There are some more options, but Cloud Auth as of today is for unmanaged devices, which is why people need to go through the provisioning process. This is similar to Onboard for ClearPass and BYOD.
If you have Intune, it makes the most sense to enroll certificates from there, and with the Intune extension, you can sync ClearPass with Intune and use the
lower part of this post to query the endpoint database, instead of by MAC, as MAC randomization these days breaks validation/mapping based on MAC.
Then the Azure AD Domain Services, as you mention, is the same scenario, just with additional authorization.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 19, 2022 01:13 PM
From: Jukka Aaltonen
Subject: Azure as identity source for wireless access
Is it possible to use Intune to push Central Cloud Authentication profiles? Or is the only option to go through the laptops and either install the onboarding app or use the web onboarding?
With browser-based onboarding, does it give the user some sort of profile for newer Windows 10 machines so that the next time the user comes to the office (in a week or two, meanwhile using other SSIDs) they can use the office SSID automatically without going through the onboarding process again? I'd rather not install extra apps on the laptops.
Trying to understand the options we have when using Azure AD as the identity source (in this case we don't have on-prem AD anymore). It seems the options are:
- Use Cloud Auth
- Provision certificates from Intune and do "EAP-TLS no Authentication" with ClearPass and just check the certificate + maybe some Intune parameters like MAC address if it matches
- Use Azure AD Domain Services and configure ClearPass to do LDAPS to Azure (and we still need the certificates for EAP-TLS)