Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Intune device groups

  • 1.  ClearPass and Intune device groups

    Posted Feb 23, 2024 03:38 AM

    Hi,

    I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

    User and machine certificates are issued using SCEP and configuration profiles in Intune, but I have an issue with the first-time login user experience (especially on shared Windows devices).

    The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

    This works fine if the user already has a certificate on that device.

    Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

    To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

    We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

    Is anyone aware of a method to get device group information from Intune?



  • 2.  RE: ClearPass and Intune device groups

    Posted Feb 23, 2024 03:46 AM

    You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

    If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

    As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass and Intune device groups

    Posted Feb 23, 2024 05:56 AM

    Thanks Herman for the suggestion, will look further into TEAP.

    Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?




  • 4.  RE: ClearPass and Intune device groups

    Posted Feb 23, 2024 06:19 AM

    One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1X profile, TEAP is not an option in the list of authentication methods.

    I don't know if this is dependent on any license or agreement level of the tenant in Intune. I have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: ClearPass and Intune device groups

    Posted Feb 23, 2024 06:35 AM

    Hi Jonas,

    Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.




  • 6.  RE: ClearPass and Intune device groups

    Posted Feb 23, 2024 07:35 AM

    XML with the network profile is the way to go indeed for TEAP.



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: ClearPass and Intune device groups

    Posted Feb 29, 2024 11:00 PM

    Hi Herman,

    I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

    https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

    I kept EAP-TLS as an authentication method and it is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

    ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

    Enable identity privacy is not ticked in the TEAP properties.

    Any ideas why it would still be sending it?

    Regards

    Tobi




  • 8.  RE: ClearPass and Intune device groups

    Posted Mar 01, 2024 08:10 AM

    So further testing today:

    I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

    Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

    Looking at the logs on the rejected request in my environment I can see:

    2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_sql: searching for user anonymous in Local:localhost
    2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_sql: found user anonymous in Local:localhost
    2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - SQL User lookup time = 0 ms
    2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_eap_teap: Initiate

    then later in the log:

    2024-03-01 22:42:37,341 [Th 42 Req 59 SessId R00000007-01-65e1c635] ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<INTUNE DEVICE ID>' in inner, rejecting the request
    2024-03-01 22:42:37,341 [Th 42 Req 59 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_eap_teap: Sending next identity

    I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

    It was set up this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM), so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

    If I configure AD as the authentication source, I get timeouts and no successful connections:

    2024-03-01 23:34:56,291 [Th 43 Req 147 SessId R00000015-01-65e1d278] INFO RadiusServer.Radius - rlm_ldap: searching for user anonymous in AD:10.xx.xx.xx

    later in the log

    2024-03-01 23:34:56,877 [Th 42 Req 154 SessId R00000015-01-65e1d278] INFO RadiusServer.Radius - rlm_ldap: searching for user host/<INTUNE DEVICE ID> in AD:10.xx.xx.xx

    I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.
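The log excerpt above can be checked mechanically. The following Python is an added example (not ClearPass code and not from any poster): it groups ClearPass RADIUS log lines by SessId and reports every session that rlm_eap_teap rejected for an outer/inner identity mismatch, with the two identities extracted. The sample lines, session ids and device id are constructed placeholders modelled on the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ClearPass RADIUS log lines quoted in reply 8;
# the session ids and the device id are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_sql: found user anonymous in Local:localhost
2024-03-01 22:42:37,199 [Th 41 Req 52 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_eap_teap: Initiate
2024-03-01 22:42:37,341 [Th 42 Req 59 SessId R00000007-01-65e1c635] ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/EXAMPLE-DEVICE-ID' in inner, rejecting the request
2024-03-01 22:42:37,341 [Th 42 Req 59 SessId R00000007-01-65e1c635] INFO RadiusServer.Radius - rlm_eap_teap: Sending next identity
2024-03-01 22:50:01,002 [Th 44 Req 70 SessId R00000008-01-65e1c7f1] INFO RadiusServer.Radius - rlm_eap_teap: Initiate
"""

# One ClearPass log line: timestamp, [Th/Req/SessId] header, level, source, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
    r"(?P<level>[A-Z]+) (?P<src>\S+) - (?P<msg>.*)$"
)
# The rlm_eap_teap rejection message, capturing the outer and inner identities.
MISMATCH_RE = re.compile(
    r"rlm_eap_teap: Client sent a valid identity '(?P<outer>[^']*)' in outer request, "
    r"and is sending another identity '(?P<inner>[^']*)' in inner"
)

def parse_log(text):
    """Group parsed records by RADIUS session id (SessId), keeping line order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["sess"]].append(m.groupdict())
    return sessions

def find_teap_identity_mismatches(text):
    """One finding per TEAP session ClearPass rejected for an outer/inner identity mismatch."""
    findings = []
    for sess, recs in parse_log(text).items():
        initiated = any(r["msg"].endswith("rlm_eap_teap: Initiate") for r in recs)
        for r in recs:
            m = MISMATCH_RE.search(r["msg"])
            if m and r["level"] == "ERROR":
                findings.append({
                    "session": sess,
                    "outer": m["outer"],
                    "inner": m["inner"],
                    "teap_initiated": initiated,
                    # host/<id> is the machine identity, i.e. TEAP Method-1 (computer) was in progress
                    "inner_is_machine": m["inner"].startswith("host/"),
                })
    return findings
```

Run it over a ClearPass log export to confirm that every rejected TEAP session shows the same pattern (outer 'anonymous', inner 'host/...') before changing the service or profile.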




  • 9.  RE: ClearPass and Intune device groups

    Posted Mar 05, 2024 01:12 PM

    I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".




  • 10.  RE: ClearPass and Intune device groups

    Posted Mar 06, 2024 08:25 AM

    I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

    We have set our EAP-TLS anonymous outer identity to "@liberty.edu", which is about as anonymous as you can get and permits routing to the proper RADIUS realm.

    BTW, Intune SCEP can do both Device & User SCEP. We have it working in our lab environment with a third-party onboard provider.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: ClearPass and Intune device groups

    Posted Mar 11, 2024 04:28 AM

    Using something like teap@your.doma.in as outer identity may indeed be better, especially in eduroam or other multi-domain environments.

    By selecting the service based on the anonymous identity, you do use it for routing purposes. It routes the request to a certain service, and the authentication/authorization is done based on the certificate information. What the RFC wants to tell (in my reading/view) is that you should never authorize/trust based on the identity sent in an EAP-TLS authentication while authenticating based on the certificate sent, which is a good recommendation as the identity can be freely chosen by the client:

       Since the identity presented in the EAP-Response/Identity need not be
       related to the identity presented in the peer certificate, EAP-TLS
       implementations SHOULD NOT require that they be identical.  However,
       if they are not identical, the identity presented in the EAP-
       Response/Identity is unauthenticated information, and SHOULD NOT be
       used for access control or accounting purposes.

    As a follow-up on the original question, in my video I disabled Identity Privacy because at that point in time I couldn't make TEAP work with it enabled. Recent versions of Windows 10/11 require the anonymous identity to be enabled, and it also works now with it enabled, while I don't exactly know what has changed and why it didn't work in the past. But for TEAP, Identity Privacy / Anonymous Identity can/should be enabled in my view.



    ------------------------------
    Herman Robers
    ------------------------------



  • 12.  RE: ClearPass and Intune device groups

    Posted Mar 11, 2024 08:05 AM

    Since the EAP-TLS RFC recommends NOT using the Outer Identity for authentication, do you expect ClearPass to default to Certificate Subject-CN for EAP-TLS authentication? I know we can set that up manually but, IMO, default behaviour that is not recommended by the standard is not too good for security.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------



  • 13.  RE: ClearPass and Intune device groups

    Posted Mar 11, 2024 10:13 AM

    Not sure if I fully understand your concern, but the identity sent by the client is never used for authentication in ClearPass, as the certificate (or its keypair) is used for the authentication. It's just used in the example above to get the authentication request routed to the right service. The identity provided should be checked against the CN or one of the SAN values to make sure there is no spoofing of identity.

    Not sure why that would not be good for security, would like to better understand that.

    With TEAP there is an additional Anonymous Identity, which is just used for routing in ClearPass.

    You can store the User Principal Name in a SAN attribute, which then automatically sets the identity sent in the EAP-TLS authentication for Windows clients. This works perfectly for me with TEAP, where the Subject is set to the Intune DeviceID, but the client sends the UPN:



    ------------------------------
    Herman Robers
    ------------------------------
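The three decisions discussed in replies 2, 9/11 and 13 can be put side by side in code. This is an added Python model, not ClearPass code and not from any poster: the client-chosen outer identity only selects a service, a role is derived from the two TEAP method results (Method-1 computer, Method-2 user), and each inner identity is bound to the validated certificate's CN or a SAN value before it is trusted, as RFC 5216 advises. The `Cert` class, the "TEAP service"/"EAP-TLS service" names and the sample identities are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """What policy sees after chain validation; constructed, not parsed from DER."""
    subject_cn: str
    san: dict = field(default_factory=dict)  # e.g. {"upn": "alice@corp.example"}
    valid: bool = True                       # chain/revocation result, assumed computed upstream

SERVICE_BY_OUTER_USER = {"teap": "TEAP service"}  # custom outer identity as in reply 9

def select_service(outer_identity):
    """Routing only: the outer identity is client-chosen and must grant nothing by itself."""
    user, _, realm = outer_identity.partition("@")  # "teap@corp.example" -> ("teap", "corp.example")
    return SERVICE_BY_OUTER_USER.get(user, "EAP-TLS service"), realm

def identity_bound_to_cert(identity, cert):
    """RFC 5216: the EAP identity is unauthenticated unless it matches the certificate (CN or SAN)."""
    ident = identity.lower()
    if ident.startswith("host/"):            # machine identity form seen in the thread's logs
        ident = ident[len("host/"):]
    names = {cert.subject_cn.lower(), *(v.lower() for v in cert.san.values())}
    return ident in names

def method_result(identity, cert):
    """A TEAP inner method succeeds only if its certificate validated AND matches the identity."""
    return cert is not None and cert.valid and identity_bound_to_cert(identity, cert)

def teap_role(outer_identity, method1, method2):
    """method1 = (identity, cert) for the computer, method2 for the user; either may be None."""
    service, _ = select_service(outer_identity)
    if service != "TEAP service":
        return service, "REJECT"             # request did not land on the TEAP service
    m1 = method_result(*method1) if method1 else False
    m2 = method_result(*method2) if method2 else False
    if m1 and m2:
        return service, "user role"
    if m1:
        return service, "computer role"      # first login on a shared device: no user cert yet
    return service, "REJECT"
```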



  • 14.  RE: ClearPass and Intune device groups

    Posted Mar 11, 2024 10:29 AM

    Thanks, Herman.

    I guess that was more along the lines that. The default EAP-TLS sources require authorization and the authorization sources either default to the outer identity or, if using ClearPass Onboard, query Onboard for the username. In neither case is the certificate used without custom sources.

    I have it working using the certificate information but it took much customization is not possible using Azure on 6.11.

    Thanks again,

    Bruce






  • 15.  RE: ClearPass and Intune device groups

    Posted Mar 11, 2024 11:42 AM

    I agree that the default EAP-TLS settings are more for on-premises AD, and custom authentication sources and methods are needed for a proper Entra ID/Intune deployment. Personally I prefer not to use default methods/services/mapping, but customized copies from those, so you have full control and can think of each of the options. That will take some understanding, but reading what you have posted in the past that should not be an issue. Also insights may change and develop over time, like I suggested to disable anonymous identity in the past, but not today. Airheads is a great platform to share such insights, ideas and experience.



    ------------------------------
    Herman Robers
    ------------------------------