Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass and microsoft intune

  • 1.  clearpass and microsoft intune

    Posted Jan 06, 2021 06:43 AM
    Hi, I know there's a guide for Intune and ClearPass.

    My question is, can you have more than 1 Intune instance as an authentication source? We need at least 2.

    1 for our normal domain and 1 for our education domain.

    Is it as easy as installing 2 extensions? And how do you select them in the authentication source, with each their IP address?

    ------------------------------
    Morten Johannsen
    ------------------------------


  • 2.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Jan 06, 2021 08:56 AM
    Do each of your domains share the same tenantID or clientID or are they different?

    ------------------------------
    Craig Syme
    ------------------------------



  • 3.  RE: clearpass and microsoft intune
    Best Answer

    MVP
    Posted Jan 06, 2021 01:51 PM
    Hey Morten,

    Ensure you look at the latest version of the Intune integration guide. The latest version was a pivot from Aruba to move away from 'real-time' authZ + cache to a full ingest of all endpoints; even though the authZ still exists, its capabilities changed a little to only checking already-known endpoints, as there needs to be a process to convert MAC address to Azure AD ID before it's queried in real time.

    See the latest guide here https://support.hpe.com/hpesc/public/docDisplay?docId=a00106086en_us written by some ex-Aruba dude apparently.

    And YES, as per Craig's point, two extensions IF they are using different creds to auth into Intune/Azure.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 4.  RE: clearpass and microsoft intune

    Posted Jan 07, 2021 01:45 AM
    Hi Danny and Craig.

    They are on two different tenants, so it should be possible then.

    Thx Danny, I'll take a look at the new guide. I just need the integration so I can use EAP-TLS with authorization, so I'll look into it. It's only a PoC on our education network, so I'll try following your recommendation.

    Thx to both of you.

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 5.  RE: clearpass and microsoft intune

    Posted Jan 25, 2021 05:04 AM
    Hi.

    I can see it works with 2 different tenants, just 2 different IP addresses, but after reading the new V5 Intune integration guide, I'm not sure if the thing I want is the "correct" way to do it.
    So the scenario is that my app team wants to use Intune instead of SCCM, so the computer object is created in Intune and not in our local domain. The certificate is still pulled from our local CA, and right now I'm using EAP-TLS with "Authorization Required" and it fails right now because the object is not in our local domain. So could I use the Intune extension with EAP-TLS authorization to see if the object is in our Intune and then allow it, and is that even the right way? I like the "authorization required" because it gives a second layer of security and checks the object and whether it is active/deactivated. Should I keep the EAP-TLS authorization? It's an issue that the Intune extension syncs all the devices down, because our domain already syncs all its devices to Intune, so it's a duplicate of my endpoints.
    Hope you can help with my scenario.
    Morten

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 6.  RE: clearpass and microsoft intune

    MVP
    Posted Jan 26, 2021 09:12 PM
    I think I've accomplished this, I've just pinged an SE in Netherlands to see if he can chime in on this thread to help.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Jan 27, 2021 12:34 PM
    Don't use authorization in the EAP method. Add your checks to the enforcement policy as part of your rules...

    ------------------------------
    Tim C
    ------------------------------



  • 8.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 01:34 AM
    Hi Tim.

    That's actually a good idea; then I just do one more validation under my enforcement policy that says something like "exists in domain x".

    I'll try that; it's actually faster for ClearPass because it only needs to look in the domain where the certificate came from.

    Thx

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 9.  RE: clearpass and microsoft intune

    EMPLOYEE
    Posted Jan 29, 2021 04:01 AM
    Hi Morten,

    The new V5 Intune Extension stores a lot of information in the endpoint database. You could make some additional checks/compares based on the provided certificate and the information in the endpoint database with a SQL statement like:

    SELECT mac_address AS User_Password
    FROM tips_endpoints
    WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
      AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

    That would at least allow you to enforce authorization. That being said, you could also make a role mapping:

    Regards,

    Mitchell


  • 10.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Jan 29, 2021 09:36 AM
    You should always be using this method. Never use the default MAC address-based integration.

    ------------------------------
    Tim C
    ------------------------------



  • 11.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 10:25 AM
    What is the implication of MAC Randomization (every 24 hours on iOS) with Intune v5 since the query to Intune is based on MAC ?

    ------------------------------
    Christian Chautems
    ------------------------------



  • 12.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Apr 15, 2021 10:30 AM
    MAC addresses do not change every 24 hours in iOS.

    ------------------------------
    Tim C
    ------------------------------



  • 13.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 10:58 AM
    I have found conflicting comments via Google on this 24-hour topic, but I have reports from customers about more problems with MAC caching on Guest Wi-Fi since iOS 14 that seem related to MAC randomization.

    But anyway, even if the random MAC stays the same when connected to a specific SSID over time, what is the MAC registered to Intune, the physical one or the random MAC? What happens when the user connects his iPhone to another SSID and the Intune info is updated?

    Thanks for help
    Regards

    ------------------------------
    Christian Chautems
    ------------------------------



  • 14.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Apr 15, 2021 11:03 AM
    In general, MAC should never be used as a lookup value. You should use the device ID from the client certificate for any kind of lookup value.

    ------------------------------
    Tim C
    ------------------------------



  • 15.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 11:10 AM

    Then we must adjust the Filter Query of the Intune HTTP Auth source to what ?

    I am referring to the latest Clearpass - Intune integration guide (03-2021) pg 27

    Thanks & kind regards



    ------------------------------
    Christian Chautems
    ------------------------------



  • 16.  RE: clearpass and microsoft intune

    Posted Apr 16, 2021 05:14 AM
    Hello Tim,

    I understand your previous comment about not using MAC for lookup, but the ClearPass Intune Extension looks to be based on the CPPM Endpoint DB, which is indexed by MAC.

    Also I have searched more about the 24-hour MAC Randomization on iOS and it seems that it was only enabled in the beta of version 14. At this moment you are correct, but it may be implemented by default in the future.

    I did the following tests:

    CPPM Setup

    - Intune Extension installed and active

    - RADIUS SSID 802.1x using PEAP
    Authentication Source = Local User DB
    Authorization Source = Local User DB + Intune HTTP (using Filter "%{Connection:Client-Mac-Address-Hyphen}")
    Role Mapping with (Authorization:Intune:Intune Device Registration State EQUALS registered)
    Enforcement following above Role Mapping that doesn't allow access if device not registered in Intune



    1st test using Laptop which doesn't support MAC Randomization (old Wifi NIC)

    1 - connect to Home Wifi (PSK)

    2 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
    Device is added to the Endpoint DB using its HW MAC Address & Intune attributes are updated OK

    3 - connect to RADIUS SSID and get network access since it was successfully registered to Intune

    2nd test using Laptop which is supporting MAC Randomization

    1 - connect to Home Wifi (PSK) and enable "Random Hardware Address" only on this SSID

    2 - Try to connect to RADIUS SSID but unsuccessful since the device is not registered to Intune (normal)

    3 - reconnect to Home Wifi (PSK)

    4 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
    Device is added to the Endpoint DB using its Random MAC Address & Intune attributes are updated OK

    5 - connect to RADIUS SSID using its HW MAC Address and Laptop access is rejected
    The Endpoint DB contains now 2 entries for same PC, 1 for Random MAC (used when registering to Intune with Intune attributes set OK)
    and 1 for HW MAC when connecting to RADIUS SSID without Intune attributes
    Intune Extension has queried Intune Cloud using HW MAC and got back MAC Address <HW MAC> does not have an "Intune ID"

    6 - reconnect to Home SSID (PSK) but using HW MAC this time and force Intune resync

    7 - reconnect to RADIUS SSID using its HW MAC Address and Laptop access is accepted this time since the Endpoint DB has been updated by Intune

    Attached is the Intune Extension log with comments.

    My customer scenario is to use Intune to allow Onboarding of only Corporate devices which are registered to Intune. Then at this step we don't have any Certificate to check with Intune when connecting to the Guest SSID (dual SSID Onboarding) or when using PEAP (single SSID Onboarding) at the start of the Onboarding procedure.

    I have also looked at the video series "ClearPass integration with Intune and Azure AD" but not found any relevant information.

    Please advise how to use Intune with MAC Randomization.

    Thanks & kind regards

    ------------------------------
    Christian Chautems
    ------------------------------

    Attachment(s): Intune-log-WKSCCS05-2.txt (txt, 8 KB, 1 version)


  • 17.  RE: clearpass and microsoft intune

    MVP EXPERT
    Posted Apr 16, 2021 08:50 AM
    Onboard is not designed for use with managed devices. A network configuration and identity should be provisioned via Intune.

    ------------------------------
    Tim C
    ------------------------------



  • 18.  RE: clearpass and microsoft intune

    Posted Sep 24, 2021 03:12 PM
    @christian.chautems@swisscom.com Did you ever find a solution to your issue? I'm seeing the same issue now, as I'm seeing Intune devices being enrolled with the incorrect MAC address, and when CPPM references the Endpoint DB it's looking up the wrong MAC address that has no Intune Attributes. And thus these devices will not connect.

    ------------------------------
    Stephen Edwards
    ------------------------------



  • 19.  RE: clearpass and microsoft intune

    Posted Nov 10, 2021 03:10 AM

    I was able to make this work by adding an Intune query (thanks to @Herman Robers) to the [Endpoint Repository] Authentication Source.

    By matching {Certificate:Subject-CN} to 'Intune ID', I was able to do EAP-TLS Authorization of the Intune endpoint, while the endpoint had MAC Randomization enabled.
    Remember to use custom EAP-TLS Authentication method with AuthZ disabled.

    I was not able to match 'Intune Azure AD Device ID', since the certificate common name (CN) did not match with this ID.
    So please note which ID your certificate CN matches and adjust accordingly in the query below (your mileage may vary)

    New filter query [Endpoint Repository]:

    SELECT attributes->>'Intune User Principal Name' AS "Intune User Principal Name",
           attributes->>'Intune Model' AS "Intune Model",
           attributes->>'Intune Jail Broken' AS "Intune Jail Broken",
           attributes->>'Intune Operating System' AS "Intune Operating System",
           attributes->>'Intune Managed Device Owner Type' AS "Intune Managed Device Owner Type",
           attributes->>'Intune Management Agent' AS "Intune Management Agent",
           attributes->>'Intune Azure AD Registered' AS "Intune Azure AD Registered"
    FROM tips_endpoints
    WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}');




    ------------------------------
    Thomas G - ACCX#1172
    ------------------------------
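The difference between the MAC-keyed lookup that fails in the test sequence above (two endpoint rows for one laptop, only the random-MAC row carrying Intune attributes) and the certificate-keyed filter query in the previous post can be reproduced offline. The block below is an added example and is not ClearPass code: an in-memory sqlite3 table named like the page's tips_endpoints stands in for the ClearPass database, json_extract() stands in for the PostgreSQL ->> operator, and all endpoint rows, GUIDs and the user name are constructed placeholders.

```python
import json
import sqlite3

# Constructed sample rows (not real data): one laptop, two endpoint entries.
# Row 1 is the random MAC it used while enrolling, so the Intune attributes
# landed there; row 2 is its hardware MAC as seen on the RADIUS SSID, which the
# extension could not match in Intune. GUIDs and UPN are placeholders.
SAMPLE_ENDPOINTS = [
    ("3a1f9c2b7d4e", {
        "Intune ID": "11111111-aaaa-4bbb-8ccc-000000000001",
        "Intune Azure AD Device Id": "22222222-bbbb-4ccc-8ddd-000000000002",
        "Intune Device Registration State": "registered",
        "Intune User Principal Name": "laptop-user@example.invalid",
        "Intune Operating System": "Windows",
    }),
    ("a0b1c2d3e4f5", {}),
]


def attr(name: str) -> str:
    """SQL expression for one JSON attribute; stands in for attributes->>'name'."""
    return f"json_extract(attributes, '$.\"{name}\"')"


def build_db() -> sqlite3.Connection:
    """Create the stand-in endpoint table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_endpoints "
                 "(mac_address TEXT PRIMARY KEY, attributes TEXT NOT NULL)")
    conn.executemany("INSERT INTO tips_endpoints VALUES (?, ?)",
                     [(mac, json.dumps(a)) for mac, a in SAMPLE_ENDPOINTS])
    return conn


def lookup_by_mac(conn: sqlite3.Connection, client_mac_nodelim: str):
    """Default MAC-keyed lookup; returns the attribute dict, or None if no row."""
    row = conn.execute("SELECT attributes FROM tips_endpoints "
                       "WHERE mac_address = LOWER(?)", (client_mac_nodelim,)).fetchone()
    return json.loads(row[0]) if row else None


def lookup_by_cert_cn(conn: sqlite3.Connection, subject_cn: str):
    """Certificate-keyed lookup in the shape of post 19's filter query:
    match the certificate CN against 'Intune ID' instead of the MAC."""
    cols = ["Intune User Principal Name", "Intune Operating System",
            "Intune Device Registration State"]
    sql = ("SELECT " + ", ".join(f'{attr(c)} AS "{c}"' for c in cols)
           + f" FROM tips_endpoints WHERE {attr('Intune ID')} = LOWER(?)")
    row = conn.execute(sql, (subject_cn,)).fetchone()
    return dict(zip(cols, row)) if row else None


def mac_bound_to_username(conn: sqlite3.Connection, client_mac_nodelim: str,
                          username: str) -> bool:
    """Post 9's authorization check: the connecting MAC's row must carry the
    Azure AD Device Id that the EAP-TLS identity presented."""
    sql = (f"SELECT mac_address FROM tips_endpoints WHERE mac_address = LOWER(?) "
           f"AND {attr('Intune Azure AD Device Id')} = LOWER(?)")
    return conn.execute(sql, (client_mac_nodelim, username)).fetchone() is not None


def is_registered(attrs) -> bool:
    """The role-mapping condition from the test above: registration state EQUALS registered."""
    return bool(attrs) and attrs.get("Intune Device Registration State") == "registered"


if __name__ == "__main__":
    db = build_db()
    # Hardware MAC on the RADIUS SSID: row exists but carries no Intune data.
    print("by HW MAC  :", is_registered(lookup_by_mac(db, "A0B1C2D3E4F5")))
    # Same laptop keyed on its certificate CN: found regardless of which MAC it uses.
    print("by cert CN :", lookup_by_cert_cn(db, "11111111-AAAA-4BBB-8CCC-000000000001"))
```

The certificate-keyed query returns the same row whether the client presents its hardware or a randomized MAC, because the key is the Intune ID in the certificate rather than the layer-2 address the extension happened to record during enrolment; the MAC-keyed path and the MAC-to-Device-Id binding check both hit the attribute-less hardware-MAC row and deny.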



  • 20.  RE: clearpass and microsoft intune

    Posted Nov 30, 2021 10:09 AM
    I'm trying to get this to work as well.
    However I seem to be doing something wrong.

    I've added the filter to the [Endpoints Repository] source as mentioned.
    I've also checked all my settings in the service.

    However as soon as my test device connects to the network I get an alert stating: "HTTP attribute query returned error=404" if I then take a look at the intune log I see the below output.

    [2021-11-30T16:01:46.734] [INFO] Intune - [/device/info/id/:intuneId] request received from ::ffff:172.17.0.1.
    [2021-11-30T16:01:46.824] [DEBUG] Intune - Request "GET '/endpoint'" took 90 ms.
    [2021-11-30T16:01:46.825] [WARN] Intune - No endpoint with the Intune ID undefined was found in ClearPass.

    The Intune plugin is syncing without any issue. However, if I look up my test device by its MAC address, it's not being populated with any Intune information.

    The certificate in our environment has the "Azure AD Device ID" as the Subject-CN value.

    Does anyone have any tips on where to look for a solution?



    ------------------------------
    Hans Oele
    ------------------------------



  • 21.  RE: clearpass and microsoft intune

    Posted Feb 25, 2022 06:11 AM

    Hi Hans,

    Did you get anywhere with this? I've been trying to do what you're doing but my extension log shows that it's looking up a mac, even though I send it the certificate CN.

    This is what my log shows. E.g. /device/info:mac but yours shows /device/info:intuneId

    [2022-02-25T10:58:14.101] [INFO] Intune - [/device/info/:mac] request received from ::ffff:172.17.0.1.
    [2022-02-25T10:58:14.248] [DEBUG] Intune - Request "GET '/endpoint'" took 146 ms.
    [2022-02-25T10:58:14.248] [WARN] Intune - No endpoint with the MAC Address 93fasd1a-7c31-4904-8f64-499a5cf0ed92 was found in ClearPass.



    ------------------------------
    James Whitehead
    ------------------------------
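The two extension logs quoted in the last two posts differ in a way that is easy to miss when reading by eye: one request arrives on the /:intuneId route with an empty key, the other on the /:mac route carrying a GUID-shaped value. The following is an added example (not ClearPass or extension code) that parses such lines and labels each failed lookup; the sample log is the page's own lines, the route and key-shape checks are my own reading of them, and the diagnosis strings are assumptions about what each shape usually indicates.

```python
import re

# Sample input: the extension log lines quoted in posts 20 and 21 of the thread.
SAMPLE_LOG = """\
[2021-11-30T16:01:46.734] [INFO] Intune - [/device/info/id/:intuneId] request received from ::ffff:172.17.0.1.
[2021-11-30T16:01:46.824] [DEBUG] Intune - Request "GET '/endpoint'" took 90 ms.
[2021-11-30T16:01:46.825] [WARN] Intune - No endpoint with the Intune ID undefined was found in ClearPass.
[2022-02-25T10:58:14.101] [INFO] Intune - [/device/info/:mac] request received from ::ffff:172.17.0.1.
[2022-02-25T10:58:14.248] [DEBUG] Intune - Request "GET '/endpoint'" took 146 ms.
[2022-02-25T10:58:14.248] [WARN] Intune - No endpoint with the MAC Address 93fasd1a-7c31-4904-8f64-499a5cf0ed92 was found in ClearPass.
"""

# Which lookup route the extension served, and which key it could not find.
ROUTE_RE = re.compile(r"\[/device/info(?:/id)?/:(intuneId|mac)\] request received")
NOTFOUND_RE = re.compile(r"No endpoint with the (Intune ID|MAC Address) (\S+) was found")
# Key shapes: 12 hex digits or six colon/hyphen-separated pairs for a MAC;
# 8-4-4-4-12 alphanumerics for a GUID-like Intune/Azure AD id (shape only,
# so the page's non-hex '93fasd1a...' value still classifies as GUID-shaped).
MAC_RE = re.compile(r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.I)
GUID_SHAPE_RE = re.compile(
    r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$", re.I)


def classify_lookup(key_kind: str, value: str) -> str:
    """Short diagnosis for one failed lookup (assumed interpretations, see lead-in)."""
    if value == "undefined":
        return f"{key_kind} lookup with an empty key: likely the filter query macro expanded to nothing"
    if key_kind == "MAC Address" and GUID_SHAPE_RE.match(value):
        return "MAC lookup received a GUID-shaped value: likely the auth source is still on the MAC route"
    if key_kind == "MAC Address" and not MAC_RE.match(value):
        return "MAC lookup received a value that is not a MAC"
    if key_kind == "Intune ID" and not GUID_SHAPE_RE.match(value):
        return "Intune ID lookup received a value that is not GUID-shaped"
    return f"{key_kind} lookup with a well-formed key: endpoint not synced yet"


def analyse(log_text: str) -> list:
    """Pair each 'No endpoint ... was found' warning with the route that
    preceded it and return one finding dict per failed lookup."""
    findings = []
    last_route = None
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            last_route = m.group(1)
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            kind, value = m.group(1), m.group(2)
            findings.append({"route": last_route, "key_kind": kind, "value": value,
                             "diagnosis": classify_lookup(kind, value)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"route=/:{f['route']:<8} key={f['value']:<40} {f['diagnosis']}")
```

Run against a full extension log, the route column tells you which lookup the authorization source is actually issuing, and the key column tells you whether the value ClearPass substituted into the filter query is of the kind that route expects; checking both before touching the filter query avoids chasing a sync problem when the request shape is the issue.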



  • 22.  RE: clearpass and microsoft intune

    Posted Feb 25, 2022 06:21 AM
    Hi James,

    Unfortunately there is no solution at the moment if you are using wired connections for clients without a wireless adapter.
    The Graph API doesn't give wired MAC addresses back to the plugin.
    I know that Microsoft is looking into this, but there is no time schedule for when this will be changed.

    For our customer we decided to use old fashioned 802.1x for now for wired authentication.

    ------------------------------
    Hans Oele
    ------------------------------



  • 23.  RE: clearpass and microsoft intune

    Posted Feb 25, 2022 06:31 AM
    Edit: found the answer and have the same result as you.


  • 24.  RE: clearpass and microsoft intune

    Posted Feb 25, 2022 07:08 AM

    Hi James,

    For the wireless connections we use the mac address.

    Kind regards,

    Hans Oele
    Technical Consultant Datacenter
    +31650731467
    Hans.Oele@sltn.nl
    www.sltn.nl
    Colosseum 9
    1213 NN Hilversum
    +31 35 688 84 00


  • 25.  RE: clearpass and microsoft intune

    Posted Feb 25, 2022 07:14 AM
    We've encountered a slightly different issue to yours.

    Personal Android devices enrolled in Intune since Oct '21 don't have a Wi-Fi MAC address attribute, so you can't sync them to the endpoint repo.

    I was hoping to do a lookup using the Intune ID rather than the MAC to get things working but, well you know how that went. 

    Thanks for the replies. Sorry to everyone else for hijacking the thread somewhat.

    ------------------------------
    James Whitehead
    ------------------------------