Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

clearpass and microsoft intune

Jump to Best Answer

  • 1.  clearpass and microsoft intune

    Posted Jan 06, 2021 06:43 AM
    Hi, i know there's a guide for intune and clearpass.

    My question is, can you have more than 1 intune instance as a authentication source? we need at least 2.

    ! for our normal domain and 1 for our education domain.

    is it as easy as installing 2 extensions? and how do you select them in the authentication source? with each there ip adress

    ------------------------------
    Morten Johannsen
    ------------------------------


  • 2.  RE: clearpass and microsoft intune

    Posted Jan 06, 2021 08:56 AM
    Do each of your domains share the same tenantID or clientID or are they different?

    ------------------------------
    Craig Syme
    ------------------------------

    Original Message


  • 3.  RE: clearpass and microsoft intune
    Best Answer

    Posted Jan 06, 2021 01:51 PM
    Hey Morten,

    Ensure you look at the latest version of the Intune integration guide, the latest version was a pivot from Aruba to move away from 'real-time' authZ + cache to an full-ingest of all endpoint, even though the authZ still exists its capabilities changed a little to only being check for already-known endpoints as there needs to be a process of convert mac-address to azuredID before its queried real-time.

    See the latest guide here https://support.hpe.com/hpesc/public/docDisplay?docId=a00106086en_us written by some ex-aruba dude apparently.

    and YES, as per Craigs point, two extension IF they are using different creds to auth into InTune/Azure.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------

    Original Message


  • 4.  RE: clearpass and microsoft intune

    Posted Jan 07, 2021 01:45 AM
    Hi Danny an Craig.

    They are on two different tenants so it should be possible then.

    Thx Danny, i'll take a look on the new guide, i just need the intergration so i can use eap-tls with authorization so ill look into it, its only a poc on our education network so ill try following your recommendation

    thx both of you.

    ------------------------------
    Morten Johannsen
    ------------------------------

    Original Message


  • 5.  RE: clearpass and microsoft intune

    Posted Jan 25, 2021 05:04 AM
    Hi.

    I can see it works with 2 different tenant, just 2 different ip adresses, but after reading the new V5 intune intergration, im not sure if the thing i want is the "correct" way to do it.
    So the senario is that my app team want to use intune insted of sccm so the computer object is created in intune and not our local domain, the certificate is still pulled from our local ca, and right now im using EAP-TLS with "Authorization Required" and it fails right now cause the object is not in our local domain, so could i use the intune extension with EAP-TLS authorization to see if the object is in our intune and the allow is, and is the even the right way? i like the "authorization required" cause it gives a second layer of security and checks the object and if it is  active/deactive. Should i keep the EAP-TLS authorization? its a issue that the intune extension sync all the device down cause out domain allready sync all its device to intune so its a duplicate of min endpoints.
    Hope you can help with my senario.
    Morten

    ------------------------------
    Morten Johannsen
    ------------------------------

    Original Message


  • 6.  RE: clearpass and microsoft intune

    Posted Jan 26, 2021 09:12 PM
    I think I've accomplished this, I've just pinged an SE in Netherlands to see if he can chime in on this thread to help.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------

    Original Message


  • 7.  RE: clearpass and microsoft intune

    Posted Jan 27, 2021 12:34 PM
    Don't use authorization in the EAP method. Add your checks to the enforcement policy as part of your rules...

    ------------------------------
    Tim C
    ------------------------------

    Original Message


  • 8.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 01:34 AM
    Hi Tim.

    Thats actuly a good idea, the i just do a validation more inder my enforcement policy that says something like, exits in domain x.

    ill try that, it's actuly faster for the clearpass cause it only need to look in the domain where the certificate came from.

    Thx

    ------------------------------
    Morten Johannsen
    ------------------------------

    Original Message


  • 9.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 04:01 AM
    Hi Morten,

    The new V5 Intune Extension stores a lot of information in the endpoint database. You could make some additional checks/compares based on the provided certificate and the information in the endpoint database with a SQL statement like:

    1. SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

    That would at least allow you to enforce authorization. That being said, you could also make a role mapping:

    Regards,

    Mitchell
    ;
    Original Message


  • 10.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 09:36 AM
    You should always be using this method. Never use the default MAC address-based integration.

    ------------------------------
    Tim C
    ------------------------------

    Original Message