Hello Tim,
I understand your previous comment about not using MAC for lookup but the Clearpass Intune Extension looks to be based on the CPPM Endpoint DB which is indexed by MAC.
Also I have searched more about the 24 hours MAC Randomization on iOS and it seems that was only enabled on beta version of version 14. At this moment you are correct but it may be implemented by default in the future.
I did the following tests:
CPPM Setup - Intune Extension installed and active
- RADIUS SSID 802.1x using PEAP
Authentication Source = Local User DB
Authorization Source = Local User DB + Intune HTTP (using Filter "%{Connection:Client-Mac-Address-Hyphen}")
Role Mapping with (Authorization:Intune:Intune Device Registration State EQUALS registered)
Enforcement following above Role Mapping that doesn't allow access if device not registered in Intune
1st test using Laptop which doesn't support MAC Randomization (old Wifi NIC)
1 - connect to Home Wifi (PSK)
2 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
Device is added to the Endpoint DB using its HW MAC Address & Intune attributes are updated OK
3 - connect to RADIUS SSID and get network access since it was successfully registered to Intune
2nd test using Laptop which is supporting MAC Randomization
1 - connect to Home Wifi (PSK) and enable "Random Hardware Address" only on this SSID
2 - Try to connect to RADIUS SSID but unsuccessful since the device is not registered to Intune (normal)
3 - reconnect to Home Wifi (PSK)
4 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
Device is added to the Endpoint DB using its Random MAC Address & Intune attributes are updated OK
5 - connect to RADIUS SSID using its HW MAC Address and Laptop access is rejected
The Endpoint DB contains now 2 entries for same PC, 1 for Random MAC (used when registering to Intune with Intune attributes set OK)
and 1 for HW MAC when connecting to RADIUS SSID without Intune attributes
Intune Extension has queried Intune Cloud using HW MAC and got back MAC Address <HW MAC> does not have an "Intune ID"
6 - reconnect to Home SSID (PSK) but using HW MAC this time and force Intune resync
7 - reconnect to RADIUS SSID using its HW MAC Address and Laptop access is accepted this time since the Endpoint DB has been updated by Intune
Attached is the Intune Extension log with comments.
My customer scenario is to use Intune to allow Onboarding of only Corporate devices which are registered to Intune. Then at this step we don't have any Certificate to check with Intune when connecting to the Guest SSID (dual SSID Onboarding) or when using PEAP (single SSID Onboarding) at the start of the Onboarding procedure.
I have also looked at the video series "ClearPass integration with Intune and Azure AD" but not found any relevant information.
Please advise how to use Intune with MAC Randomization.
Thanks & kind regards
------------------------------
Christian Chautems
------------------------------
Original Message:
Sent: Apr 15, 2021 11:10 AM
From: Christian Chautems
Subject: clearpass and microsoft intune
Then we must adjust the Filter Query of the Intune HTTP Auth source to what?
I am referring to the latest Clearpass - Intune integration guide (03-2021) pg 27
Thanks & kind regards
------------------------------
Christian Chautems
Original Message:
Sent: Apr 15, 2021 11:02 AM
From: Tim C
Subject: clearpass and microsoft intune
In general, MAC should never be used as a lookup value. You should use the device ID from the client certificate for any kind of lookup value.
------------------------------
Tim C
Original Message:
Sent: Apr 15, 2021 10:57 AM
From: Christian Chautems
Subject: clearpass and microsoft intune
I have found conflicting comments via Google on this 24 hours topic, but I have reports from customers about more problems with MAC caching on Guest Wifi since iOS 14 that seem related to MAC randomization.
But anyway, even if the random MAC stays the same when connected to a specific SSID over time, what is the MAC registered to Intune, the physical one or the random MAC? What happens when the user connects his iPhone to another SSID and the Intune info is updated?
Thanks for help
Regards
------------------------------
Christian Chautems
Original Message:
Sent: Apr 15, 2021 10:30 AM
From: Tim C
Subject: clearpass and microsoft intune
MAC addresses do not change every 24 hours in iOS.
------------------------------
Tim C
Original Message:
Sent: Apr 15, 2021 10:24 AM
From: Christian Chautems
Subject: clearpass and microsoft intune
What is the implication of MAC Randomization (every 24 hours on iOS) with Intune v5 since the query to Intune is based on MAC?
------------------------------
Christian Chautems
Original Message:
Sent: Jan 29, 2021 09:35 AM
From: Tim C
Subject: clearpass and microsoft intune
You should always be using this method. Never use the default MAC address-based integration.
------------------------------
Tim C
Original Message:
Sent: Jan 29, 2021 04:00 AM
From: Mitchell Pompe
Subject: clearpass and microsoft intune
Hi Morten,
The new V5 Intune Extension stores a lot of information in the endpoint database. You could make some additional checks/compares based on the provided certificate and the information in the endpoint database with a SQL statement like:
1. SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')
That would at least allow you to enforce authorization. That being said, you could also make a role mapping:
Regards,
Mitchell
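As an added example (not code from this thread, from Aruba/HPE or from the ClearPass product), here is a small Python model of a tips_endpoints table that runs the kind of check Mitchell describes, translated from PostgreSQL's `attributes->>'key'` to SQLite's `json_extract`, against constructed endpoint records, plus a lookup keyed on the certificate's device id alone in the spirit of Tim's advice. The second laptop reproduces Christian's MAC-randomization test earlier in the thread: the Intune attributes sit on the random MAC's record while the hardware MAC's record is empty, so a MAC-keyed check rejects it and a device-id-keyed check does not. All MAC addresses, device ids, column names and the table layout are assumptions made for the example.

```python
import json
import sqlite3

# Constructed sample of a CPPM Endpoint DB (tips_endpoints) as the Intune extension
# might fill it. MACs are stored lowercase without delimiters; the Intune data sits in
# a JSON "attributes" column. Every value here is made up for the example.
SAMPLE_ENDPOINTS = [
    # Laptop 1 (no MAC randomization): registered with its hardware MAC, fully synced.
    ("aabbccddee01", {
        "Intune Azure AD Device Id": "0f8c1d2e-0000-4000-8000-000000000001",
        "Intune Device Registration State": "registered",
    }),
    # Laptop 2 registered to Intune while using a random MAC on the home SSID, so the
    # Intune attributes landed on the random MAC's record ...
    ("2e1f3a4b5c02", {
        "Intune Azure AD Device Id": "0f8c1d2e-0000-4000-8000-000000000002",
        "Intune Device Registration State": "registered",
    }),
    # ... while the hardware MAC later seen on the RADIUS SSID has no Intune data at all.
    ("aabbccddee02", {}),
]


def build_endpoint_db(records=SAMPLE_ENDPOINTS):
    """Create an in-memory table shaped like tips_endpoints and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tips_endpoints (mac_address TEXT PRIMARY KEY, attributes TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO tips_endpoints (mac_address, attributes) VALUES (?, ?)",
        [(mac, json.dumps(attrs)) for mac, attrs in records],
    )
    conn.commit()
    return conn


def normalize_mac(mac):
    """Mimic %{Connection:Client-Mac-Address-NoDelim}: lowercase hex, no separators."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def authorize_mac_and_device_id(conn, client_mac, cert_device_id):
    """Mitchell's check: the MAC on the wire must belong to the endpoint record whose
    Intune Azure AD Device Id equals the identity taken from the client certificate.
    PostgreSQL's attributes->>'key' becomes SQLite's json_extract(attributes, '$."key"')."""
    row = conn.execute(
        """
        SELECT mac_address
          FROM tips_endpoints
         WHERE mac_address = ?
           AND json_extract(attributes, '$."Intune Azure AD Device Id"') = ?
        """,
        (normalize_mac(client_mac), cert_device_id.lower()),
    ).fetchone()
    return row is not None


def authorize_device_id_only(conn, cert_device_id):
    """Lookup keyed on the certificate's device id alone (Tim's advice): the result no
    longer depends on which MAC the client happens to present on this SSID."""
    row = conn.execute(
        """
        SELECT mac_address
          FROM tips_endpoints
         WHERE json_extract(attributes, '$."Intune Azure AD Device Id"') = ?
           AND json_extract(attributes, '$."Intune Device Registration State"') = 'registered'
        """,
        (cert_device_id.lower(),),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_endpoint_db()
    dev2 = "0f8c1d2e-0000-4000-8000-000000000002"
    print("laptop 2, HW MAC, MAC+id check:", authorize_mac_and_device_id(db, "AA-BB-CC-DD-EE-02", dev2))
    print("laptop 2, random MAC, MAC+id check:", authorize_mac_and_device_id(db, "2E:1F:3A:4B:5C:02", dev2))
    print("laptop 2, id-only check:", authorize_device_id_only(db, dev2))
```

The MAC-plus-id query is the stricter binding (it proves the presented certificate belongs to the endpoint record for this MAC), but it inherits the endpoint table's MAC key, which is exactly what randomization breaks; the id-only query trades that binding for stability across MACs, which is why the thread recommends it once a certificate is available.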
Original Message:
Sent: Jan 29, 2021 01:33 AM
From: Morten Johannsen
Subject: clearpass and microsoft intune
Hi Tim.
That's actually a good idea, then I just do one more validation under my enforcement policy that says something like, exists in domain x.
I'll try that, it's actually faster for ClearPass because it only needs to look in the domain where the certificate came from.
Thx
------------------------------
Morten Johannsen
Original Message:
Sent: Jan 27, 2021 12:33 PM
From: Tim C
Subject: clearpass and microsoft intune
Don't use authorization in the EAP method. Add your checks to the enforcement policy as part of your rules...
------------------------------
Tim C
Original Message:
Sent: Jan 25, 2021 05:03 AM
From: Morten Johannsen
Subject: clearpass and microsoft intune
Hi.
I can see it works with 2 different tenants, just 2 different IP addresses, but after reading the new V5 Intune integration, I'm not sure if the thing I want is the "correct" way to do it.
So the scenario is that my app team wants to use Intune instead of SCCM, so the computer object is created in Intune and not in our local domain; the certificate is still pulled from our local CA, and right now I'm using EAP-TLS with "Authorization Required" and it fails right now because the object is not in our local domain. So could I use the Intune extension with EAP-TLS authorization to see if the object is in our Intune and then allow it, and is that even the right way? I like the "authorization required" because it gives a second layer of security and checks the object and if it is active/deactivated. Should I keep the EAP-TLS authorization? It's an issue that the Intune extension syncs all the devices down because our domain already syncs all its devices to Intune, so it's a duplicate of my endpoints.
Hope you can help with my scenario.
Morten
------------------------------
Morten Johannsen
Original Message:
Sent: Jan 07, 2021 01:44 AM
From: Morten Johannsen
Subject: clearpass and microsoft intune
Hi Danny and Craig.
They are on two different tenants so it should be possible then.
Thx Danny, I'll take a look at the new guide, I just need the integration so I can use EAP-TLS with authorization so I'll look into it, it's only a PoC on our education network so I'll try following your recommendation.
thx both of you.
------------------------------
Morten Johannsen
Original Message:
Sent: Jan 06, 2021 01:50 PM
From: Danny Jump
Subject: clearpass and microsoft intune
Hey Morten,
Ensure you look at the latest version of the Intune integration guide, the latest version was a pivot from Aruba to move away from 'real-time' authZ + cache to a full ingest of all endpoints, even though the authZ still exists its capabilities changed a little to only being checked for already-known endpoints as there needs to be a process of converting MAC address to Azure AD ID before it's queried real-time.
See the latest guide here https://support.hpe.com/hpesc/public/docDisplay?docId=a00106086en_us written by some ex-Aruba dude apparently.
and YES, as per Craig's point, two extensions IF they are using different creds to auth into Intune/Azure.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 06, 2021 06:43 AM
From: Morten Johannsen
Subject: clearpass and microsoft intune
Hi, I know there's a guide for Intune and ClearPass.
My question is, can you have more than 1 Intune instance as an authentication source? We need at least 2.
1 for our normal domain and 1 for our education domain.
Is it as easy as installing 2 extensions? And how do you select them in the authentication source? With each their IP address?
------------------------------
Morten Johannsen
------------------------------