Security

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

XML with the network profile is the way to go indeed for TEAP.

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

XML with the network profile is the way to go indeed for TEAP.

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

XML with the network profile is the way to go indeed for TEAP.

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

We have set our EAP-TLS anonymous outer identity to "@liberty.edu" which is about as anonymous as you can get and permits routing to thr proper RADIUS realm.

BTW, Intune SCEp can do both Device & User SCEP. We have it working in out Lab environment with a third party onboard provider.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Mar 04, 2024 11:27 AM
From: jfasselin
Subject: ClearPass and Intune device groups

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Using something like teap@your.doma.in as outer identity may indeed be better, especially in eduroam or other multi-domain environments.

By selecting the service based on the anonymous identity, you do use it for routing purposes. It routes the request to a certain service, and the authentication/authorization is done based on the certificate information. What the RFC wants to tell (in my reading/view) is that you should never authorize/trust based on the identity sent in an EAP-TLS authentication while authenticating based on the certificate sent, which is a good recommendation as the identity can be freely chosen by the client:

   Since the identity presented in the EAP-Response/Identity need not be   related to the identity presented in the peer certificate, EAP-TLS   implementations SHOULD NOT require that they be identical.  However,   if they are not identical, the identity presented in the EAP-   Response/Identity is unauthenticated information, and SHOULD NOT be   used for access control or accounting purposes.

As a followup on the original question, in my video I disabled Identity Privacy because at that point in time I couldn't make TEAP work with it enabled. Recent versions of Windows 10/11 require the anonymous identity to be enabled, and it also works now with it enabled, while I don't exactly know what has changed and why it didn't work in the past. But for TEAP Identity Privacy / Anonymous Identity can/should be enabled in my view.

I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

We have set our EAP-TLS anonymous outer identity to "@liberty.edu" which is about as anonymous as you can get and permits routing to thr proper RADIUS realm.

BTW, Intune SCEp can do both Device & User SCEP. We have it working in out Lab environment with a third party onboard provider.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Mar 04, 2024 11:27 AM
From: jfasselin
Subject: ClearPass and Intune device groups

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Since the EAP-TLS RFS recommends NOt using theOuter Identity for authentication, do you expect ClearPass to default to Certificate Subject-CN for EAP-TLS authentication? I know we can set that up manually but, IMO, default behaviour that is not recommended by the standard is not too good for security.

Using something like teap@your.doma.in as outer identity may indeed be better, especially in eduroam or other multi-domain environments.

By selecting the service based on the anonymous identity, you do use it for routing purposes. It routes the request to a certain service, and the authentication/authorization is done based on the certificate information. What the RFC wants to tell (in my reading/view) is that you should never authorize/trust based on the identity sent in an EAP-TLS authentication while authenticating based on the certificate sent, which is a good recommendation as the identity can be freely chosen by the client:

   Since the identity presented in the EAP-Response/Identity need not be   related to the identity presented in the peer certificate, EAP-TLS   implementations SHOULD NOT require that they be identical.  However,   if they are not identical, the identity presented in the EAP-   Response/Identity is unauthenticated information, and SHOULD NOT be   used for access control or accounting purposes.

As a followup on the original question, in my video I disabled Identity Privacy because at that point in time I couldn't make TEAP work with it enabled. Recent versions of Windows 10/11 require the anonymous identity to be enabled, and it also works now with it enabled, while I don't exactly know what has changed and why it didn't work in the past. But for TEAP Identity Privacy / Anonymous Identity can/should be enabled in my view.

I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

We have set our EAP-TLS anonymous outer identity to "@liberty.edu" which is about as anonymous as you can get and permits routing to thr proper RADIUS realm.

BTW, Intune SCEp can do both Device & User SCEP. We have it working in out Lab environment with a third party onboard provider.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Mar 04, 2024 11:27 AM
From: jfasselin
Subject: ClearPass and Intune device groups

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Not sure if I fully understand your concert, but the identity sent by the client is never used for authentication in ClearPass as the certificate (or it's keypair) is used for the authentication. It's just used in the example above to get the authentication request routed to the right service. The identity provided should be checked against the CN or one of the SAN values to make sure there is no spoofing of identity.

Not sure why that would not be good for security, would like to better understand that.

With TEAP there is an additional Anonymous Identity, which is just used for routing in ClearPass.

You can store the User Principle Name in a SAN attribute, which then automatically sets the identity sent in the EAP-TLS authentication for Windows clients. This works perfect for me with TEAP, where the Subject is set to the Intune DeviceID, but the client sends the UPN:

Since the EAP-TLS RFS recommends NOt using theOuter Identity for authentication, do you expect ClearPass to default to Certificate Subject-CN for EAP-TLS authentication? I know we can set that up manually but, IMO, default behaviour that is not recommended by the standard is not too good for security.

