Clearpass Intune - User attributes

  • 1.  Clearpass Intune - User attributes

    Posted Oct 30, 2020 09:51 AM
    Hi
    Does anyone know if it's possible to extend the Intune Extension V5 to get, for example, the "department" attribute of the assigned user in addition to the information already available (Display Name, ID, etc.)?

    Thanks.

    ------------------------------
    Andreas Odermatt
    ------------------------------


  • 2.  RE: Clearpass Intune - User attributes

    Posted Oct 30, 2020 10:06 AM


    ------------------------------
    Victor Fabian
    ------------------------------



  • 3.  RE: Clearpass Intune - User attributes

    Posted Oct 30, 2020 03:39 PM
    Hey Andreas,

    I've looked into this today and we can add this as an optional switch in the extension config; it makes a lot of sense to be able to tie the device to some abstracted group for access rights.

    But I'd like to grab a Zoom meeting with you to ensure I understand what you want exactly. I'm in California, currently CET +8 (guessing CET from your name, if you don't mind), but after this weekend I'm back to CET +9...

    You can email me direct jump@hpe.com and we can set up a convenient time to talk.

    Cheers


    ------------------------------
    Danny Jump
    ClearPass Policy Manager - Product Manager
    ------------------------------



  • 4.  RE: Clearpass Intune - User attributes

    Posted Sep 08, 2021 02:44 AM

    Hello, Danny,

    Are there any updates on this topic?

    Currently we are looking for basically the same functionality: to get additional User attributes with the Intune Extension to enforce different user access rights.

    With the Intune Extension we have some User attributes. One of them is "Intune User ID"; it would be useful to also get the User's "Groups" or "Department" for the same "Intune User ID".

     

    Thanks!



    ------------------------------
    kestutis@whitebit.lt
    ------------------------------



  • 5.  RE: Clearpass Intune - User attributes

    Posted Sep 08, 2021 10:03 AM
    There is no user context for a device. Intune is for device identity only.

    ------------------------------
    Tim C
    ------------------------------



  • 6.  RE: Clearpass Intune - User attributes

    Posted Sep 09, 2021 06:17 AM

    Hi Tim,

    Thanks for your reply,

    I do understand that MS Intune is for device identity.

    But according to the Aruba ClearPass Intune integration guide (V5), we have to grant the "User.Read" (Sign in and read user profile) permission in the Azure Microsoft Graph API that is used for the Intune Extension. And indeed, when the Intune extension creates an Endpoint there is information about the current User in the Endpoint Attributes:

    [Image: Intune Extension Endpoint User Attributes]
    Thanks!



    ------------------------------
    Kestutis Virsilas
    kestutis@whitebit.lt
    ------------------------------



  • 7.  RE: Clearpass Intune - User attributes

    Posted Sep 09, 2021 07:13 AM
    That is the user who the device is assigned to and is not relevant to the active session.







  • 8.  RE: Clearpass Intune - User attributes

    Posted Sep 10, 2021 02:22 AM
    Hi Kestutis
    Last year I had the chance to talk with Danny Jump. There are other very big companies requesting exactly the same feature.
    I don't know the current status, but I also hope we can have access to AAD Users and Groups information soon.

    Best regards,
    Andreas



    ------------------------------
    Andreas Odermatt
    ------------------------------



  • 9.  RE: Clearpass Intune - User attributes

    Posted Sep 10, 2021 05:43 AM

    Hi, Andreas,

    Thanks for your reply,

    As Tim mentioned, the User attributes in the Intune Extension are for the user to whom the device is assigned, so they are irrelevant for user authorization.

    I know that Azure AD User group information ("memberOf") can be called from the MS Graph API using "GET https://graph.microsoft.com/v1.0/users/{id}/memberOf" after OAuth2 authentication. As I understand and can see from the Guest Application logs, ClearPass Guest Social login uses OAuth and gets User group membership this way.

    I found this post of Danny's about the ClearPass Universal Authentication Proxy Extension: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=18935

    Maybe it could be adapted for OAuth communication with Azure AD, and then the extension used as an HTTP Auth source like it is done with Intune.

    Unfortunately, I haven't found much information about the CPPM UAP Extension.


    Regards



    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 10.  RE: Clearpass Intune - User attributes

    Posted Sep 10, 2021 05:56 AM
    Hi Kestutis

    Thanks for the additional information about UAP. I will check it out.
    Each device in Intune also has a primary user assigned. I need additional information on group memberships from the primary user, and not from the user who registered the device and is synced by the ClearPass Extension.
    Maybe I have to build my own Sync Script with MS Graph API and Clearpass API... 

    Andreas



    ------------------------------
    Andreas Odermatt
    ------------------------------
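The sync script Andreas mentions in post 10, built on the `memberOf` call Kestutis quotes in post 9, as an added example; this is not Aruba/HPE code and not part of the thread. It assumes: Graph client-credentials auth with an application permission that allows reading group membership (Group.Read.All or Directory.Read.All, which is more than the User.Read permission the integration guide grants); that the "Intune User ID" endpoint attribute is the Azure AD user object id (a guess); the ClearPass REST API endpoints `/api/oauth` and `PATCH /api/endpoint/mac-address/{mac}` as documented in the ClearPass API Explorer; and a hypothetical custom endpoint attribute named `AAD Groups`. As Tim points out, this is the assigned user's membership, not that of the active session, so the attribute is only useful for device-scoped policy.

```python
"""Sync Azure AD group membership of a device's assigned user into a ClearPass
endpoint attribute (added example; all names and API paths are assumptions)."""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Hypothetical name of the custom endpoint attribute written into ClearPass.
GROUP_ATTRIBUTE = "AAD Groups"


def http_json(method, url, headers=None, form=None, body=None):
    """Small urllib wrapper: send a form (token requests) or a JSON body and
    decode the JSON response. Tests replace it with a fake transport."""
    hdrs = dict(headers or {})
    data = None
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        raw = resp.read().decode()
    return json.loads(raw) if raw else {}


def graph_token(tenant, client_id, client_secret, http=http_json):
    """OAuth2 client-credentials token for Microsoft Graph."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    return http("POST", url, form={
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })["access_token"]


def user_group_names(token, user_id, http=http_json):
    """GET /users/{id}/memberOf, following @odata.nextLink pages (Graph pages
    large result sets). Only real groups are kept: memberOf also lists
    directory roles, which should not leak into a network-access decision."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user_id)}/memberOf"
    headers = {"Authorization": f"Bearer {token}"}
    names = []
    while url:
        page = http("GET", url, headers=headers)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                names.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return sorted(set(names))


def build_endpoint_attributes(groups):
    """Flatten the group list into one pipe-separated ClearPass attribute."""
    return {GROUP_ATTRIBUTE: "|".join(groups)}


def cppm_token(host, client_id, client_secret, http=http_json):
    """ClearPass REST API client-credentials token (assumed POST /api/oauth)."""
    return http("POST", f"https://{host}/api/oauth", body={
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })["access_token"]


def sync_endpoint(host, token, mac, groups, http=http_json):
    """PATCH the endpoint record (assumed /api/endpoint/mac-address/{mac}) so
    the attribute can be referenced as Endpoint:AAD Groups in enforcement
    policy. Returns the decoded API response."""
    return http("PATCH", f"https://{host}/api/endpoint/mac-address/{mac}",
                headers={"Authorization": f"Bearer {token}"},
                body={"attributes": build_endpoint_attributes(groups)})


if __name__ == "__main__":
    # Secrets come from the environment, never from the script itself.
    env = os.environ
    gtok = graph_token(env["AAD_TENANT"], env["AAD_CLIENT_ID"], env["AAD_CLIENT_SECRET"])
    # INTUNE_USER_ID: the "Intune User ID" endpoint attribute of the device
    groups = user_group_names(gtok, env["INTUNE_USER_ID"])
    ctok = cppm_token(env["CPPM_HOST"], env["CPPM_CLIENT_ID"], env["CPPM_CLIENT_SECRET"])
    print(sync_endpoint(env["CPPM_HOST"], ctok, env["ENDPOINT_MAC"], groups))
```

The Graph and ClearPass clients should each be dedicated API clients with read-only Graph scope and an endpoint-write-only ClearPass operator profile; in a production run you would iterate over endpoints the Intune Extension created rather than a single MAC from the environment.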



  • 11.  RE: Clearpass Intune - User attributes

    Posted Sep 29, 2021 12:09 AM
    If you use Azure AD as a social login in the guest portal and tick Group Membership, social_groups is populated in the endpoint. Not particularly useful since you want it directly from Intune, but might be a workaround for the time being?

    ------------------------------
    James Andrewartha
    ------------------------------