Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

clearpass and microsoft intune

  • 1.  clearpass and microsoft intune

    Posted Jan 06, 2021 06:43 AM
    Hi, I know there's a guide for Intune and ClearPass.

    My question is, can you have more than 1 Intune instance as an authentication source? We need at least 2.

    1 for our normal domain and 1 for our education domain.

    Is it as easy as installing 2 extensions? And how do you select them in the authentication source, with each their IP address?

    ------------------------------
    Morten Johannsen
    ------------------------------


  • 2.  RE: clearpass and microsoft intune

    Posted Jan 06, 2021 08:56 AM
    Do each of your domains share the same tenantID or clientID or are they different?

    ------------------------------
    Craig Syme
    ------------------------------



  • 3.  RE: clearpass and microsoft intune
    Best Answer

    Posted Jan 06, 2021 01:51 PM
    Hey Morten,

    Ensure you look at the latest version of the Intune integration guide. The latest version was a pivot from Aruba to move away from 'real-time' authZ + cache to a full ingest of all endpoints. Even though the authZ still exists, its capabilities changed a little to only checking for already-known endpoints, as there needs to be a process of converting the MAC address to an Azure AD ID before it's queried in real time.

    See the latest guide here https://support.hpe.com/hpesc/public/docDisplay?docId=a00106086en_us written by some ex-Aruba dude apparently.

    And YES, as per Craig's point, two extensions IF they are using different creds to auth into Intune/Azure.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 4.  RE: clearpass and microsoft intune

    Posted Jan 07, 2021 01:45 AM
    Hi Danny and Craig.

    They are on two different tenants, so it should be possible then.

    Thx Danny, I'll take a look at the new guide. I just need the integration so I can use EAP-TLS with authorization, so I'll look into it. It's only a PoC on our education network, so I'll try following your recommendation.

    Thx both of you.

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 5.  RE: clearpass and microsoft intune

    Posted Jan 25, 2021 05:04 AM
    Hi.

    I can see it works with 2 different tenants, just 2 different IP addresses, but after reading the new V5 Intune integration guide, I'm not sure if the thing I want is the "correct" way to do it.

    So the scenario is that my app team wants to use Intune instead of SCCM, so the computer object is created in Intune and not in our local domain. The certificate is still pulled from our local CA, and right now I'm using EAP-TLS with "Authorization Required", and it fails right now because the object is not in our local domain. So could I use the Intune extension with EAP-TLS authorization to see if the object is in our Intune and then allow it, and is that even the right way? I like the "Authorization Required" because it gives a second layer of security and checks the object and whether it is active/deactivated. Should I keep the EAP-TLS authorization? It's an issue that the Intune extension syncs all the devices down, because our domain already syncs all its devices to Intune, so it's a duplicate of my endpoints.

    Hope you can help with my scenario.
    Morten

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 6.  RE: clearpass and microsoft intune

    Posted Jan 26, 2021 09:12 PM
    I think I've accomplished this, I've just pinged an SE in Netherlands to see if he can chime in on this thread to help.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: clearpass and microsoft intune

    Posted Jan 27, 2021 12:34 PM
    Don't use authorization in the EAP method. Add your checks to the enforcement policy as part of your rules...

    ------------------------------
    Tim C
    ------------------------------



  • 8.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 01:34 AM
    Hi Tim.

    That's actually a good idea, then I just do one more validation under my enforcement policy that says something like, exists in domain x.

    I'll try that, it's actually faster for the ClearPass because it only needs to look in the domain where the certificate came from.

    Thx

    ------------------------------
    Morten Johannsen
    ------------------------------



  • 9.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 04:01 AM
    Hi Morten,

    The new V5 Intune Extension stores a lot of information in the endpoint database. You could make some additional checks/compares based on the provided certificate and the information in the endpoint database with a SQL statement like:

    SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}') AND attributes->>'Intune Azure AD Device Id' = LOWER('%{Authentication:Username}')

    That would at least allow you to enforce authorization. That being said, you could also make a role mapping:

    Regards,

    Mitchell


  • 10.  RE: clearpass and microsoft intune

    Posted Jan 29, 2021 09:36 AM
    You should always be using this method. Never use the default MAC address-based integration.

    ------------------------------
    Tim C
    ------------------------------



  • 11.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 10:25 AM
    What is the implication of MAC Randomization (every 24 hours on iOS) with Intune v5 since the query to Intune is based on MAC ?

    ------------------------------
    Christian Chautems
    ------------------------------



  • 12.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 10:30 AM
    MAC addresses do not change every 24 hours in iOS.

    ------------------------------
    Tim C
    ------------------------------



  • 13.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 10:58 AM
    I have found conflicting comments via Google on this 24 hours topic, but I have reports from customers about more problems with MAC caching on Guest Wifi since iOS 14 that seem related to MAC randomization.

    But anyway, even if the random MAC stays the same when connected to a specific SSID over time, what is the MAC registered to Intune, the physical one or the random MAC? What about when the user connects his iPhone to another SSID and the Intune info is updated?

    Thanks for help
    Regards

    ------------------------------
    Christian Chautems
    ------------------------------



  • 14.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 11:03 AM
    In general, MAC should never be used as a lookup value. You should use the device ID from the client certificate for any kind of lookup value.

    ------------------------------
    Tim C
    ------------------------------



  • 15.  RE: clearpass and microsoft intune

    Posted Apr 15, 2021 11:10 AM

    Then we must adjust the Filter Query of the Intune HTTP Auth source to what?

    I am referring to the latest ClearPass - Intune integration guide (03-2021) pg 27.

    Thanks & kind regards



    ------------------------------
    Christian Chautems
    ------------------------------



  • 16.  RE: clearpass and microsoft intune

    Posted Apr 16, 2021 05:14 AM
    Hello Tim,

    I understand your previous comment about not using MAC for lookup, but the ClearPass Intune Extension looks to be based on the CPPM Endpoint DB, which is indexed by MAC.

    Also I have searched more about the 24 hours MAC randomization on iOS, and it seems that it was only enabled on the beta version of iOS 14. At this moment you are correct, but it may be implemented by default in the future.

    I did the following tests:

    CPPM Setup

    - Intune Extension installed and active

    - RADIUS SSID 802.1x using PEAP
    Authentication Source = Local User DB
    Authorization Source = Local User DB + Intune HTTP (using Filter "%{Connection:Client-Mac-Address-Hyphen}")
    Role Mapping with (Authorization:Intune:Intune Device Registration State EQUALS registered)
    Enforcement following above Role Mapping that doesn't allow access if device not registered in Intune



    1st test using Laptop which doesn't support MAC Randomization (old Wifi NIC)

    1 - connect to Home Wifi (PSK)

    2 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
    Device is added to the Endpoint DB using its HW MAC Address & Intune attributes are updated OK

    3 - connect to RADIUS SSID and get network access since it was successfully registered to Intune

    2nd test using Laptop which is supporting MAC Randomization

    1 - connect to Home Wifi (PSK) and enable "Random Hardware Address" only on this SSID

    2 - Try to connect to RADIUS SSID but unsuccessful since the device is not registered to Intune (normal)

    3 - reconnect to Home Wifi (PSK)

    4 - register Laptop to Intune, wait until it is fully discovered and CPPM Intune Extension has synchronized the new device
    Device is added to the Endpoint DB using its Random MAC Address & Intune attributes are updated OK

    5 - connect to RADIUS SSID using its HW MAC Address and Laptop access is rejected
    The Endpoint DB now contains 2 entries for the same PC, 1 for the Random MAC (used when registering to Intune, with Intune attributes set OK)
    and 1 for the HW MAC when connecting to RADIUS SSID, without Intune attributes
    Intune Extension has queried Intune Cloud using HW MAC and got back MAC Address <HW MAC> does not have an "Intune ID"

    6 - reconnect to Home SSID (PSK) but using HW MAC this time and force Intune resync

    7 - reconnect to RADIUS SSID using its HW MAC Address and Laptop access is accepted this time since the Endpoint DB has been updated by Intune

    Attached is the Intune Extension log with comments.

    My customer scenario is to use Intune to allow Onboarding of only Corporate devices which are registered to Intune. Then at this step we don't have any Certificate to check with Intune when connecting to the Guest SSID (dual SSID Onboarding) or when using PEAP (single SSID Onboarding) at the start of the Onboarding procedure.

    I have also looked at the video series "ClearPass integration with Intune and Azure AD" but not found any relevant information.

    Please advise how to use Intune with MAC Randomization.

    Thanks & kind regards

    ------------------------------
    Christian Chautems
    ------------------------------

    Attachment(s): Intune-log-WKSCCS05-2.txt (8 KB)

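As an added example, not code from any post or from Aruba, that ties together Mitchell's SQL check (post 9), Tim's advice to key the lookup on the certificate's device id (post 14) and the random-MAC test in post 16: a Python/sqlite replay of both lookups over a constructed copy of the endpoint table. It assumes sqlite's json_extract stands in for PostgreSQL's ->> operator, and the MACs and device ids are invented sample values.

```python
import json
import sqlite3

# Constructed stand-in for the ClearPass endpoint table that the V5 Intune
# extension fills: column and attribute names follow the query in post 9, and
# sqlite's json_extract replaces PostgreSQL's attributes->>'key'. MACs and
# device ids are made-up sample values.
LAPTOP1_DEV = "11111111-aaaa-4bbb-8ccc-000000000001"
LAPTOP2_DEV = "22222222-aaaa-4bbb-8ccc-000000000002"
ENDPOINTS = [
    # Laptop 1 (post 16, test 1): enrolled on its hardware MAC.
    ("a4b1c2d3e4f5", {"Intune Azure AD Device Id": LAPTOP1_DEV,
                      "Intune Device Registration State": "registered"}),
    # Laptop 2 (post 16, test 2): enrolled on a random MAC, so the Intune
    # attributes land there ...
    ("6e0f1a2b3c4d", {"Intune Azure AD Device Id": LAPTOP2_DEV,
                      "Intune Device Registration State": "registered"}),
    # ... while the hardware MAC it uses on the RADIUS SSID has a bare record.
    ("b8c9d0e1f2a3", {}),
]
DEVICE_ID = "json_extract(attributes, '$.\"Intune Azure AD Device Id\"')"
REG_STATE = "json_extract(attributes, '$.\"Intune Device Registration State\"')"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tips_endpoints (mac_address TEXT PRIMARY KEY, attributes TEXT)")
    con.executemany("INSERT INTO tips_endpoints VALUES (?, ?)",
                    [(mac, json.dumps(attrs)) for mac, attrs in ENDPOINTS])
    return con


def authorize_by_mac_and_device_id(con, client_mac, cert_username):
    """Post 9's check: the connecting MAC must carry the Intune device id the
    certificate presents as username (both lower-cased, as in the query)."""
    row = con.execute(
        "SELECT mac_address FROM tips_endpoints WHERE mac_address = LOWER(?) "
        f"AND {DEVICE_ID} = LOWER(?)", (client_mac, cert_username)).fetchone()
    return row is not None


def authorize_by_device_id(con, cert_username):
    """Post 14's advice: key only on the device id from the client certificate
    and require a registered state, so whichever MAC the client uses is moot."""
    row = con.execute(
        f"SELECT mac_address FROM tips_endpoints WHERE {DEVICE_ID} = LOWER(?) "
        f"AND {REG_STATE} = 'registered'", (cert_username,)).fetchone()
    return row is not None
```

Laptop 2 presenting its hardware MAC fails the post 9 check exactly as in step 5 of the second test, while the device-id-only lookup still finds its registered record.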

  • 17.  RE: clearpass and microsoft intune

    Posted Apr 16, 2021 08:50 AM
    Onboard is not designed for use with managed devices. A network configuration and identity should be provisioned via Intune.

    ------------------------------
    Tim C
    ------------------------------



  • 18.  RE: clearpass and microsoft intune

    Posted 25 days ago
    @christian.chautems@swisscom.com Did you ever find a solution to your issue? I'm seeing the same issue now: Intune devices are being enrolled with the incorrect MAC address, and when CPPM references the Endpoint DB it looks up the wrong MAC address, which has no Intune attributes. And thus these devices will not connect.

    ------------------------------
    Stephen Edwards
    ------------------------------