Using something like teap@your.doma.in as outer identity may indeed be better, especially in eduroam or other multi-domain environments.

By selecting the service based on the anonymous identity, you do use it for routing purposes. It routes the request to a certain service, and the authentication/authorization is done based on the certificate information. What the RFC wants to tell (in my reading/view) is that you should never authorize/trust based on the identity sent in an EAP-TLS authentication while authenticating based on the certificate sent, which is a good recommendation as the identity can be freely chosen by the client:

   Since the identity presented in the EAP-Response/Identity need not be   related to the identity presented in the peer certificate, EAP-TLS   implementations SHOULD NOT require that they be identical.  However,   if they are not identical, the identity presented in the EAP-   Response/Identity is unauthenticated information, and SHOULD NOT be   used for access control or accounting purposes.

As a followup on the original question, in my video I disabled Identity Privacy because at that point in time I couldn't make TEAP work with it enabled. Recent versions of Windows 10/11 require the anonymous identity to be enabled, and it also works now with it enabled, while I don't exactly know what has changed and why it didn't work in the past. But for TEAP Identity Privacy / Anonymous Identity can/should be enabled in my view.

I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

We have set our EAP-TLS anonymous outer identity to "@liberty.edu" which is about as anonymous as you can get and permits routing to thr proper RADIUS realm.

BTW, Intune SCEp can do both Device & User SCEP. We have it working in out Lab environment with a third party onboard provider.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Mar 04, 2024 11:27 AM
From: jfasselin
Subject: ClearPass and Intune device groups

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?

Not sure if I fully understand your concert, but the identity sent by the client is never used for authentication in ClearPass as the certificate (or it's keypair) is used for the authentication. It's just used in the example above to get the authentication request routed to the right service. The identity provided should be checked against the CN or one of the SAN values to make sure there is no spoofing of identity.

Not sure why that would not be good for security, would like to better understand that.

With TEAP there is an additional Anonymous Identity, which is just used for routing in ClearPass.

You can store the User Principle Name in a SAN attribute, which then automatically sets the identity sent in the EAP-TLS authentication for Windows clients. This works perfect for me with TEAP, where the Subject is set to the Intune DeviceID, but the client sends the UPN:

Since the EAP-TLS RFS recommends NOt using theOuter Identity for authentication, do you expect ClearPass to default to Certificate Subject-CN for EAP-TLS authentication? I know we can set that up manually but, IMO, default behaviour that is not recommended by the standard is not too good for security.

Using something like teap@your.doma.in as outer identity may indeed be better, especially in eduroam or other multi-domain environments.

By selecting the service based on the anonymous identity, you do use it for routing purposes. It routes the request to a certain service, and the authentication/authorization is done based on the certificate information. What the RFC wants to tell (in my reading/view) is that you should never authorize/trust based on the identity sent in an EAP-TLS authentication while authenticating based on the certificate sent, which is a good recommendation as the identity can be freely chosen by the client:

   Since the identity presented in the EAP-Response/Identity need not be   related to the identity presented in the peer certificate, EAP-TLS   implementations SHOULD NOT require that they be identical.  However,   if they are not identical, the identity presented in the EAP-   Response/Identity is unauthenticated information, and SHOULD NOT be   used for access control or accounting purposes.

As a followup on the original question, in my video I disabled Identity Privacy because at that point in time I couldn't make TEAP work with it enabled. Recent versions of Windows 10/11 require the anonymous identity to be enabled, and it also works now with it enabled, while I don't exactly know what has changed and why it didn't work in the past. But for TEAP Identity Privacy / Anonymous Identity can/should be enabled in my view.

I do not recommend that choice for a custom outer identity. According to the EAP-TLS RFC the outer identity is used for routing to the proper RADIUS realm (domain). We use eduroam Wi-Fi and they are based on that.

We have set our EAP-TLS anonymous outer identity to "@liberty.edu" which is about as anonymous as you can get and permits routing to thr proper RADIUS realm.

BTW, Intune SCEp can do both Device & User SCEP. We have it working in out Lab environment with a third party onboard provider.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Mar 04, 2024 11:27 AM
From: jfasselin
Subject: ClearPass and Intune device groups

I was just tackling this in my lab this morning. Create two different services (one TEAP and one TLS), use a custom outer identity (I used "teap") then add a condition on your TEAP service with "Radius:IETF User-Name EQUALS teap".

