Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Azure as identity source for wireless access

  • 1.  Azure as identity source for wireless access

    Posted Jan 19, 2022 01:13 PM
    Is it possible to use Intune to push Central Cloud Authentication profiles? Or is the only option to go through the laptops and either install the onboarding app or use the web onboarding?

    With browser-based onboarding, does it give the user some sort of profile for newer Windows 10 machines so that the next time the user comes to the office (in a week or two, meanwhile using other SSIDs) they can use the office SSID automatically without going through the onboarding process again? I'd rather not install extra apps on the laptops.

    Trying to understand the options we have when using Azure AD as the identity source (in this case we don't have on-prem AD anymore). The options seem to be:
    - Use Cloud Auth
    - Provision certificates from Intune and do "EAP-TLS no Authentication" with ClearPass and just check the certificate + maybe some Intune parameters like MAC address if it matches
    - Use Azure AD Domain Services and configure ClearPass to do LDAPS to Azure (and we still need the certificates for EAP-TLS)


  • 2.  RE: Azure as identity source for wireless access

    EMPLOYEE
    Posted Jan 20, 2022 10:34 AM
    There are some more options, but Cloud Auth as of today is for unmanaged devices, which is why people need to go through the provisioning process. This is similar to Onboard for ClearPass and BYOD.

    If you have Intune, it makes the most sense to enroll certificates from there, and with the Intune extension, you can sync ClearPass with Intune and use the lower part of this post to query the endpoint database, instead of by MAC, as MAC randomization these days breaks validation/mapping based on MAC.

    Then the Azure AD Domain Services, as you mention, is the same scenario, just with additional authorization.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Azure as identity source for wireless access

    Posted Jan 20, 2022 11:06 AM
    I had a bit of luck today and learned that all the laptops we have in Intune have already been issued machine certificates. So I guess our best option would be to do "EAP-TLS no authentication", match these clients' certificates to a certain CA, and then allow them onto our WLAN.

    Before that I was reading that SCEPMan and EJBCA would be some good alternatives to do certificates with Intune. So if anyone is reading this later on they should look into these too :) Also SecureW2 I heard is a service that could help in this regard.

    But for our clients we did have NDES service in our DC that has issued certificates for the clients via SCEP protocol.

    Now I guess the only thing left is to figure out how to configure EAP-TLS for the clients and ClearPass, which should be quite straightforward. Even though we've had issues with mobile phones, and ClearPass only told us something like "CA error" or something. I'm thinking it's more about the endpoint and not ClearPass, as we have all the CAs trusted. I'm building a lab to see how this works.
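The authorization decision the thread converges on (EAP-TLS with no user authentication, accept the device only if its certificate chains to the Intune/NDES issuing CA, and do not rely on MAC address because of MAC randomization) can be modelled end to end with Go's standard library. The following is an added example, not code from the thread, ClearPass or Intune: it constructs a throwaway issuing CA, an unrelated CA and four device certificates, then runs a `AuthorizeDevice` policy over them. All CA names, device names and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testCA is a constructed issuing CA standing in for the NDES/SCEP CA that
// enrolled the Intune-managed laptops. Fixture only, not real PKI material.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		panic(err)
	}
	return n
}

// newTestCA builds a self-signed CA valid around 'now' (panics on fixture errors).
func newTestCA(name string, now time.Time) *testCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &testCA{cert: cert, key: key}
}

// issueDeviceCert issues a device certificate with the given EKUs and expiry,
// the way an NDES/SCEP enrollment would for an Intune-managed laptop.
func (ca *testCA) issueDeviceCert(cn string, ekus []x509.ExtKeyUsage, now, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// AuthorizeDevice is the policy decision from the thread: accept the presented
// EAP-TLS client certificate only if it chains to the trusted issuing CA, is
// within its validity period at 'now', and is usable for client authentication.
// The client MAC address plays no part, so MAC randomization cannot break it.
// Revocation (CRL/OCSP) is NOT checked here; a real deployment must add that.
func AuthorizeDevice(presented, trustedRoot *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// RunScenarios exercises AuthorizeDevice against four constructed certificates
// and returns the outcome per scenario (nil means "allowed onto the WLAN").
func RunScenarios() map[string]error {
	now := time.Now()
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	trusted := newTestCA("Example Intune Issuing CA (constructed)", now)
	other := newTestCA("Unrelated CA (constructed)", now)
	return map[string]error{
		"valid":      AuthorizeDevice(trusted.issueDeviceCert("LAPTOP-01", clientAuth, now, now.Add(24*time.Hour)), trusted.cert, now),
		"expired":    AuthorizeDevice(trusted.issueDeviceCert("LAPTOP-02", clientAuth, now, now.Add(-time.Minute)), trusted.cert, now),
		"server_eku": AuthorizeDevice(trusted.issueDeviceCert("LAPTOP-03", serverAuth, now, now.Add(24*time.Hour)), trusted.cert, now),
		"other_ca":   AuthorizeDevice(other.issueDeviceCert("LAPTOP-04", clientAuth, now, now.Add(24*time.Hour)), trusted.cert, now),
	}
}

func main() {
	for name, err := range RunScenarios() {
		if err == nil {
			fmt.Printf("%-10s allowed\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

Only the certificate from the pinned issuing CA, inside its validity window and carrying the Client Authentication EKU, is allowed; the expired one, the one with a server-only EKU and the one from another CA are all rejected with a distinct error, which is the kind of distinction that helps when an endpoint only reports a generic "CA error". Two caveats for a production policy: Go's `Verify` (like this example) does no revocation checking, and pinning the issuing CA alone means any device that CA enrolls is accepted, which is why the earlier reply suggests also querying the Intune endpoint database rather than stopping at chain validation.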