The solution involves just RADIUS server processing, regardless of the client OS.
Original Message:
Sent: May 10, 2024 12:56 PM
From: ecasillas
Subject: 802.1x Authentication with intune
Was this the solution for macOS/iOS devices as well? Was there any ClearPass and Intune integration required?
Original Message:
Sent: Mar 01, 2023 09:27 AM
From: JD9
Subject: 802.1x Authentication with intune
This is great, thank you so much, it's the tick box in the authentication method that I was completely missing. I will have a proper look at what you've sent now, as I think it could be what I'm looking for. Thanks again.
Original Message:
Sent: Feb 28, 2023 07:57 AM
From: bosborne
Subject: 802.1x Authentication with intune
Here is what I am crafting in our Lab as a solution for TLS with eduroam. It has not yet been deployed into production. We are currently using Active Directory for Authorization.
I made an Authentication Method for TLS Certificate Only. Notice the "Authorization Required" box is NOT checked.
I had to make a custom Active Directory Authentication Source for Authorization using the Certificate Subject & User Principal Name instead of the outer identity & sAMAccountName.
You must have any CAs involved in issuing the certificates in the Trust List trusted for EAP.
In the service,
- I set the condition RADIUS:IETF User-Name ENDS_WITH @[domain name]
- checked the Authorization box.
- Under Authentication, I just select the TLS Authentication method I created.
- Under Authorization, I select the AD Authentication Source I created
For Role Mapping, you can have rules like this:
I also have rules such as Authorization:[your source]:Groups EQUALS Staff mapping to Staff CPPM Role
In Enforcement, I have made a Reject Profile that sets the RADIUS:IETF User-Name to the Certificate Identity to aid in Access Tracker identification.
We also add that Attribute to our other Enforcement Profiles so clients can be identified.
I think I have mentioned everything here.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
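The decision flow described in the message above, as an added Python example (not part of the original post and not ClearPass code): the service is matched on the client-supplied outer identity, but authorization and logging key on the certificate identity. The domain `example.edu`, the in-memory directory, the role map and the LDAP filter shape are constructed assumptions for illustration.

```python
import re

# Constructed sample data (assumptions, not taken from the thread).
DOMAIN = "example.edu"                       # placeholder for "[domain name]"
DIRECTORY = {                                # stands in for Active Directory
    "alice@example.edu": ["Staff"],
    "bob@example.edu": ["Students"],
}
ROLE_MAP = {"Staff": "Staff CPPM Role"}      # Groups EQUALS Staff -> role

def ldap_escape(value):
    """Escape RFC 4515 special characters before a value enters a filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def upn_filter(cert_upn):
    """Illustrative lookup keyed on the certificate UPN, not sAMAccountName."""
    return "(&(userPrincipalName=%s)(objectClass=user))" % ldap_escape(cert_upn)

def evaluate(outer_identity, cert_upn, cert_chain_trusted):
    """Return (result, role, user_name_for_logging) for one EAP-TLS request."""
    # Service condition: RADIUS:IETF User-Name ENDS_WITH @[domain name].
    if not outer_identity.lower().endswith("@" + DOMAIN):
        return ("no-service-match", None, outer_identity)
    # Authentication: certificate only; issuing CAs must be trusted for EAP.
    if not cert_chain_trusted:
        return ("reject", None, outer_identity)
    # Authorization: look up the certificate identity, never the outer identity.
    groups = DIRECTORY.get(cert_upn.lower())
    if groups is None:
        # The reject path still reports the certificate identity for tracking.
        return ("reject", None, cert_upn)
    role = next((ROLE_MAP[g] for g in groups if g in ROLE_MAP), None)
    return ("accept", role, cert_upn)
```

A request whose outer identity names one user while the certificate names another is judged, and logged, by the certificate identity alone.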
Original Message:
Sent: Feb 28, 2023 04:36 AM
From: JD9
Subject: 802.1x Authentication with intune
How would I create a TLS authentication with no user authentication? However I try and do it, it always requests that I select a source. I've also tried setting an enforcement policy to set the username, but the connection still uses the hostname as the outer identity and then changes it to the name in the policy.
Original Message:
Sent: Feb 27, 2023 11:21 AM
From: bosborne
Subject: 802.1x Authentication with intune
The default EAP-TLS authentication method requires user authentication too. You can create a TLS authentication method with that unchecked. The RADIUS:IETF Username will be the Outer Identity unless you set an enforcement policy to change it.
------------------------------
Bruce Osborne ACCP ACMP
Original Message:
Sent: Feb 27, 2023 10:26 AM
From: JD9
Subject: 802.1x Authentication with intune
I'm not sure if I'm doing something wrong. I'm creating an EAP-TLS connection, with simple certificate selection, and I still get the above issue. I have tried recreating the service from template, but this doesn't resolve it.
Original Message:
Sent: Feb 17, 2023 09:59 AM
From: Herman Robers
Subject: 802.1x Authentication with intune
You can add Endpoint Repository/Admin User/Local Users as authentication source to save the service. If you have authorization disabled, it doesn't really matter what you put in there, as long as it's accepted. Without Authorization in your EAP-TLS method, the authentication source is not really used.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 17, 2023 09:31 AM
From: JD9
Subject: 802.1x Authentication with intune
Thanks for your reply. I have tried removing the authentication source but I just get the following message. I have tried it with authorization enabled and disabled. I have also tried setting Intune HTTP as an authentication source, but it is only supported as an authorization source, so I still need to select something for authentication.
Original Message:
Sent: Feb 17, 2023 09:24 AM
From: Herman Robers
Subject: 802.1x Authentication with intune
If you only have EAP-TLS and disabled Authorization in there, I think you can leave the authentication source empty.
But another option is to put in the endpoint database, or admin user repository, which isn't an issue for EAP-TLS as these users will not be able to authenticate with a certificate.
Using the Intune HTTP Authentication source may indeed get around the synchronization issue as it is a real-time lookup. I have not seen an option to filter the Intune Devices to be synchronized, and you could request that through your Partner or local Aruba SE who have access to Aruba Innovation Zone.
------------------------------
Herman Robers
Original Message:
Sent: Feb 17, 2023 04:59 AM
From: JD9
Subject: 802.1x Authentication with intune
Hi
I'm trying to set up device authentication on a new Azure domain with devices enrolled in Intune. I have successfully set up the app to bring the devices into the Endpoint database; however, the issue I have is that our Intune is shared with other people and we aren't allowed to have all devices being sync'd. Is there a way to only bring down some devices from Intune?
I've also tried setting up Intune as an authorization source over HTTP, but it won't let me leave the authentication source empty. I've read I should be able to leave it empty. Is this possible?
Thanks