BINOD
Original Message:
Sent: Feb 04, 2021 01:23 PM
From: Danny Jump
Subject: Clearpass + Intune

Zack,

I can't think why the mac-randomizatin would have any bearing on a device working or not, as you describe. It not like your checking for a known mac-address, or doing mac-auth. However,  if you specifically making an authZ decision on In_Tune registered, when you make this check you'll have to be looking up the endpoint with its mac-address, if randomization is enabled then you're potentially in a pickle when comparing to the physical address reported by InTune that is the Endpoint mac-address......said another way I'd have expected mac-randomization to always drop the endpoint into the student vlan/role.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 04, 2021 01:58 AM
From: Zack Shore
Subject: Clearpass + Intune

And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.

------------------------------
Zack Shore

Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

Hello,

We ran into this as we are considering adding staff devices to InTune, but haven't yet. Luckily the staff and students use a different type of device, so you could make use of the attribute Endpoint:Intune Model in this case.
Original Message:
Sent: Nov 28, 2022 07:41 PM
From: Binod Ranabhat
Subject: Clearpass + Intune

Hi Community members,

I am on the same situation, we are using Clearpass Intune ext v 5. Using the query filter
%{Connection:Client-Mac-Address-Hyphen}

At this point, all the attributes Clearpass is getting is related to Device, not the user. If we pick one attribute, for example 'Intune Azure AD Registered' eq true--assign for example staff role, that means students getting staff vlan.

Is there any query filter , that gets user information, so that we can use that in policy ? It's quite hard to distinguish staff and student at this point.
Please share your thought/view.

-BINOD
Original Message:
Sent: Feb 04, 2021 01:23 PM
From: Danny Jump
Subject: Clearpass + Intune

Zack,

I can't think why the mac-randomizatin would have any bearing on a device working or not, as you describe. It not like your checking for a known mac-address, or doing mac-auth. However,  if you specifically making an authZ decision on In_Tune registered, when you make this check you'll have to be looking up the endpoint with its mac-address, if randomization is enabled then you're potentially in a pickle when comparing to the physical address reported by InTune that is the Endpoint mac-address......said another way I'd have expected mac-randomization to always drop the endpoint into the student vlan/role.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 04, 2021 01:58 AM
From: Zack Shore
Subject: Clearpass + Intune

And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.

------------------------------
Zack Shore

Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune

I assume your using V5 of the InTune Extension?? 

Why do you have it running on two nodes, offset.... sync on one node and sync more regularly, when you sync on a SUB it will have to write the data to the PUB first. 

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ souce to make you first check, is this endpoint enrolled/known to InTune.

Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
{djj} - Sure, that's the autHn portion, the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune

Hello all,

Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.

Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

This is a rough draft of what I would like to do with our wireless auth moving forward.

Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


I appreciate any help or insight on this.

You may add different attributes in the Intune deployed certificates for student vs staff and filter on that; or use a different CA to issue your certificates (may be useful for other applications as well).

If staff devices are Corporate managed, and student devices 'personal', you could use the Intune Managed Device Owner Type to make your policy decision.

You probably should not rely on the client MAC address, rather on the Intune DeviceID that is in the client certificate. A query like the following would do such a thing if the Intune DeviceID is set as Common Name in the certificate:

select attributes->>'Intune User Principal Name' as "Intune User Principal Name",attributes->>'Intune Model' as "Intune Model",attributes->>'Intune Jail Broken' as "Intune Jail Broken",attributes->>'Intune Operating System' as "Intune Operating System",attributes->>'Intune Managed Device Owner Type' as "Intune Managed Device Owner Type",attributes->>'Intune Management Agent' as "Intune Management Agent",attributes->>'Intune Azure AD Registered' as "Intune Azure AD Registered",attributes->>'Intune Compliance State' as "Intune Compliance State",attributes->>'Intune Device Name' as "Intune Device Name",attributes->>'Intune Azure AD Device Id' as "Intune Azure AD Device Id" FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')​

This approach avoids MAC spoofing attacks, as well it allows wired clients (as long as clients have at least one WiFi interface) when the lookup is done based on the DeviceID rather than on the MAC address.

And there is a v6 version of the Intune extension; I would not deploy new systems with v5.

With ClearPass 6.11 there now also is an Azure AD authorization source that can directly lookup Azure AD groups based on the Azure AD Username.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 28, 2022 07:41 PM
From: Binod Ranabhat
Subjec