Original Message:
Sent: Mar 01, 2024 08:09 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

So further testing today:

I found another article having issues with TEAP when the [Endpoints Repository] is configured as an authentication source.

Using EAP-TEAP and EAP-TLS on the same service | Security (arubanetworks.com) 

Looking at the logs on the rejected request in my environment I can see:

then later in the log:

I have the default [Endpoints Repository] as the Authentication Source, with Active Directory as an additional authorization source for role mappings when user authentication is used.

It was setup this way as our devices are NOT ACTIVE DIRECTORY DOMAIN JOINED (all are Intune or JAMF MDM) so as I understand it TEAP outer (machine) would always fail if we tried to use AD as the authentication source.

If configure AD as the authentication source, I get timeouts and no successful connections:

later in the log

I don't understand why anonymous is initially sent from the Windows device when the enable identity privacy is not ticked.

Original Message:
Sent: Feb 29, 2024 10:59 PM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Herman,

I've followed your series on Aruba ClearPass Workshop (Video Series 2021) | Security (arubanetworks.com) and configured TEAP using certificates for both outer and inner methods.

https://youtu.be/nTHQsBgRjb4?si=M8UT7BesEADd0Anv

I kept EAP-TLS as an authentication method and is still working, but whenever I change to TEAP I get the following on a Windows 10 (21H2) device:

ERROR RadiusServer.Radius - rlm_eap_teap: Client sent a valid identity 'anonymous' in outer request, and is sending another identity 'host/<VALUE>' in inner, rejecting the request.

Enable identity privacy is not ticked in the TEAP properties.

Any ideas why it would still be sending it?

Regards

Tobi

Original Message:
Sent: Feb 23, 2024 07:34 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

XML with the network profile is the way to go indeed for TEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 06:35 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi Jonas,

Was just finding the same issue - no option in the GUI for TEAP. Will have a look to see if I can import an XML with the required settings.

Original Message:
Sent: Feb 23, 2024 06:18 AM
From: jonas.hammarback
Subject: ClearPass and Intune device groups

One issue with TEAP and Intune is that the TEAP configuration is only possible to do for wired authentication in the Intune admin GUI. When creating a wireless 802.1x profile TEAP is not and option in the list of authentication methods.

I don't know if this is dependent on any license or agreement level of the tennant in Intune. Have read some information that you can export an XML file with a TEAP profile from a computer where it has been created manually and import it in Intune. But I have never tried that.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Feb 23, 2024 05:56 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Thanks Herman for the suggestion, will look further into TEAP.

Given we have users and devices currently connecting with EAP-TLS configuration profile, can you have both authentication methods in the same service?

Original Message:
Sent: Feb 23, 2024 03:46 AM
From: Herman Robers
Subject: ClearPass and Intune device groups

You can have a look at TEAP, which allows both computer and user authentication in a combined authentication transaction. One thing this solves is the situation that you describe where a computer certificate is present, but no user certificate. You can create a policy like: TEAP-Method-1 (which is computer) Success and TEAP-Method-2 (user) Failed -> computer role; if both methods succeed -> user role.

If you search on Airheads, there is quite some information on TEAP already. Also I created a video, which is somewhat outdated and for on premises, but the idea for Intune/Entra ID connected devices is similar.

As far as I know, Device Group information is not available, but has been discussed in the past. You could reach out to your Aruba partner or local Aruba SE to get the status on that, or if you are a partner have a look at Aruba Innovation Zone and see if there is an entry there already and vote, or create a new entry.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 23, 2024 02:48 AM
From: tobi.coonan
Subject: ClearPass and Intune device groups

Hi,

I've got a ClearPass 6.11.2 deployment using EAP-TLS for user and/or machine wireless authentication and authorisation.

User and machine certificates are issued using SCEP and configuration profiles in Intune, but have an issue with first time login user experience (especially on shared windows devices).

The default Intune device configuration is to use machine certificate prior to login (so device has network access) then once a user is logged in, it connects using the user certificate.

This works fine if the user already has a certificate on that device.

Issue is for first time users on that device, the device has network access so a new user can log into the device using their Azure AD credentials, however after login they drop off the network as there's no user certificate. We then need to connect to another network and sync with Azure AD to get user policy pushed to the device, including the user certificate.

To resolve this poor user experience on shared devices, we thought of deploying an Intune network policy that connects as machine only, but would like to make policy decisions based on device group information.

We are using the Intune v6 extension to get device attributes, but it doesn't include the groups the device is a member of.

Is anyone aware of a method to get device group information from Intune?