Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Checking Intune User Principal Name exists within an AD Group

  • 1.  Checking Intune User Principal Name exists within an AD Group

    Posted Oct 22, 2021 12:52 AM
    Hi.

    I am trying to work out if the following is possible and if so, how to achieve it.

    I want to authenticate user devices using EAP-TLS. These devices will be in InTune, so I am going to set up the InTune extension. The devices will range from iOS, Mac and Windows, some domain bound and some not.

    I'm looking for a way to check the "Intune User Principal Name" against an AD Group when a device authenticates to the WiFi. Based on the AD Group membership I would then like to assign different roles, i.e. Finance go to VLAN 100 and HR to VLAN 101.

    Is this doable?


  • 2.  RE: Checking Intune User Principal Name exists within an AD Group

    EMPLOYEE
    Posted Oct 22, 2021 11:09 AM
    I think if you use the techniques shown in this video, you can query AD based on the UPN, if the Intune UPN matches the UPN (or other field) in your AD.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Checking Intune User Principal Name exists within an AD Group

    Posted Oct 24, 2021 03:57 PM
    Hi.

    Thanks for replying. I have previously seen your video, and it is very helpful. What I think I'm struggling to grasp is how to check the InTune UPN against AD, in particular AD group membership, as the InTune UPN is stored in Endpoint and it would need to cross-check it against AD.


  • 4.  RE: Checking Intune User Principal Name exists within an AD Group

    EMPLOYEE
    Posted Oct 25, 2021 06:34 AM
    What does the InTune UPN look like? And is (or in which field in AD is) it stored?

    This probably is trivial if one sees it... hard to answer based on this limited information. Would reach out to Aruba Support or your Aruba partner.

    ------------------------------
    Herman Robers
    ------------------------------