Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Intune Extension HTTP authentication source errors

  • 1.  ClearPass Intune Extension HTTP authentication source errors

    Posted Oct 15, 2021 05:08 AM
    Hi,

    I am having some problems when trying to fetch role mappings from the Intune authentication source.

    A few pictures on how it is set up. The Intune Extension is up and running with the IP address 172.17.0.2


    In the Access Tracker, the information computed with Intune is as follows, and it seems to fetch that from the Endpoint database:


    The HTTP Authentication is set up
    I have two filters, one that used to be the original and one I tried to update based on the document for v5 (reference below):

    For the service I have added the HTTP auth source as well as the Endpoint database (hence the Endpoint: Intune attributes)


    I have tried to update the filters based on the documentation following Appendix A


    The Alert I get in the tracker is this:
    I must be doing something wrong, but I am unable to see where the issue is. Does anyone have a clue what it could be?

    Troubleshooting steps:
    * Restarted Extension
    * Stop/Start Extension Service from Server Manager
    * Verified IP address used.
    * Read the documentation carefully, previously I had a different filtering and no /device/info/ based on earlier in the documentation.

    The extension itself shows no errors while in debug mode and updates endpoints according to the logs.




    Thanks,
    ------------------------------
    Rikard Berg
    ------------------------------


  • 2.  RE: ClearPass Intune Extension HTTP authentication source errors

    Posted Oct 15, 2021 07:27 AM
    I tried now to delete the old Authentication Source and create a new one step-by-step from the guide.

    The difference now was that I got a different error: Policy server HTTP attribute query returned error=500

    ------------------------------
    Rikard Berg
    ------------------------------



  • 3.  RE: ClearPass Intune Extension HTTP authentication source errors

    MVP
    Posted Oct 23, 2021 02:53 PM
    I'm not sure if there's a difference in V4 vs V5, but we have Intune in place as well and it's operating normally. Our URL in the Authentication Source is only http://172.17.0.2  without the path defined. Can you try removing the /device/info/ from the end of the URL and see if that makes any difference?

    ------------------------------
    Michael Haring

    AirHeads MVP 2017, 2019-2021
    ------------------------------



  • 4.  RE: ClearPass Intune Extension HTTP authentication source errors

    MVP
    Posted Oct 24, 2021 08:18 AM

    I'm working through a similar issue. I think the v5 Intune extension is different in the way it operates and you cannot query it like you are doing. That is from v4.

    Look at the latest guide and see the auth-n vs auth-z section. 


    It seems as though you cannot query the Intune attributes directly. Instead, you have to query Endpoint:Intune attributes. Because of this, it's not exactly real-time info.


    Perhaps someone with more knowledge could shed more light? I haven't got mine working yet, but I did figure that's why I kept getting HTTP errors.



    ------------------------------
    Phillip Horn
    ------------------------------



  • 5.  RE: ClearPass Intune Extension HTTP authentication source errors
    Best Answer

    Posted Oct 25, 2021 10:16 AM
    Hi,

    For Extension V5, is it in Cluster deployment or standalone? Because, if it is in cluster (Extension on both nodes), Extension IP should be the same in both nodes. 
    Info from manual:
    "HTTP Authorization Source Mode
    In this mode we configure an HTTP Auth source that results in a TCP call to InTune during endpoint authorization.
    In this deployment model the extension must be installed on every cluster node that process authentications.
    Also in this scenario every cluster member's extension must be set to the exact same IP address during installation time, as the HTTP Auth source configuration is propagated globally across all cluster members."

    Intune as HTTP auth source is working (in my environment, cppm version 6.9.7.131609) when Base URL is http://extension_ip/device/info/ and filter is:
    %{Connection:Client-Mac-Address-Hyphen}
    In this case, check if the calling station MAC is present in Intune, because Intune uses only WiFi MAC and creates Endpoints according to WiFi MAC.

    Intune as HTTP auth source also works when the Base URL is:
    http://172.17.8.2/device/info/id/
    But then you have to use the "Intune ID" value (not MAC), which you can take from Endpoints the Extension has already created, e.g. filter %{Endpoint:Intune ID}:

    Attributes in both scenarios are:

    Also try to enable the Endpoint cache in the Extension configuration:

    *(I also created API User for Extension, but according to manual it should not be used)

    Also, check if the Extension subnet is allowed (added) in cppm Application Access Control > ClearPass API, if you are using Application Access Control.

    When you add the Intune Auth source as an additional authorization source, you should see additional info in the Access Tracker Request Detail Input and can use that info for role mapping:

    Hope this info could help somehow :)
    Regards

    ------------------------------
    Kestutis Virsilas
    ------------------------------
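The two working configurations above differ only in Base URL and Filter. The following is an added example, not HPE Aruba's or the extension's own code: it models how an HTTP authorization source composes the request the extension sees, for both the MAC-based and the Intune-ID-based filter, and lets you probe the resulting URL directly to distinguish a 500 from the extension from a lookup that simply has no data. Assumptions, not documented behaviour: ClearPass expands every `%{Namespace:Attribute}` token in the Filter and appends the result to the Base URL; `Client-Mac-Address-Hyphen` is lowercase hyphen-separated; the extension IP `172.17.0.2` and the sample Intune ID are taken from the thread or constructed.

```python
"""
Added example (not HPE Aruba code): models how a ClearPass HTTP authorization
source composes its request to the Intune extension for the two configurations
discussed in this thread, and probes the resulting URL.  Assumption: ClearPass
expands the %{Namespace:Attribute} tokens in the Filter and appends the result
to the Base URL; the extension's response body format is not modelled.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import quote

ATTR_TOKEN = re.compile(r"%\{([^}]+)\}")

EXT_BASE = "http://172.17.0.2"           # extension IP from the thread
MAC_BASE = EXT_BASE + "/device/info/"    # filter: %{Connection:Client-Mac-Address-Hyphen}
ID_BASE = EXT_BASE + "/device/info/id/"  # filter: %{Endpoint:Intune ID}


def mac_hyphen(mac):
    """Normalise any common MAC notation (aa:bb:.., aabb.ccdd.eeff, AABBCC..)
    to the Client-Mac-Address-Hyphen form. Lowercase output is an assumption."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def expand_filter(template, attrs):
    """Replace every %{Namespace:Name} with its value; tolerate the stray
    space in '%{Endpoint: Intune ID}'. A blank value raises, because an empty
    filter would turn the lookup into a request for the bare Base URL."""
    def repl(m):
        name = re.sub(r"\s*:\s*", ":", m.group(1).strip())
        value = attrs.get(name)
        if not value:
            raise KeyError(f"attribute {name} is missing or blank")
        return value
    return ATTR_TOKEN.sub(repl, template)


def build_query(base_url, template, attrs):
    """Base URL + expanded, URL-encoded filter (assumed composition rule)."""
    return base_url.rstrip("/") + "/" + quote(expand_filter(template, attrs), safe="")


def choose_query(calling_station_id, endpoint_record):
    """Prefer the stable Intune ID lookup; fall back to the WiFi-MAC lookup when
    the Endpoint record has no 'Intune ID' (e.g. a re-created endpoint whose
    attributes came back blank). Returns (mode, url)."""
    attrs = {
        "Connection:Client-Mac-Address-Hyphen": mac_hyphen(calling_station_id),
        "Endpoint:Intune ID": (endpoint_record or {}).get("Intune ID", ""),
    }
    try:
        return "id", build_query(ID_BASE, "%{Endpoint:Intune ID}", attrs)
    except KeyError:
        return "mac", build_query(MAC_BASE, "%{Connection:Client-Mac-Address-Hyphen}", attrs)


def probe(url, timeout=5):
    """Return the HTTP status the extension answers with (e.g. the 500 seen in
    the thread) or a short error string. Only meaningful from a host that can
    reach the extension's container network."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError) as e:
        return f"unreachable: {e}"


if __name__ == "__main__":
    # constructed sample input, not data from the thread
    endpoint = {"Intune ID": "11111111-2222-3333-4444-555555555555"}
    for mac, rec in [("AA:BB:CC:DD:EE:FF", endpoint), ("aabb.ccdd.eeff", {})]:
        mode, url = choose_query(mac, rec)
        print(mode, url, probe(url))
```

Run it against the endpoint's WiFi MAC and Intune ID: a 500 on the bare Base URL, or on an ID-based URL whose endpoint record has a blank Intune ID, matches the "HTTP attribute query returned error=500" alert, while a 200 on the ID URL and a 404-style failure on the MAC URL points at a calling station MAC that Intune does not know (wired or randomised MAC).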



  • 6.  RE: ClearPass Intune Extension HTTP authentication source errors

    Posted Oct 29, 2021 09:07 AM
    Hi Kestutis,

    Thank you for your great answer with screenshots pointing out exactly what I was wondering about.
    The first one, using the MAC address, I managed to get to work sometimes, but not for every client, as Intune clearly has multiple WiFi MAC addresses; some clients have around 2-3 different WiFi MAC addresses, and that can point to expired information in the Endpoint database.

    Using the Azure ID is what I am looking for, which I believe will solve the issue. I had all the information except the filter query, as you stated:
    %{Endpoint: Intune ID}

    I added this information and I get this error:

    The alert tab is no longer displayed so that is good.

    The way I understand this is that it will now look into the endpoint database based on the Intune ID instead of the MAC address as previously.

    This brings me to my second issue with empty Attribute fields in the endpoint database.
    When installing the Extension the first time, a lot of Endpoints got added with lots of information from Intune. If I delete an Endpoint now, it comes up with blank attributes; this has been an issue for quite some time.

    These are Intune-managed devices and end up with nothing, so I am not sure how to repopulate this data.
    I thought the Extension would update the database with this information? 

    The ones that work look like this and were added a long time ago.

    Any input on that issue would be greatly appreciated :)


    Regards,



    ------------------------------
    Rikard Berg
    ------------------------------