Security

  • 1.  ClearPass EAP-TEAP checks after EAP-TLS user and machine authentication works

    Posted Dec 12, 2023 05:05 AM
    Edited by erik.boss Dec 12, 2023 05:14 AM

    Hello folks.

    I have set up the customer's ClearPass with EAP-TLS for user and machine authentication on Intune- and on-prem-managed clients.

    Now I've set up a working EAP-TEAP configuration. Both TEAP methods with EAP-TLS succeed, but I got an alert from Intune: cannot find the user in Intune.

    So now I'm not sure if both methods are really checked: the DeviceID with certificates in Intune and the user in AD.

    I also tried to migrate both EAP-TLS services to one EAP-TEAP service, but this did not work.

    I saw in a Herman Robers video that he had added all the used sources, so I did the same, but received alerts in Access Tracker.

    I only receive the on-prem AD authorization attributes, no Intune attributes.

    Does someone have a solution for me?

    Thanks, 

    Best regards,

    Erik



  • 2.  RE: ClearPass EAP-TEAP checks after EAP-TLS user and machine authentication works

    Posted Dec 12, 2023 07:26 AM

    Without the full configuration and Access Tracker logs, it's hard to tell something useful. Did you check/find this presentation on Intune/Entra ID integration (presentation is halfway down the list)?

    The method is different if you use the real-time HTTP query or use the Endpoint Database for your Intune attribute lookups. Also, by default Intune issues certificates based on the Entra ID Device ID, not the Intune Device ID. Those are different IDs, and if you use the wrong (default) one, you will not get any correct lookup.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass EAP-TEAP checks after EAP-TLS user and machine authentication works

    Posted Dec 12, 2023 07:56 AM
    Edited by erik.boss Dec 12, 2023 08:11 AM

    Hi Herman,

    I found your presentation and from that point of view I could configure the EAP-TLS for user and machine authentication.

    I want to do a real-time HTTP query to check the Intune attributes.

    For the test I added only one Intune authorization attribute.

    In the logs I see:

    User-Name = host/1ca0607a-092a-409d-ad03-91b50f62efd2

    subject = /CN=1ca0607a-092a-409d-ad03-91b50f62efd2

    issuer = /<Customer CA>

    verify return:1

    So this works and is verified.

    Then it's trying to find my (test) user.

    Found in the on-prem AD.

    2023-12-12 13:36:10,377 [HttpModule-ThreadPool-29-0x7f05eb3f9700 r=R000a7cf3-05-657853b9 h=155] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404

    Intune cannot find my UPN, but it will not do a real-time lookup to check the Intune attribute.

    At the end, this RADIUS server error:

    2023-12-12 13:36:10,390 [Th 33 Req 5203381 SessId R000a7cf3-05-657853b9] ERROR RadiusServer.Radius - rlm_eap_teap: Received fatal error 2002

    and a deny access profile.

    @Herman I found on page 44 this:

    What must be the exact IntuneDeviceId value?

    Thanks,

    Erik




  • 4.  RE: ClearPass EAP-TEAP checks after EAP-TLS user and machine authentication works

    Posted Dec 12, 2023 08:38 AM

    If you look up the test device in Intune, does it indeed have the DeviceID 1ca0607a-092a-409d-ad03-91b50f62efd2? And do you see that in Access Tracker as well under the certificate parameters?

    It looks like you look up the wrong ID, or the device is not registered in Intune. A 404 error means 'not found'.

    On the screenshot, CN={{DeviceID}} in the SCEP request sets the CN to the Intune Device ID, and that is the correct setting.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: ClearPass EAP-TEAP checks after EAP-TLS user and machine authentication works

    Posted Dec 12, 2023 09:00 AM

    Yes, within EAP-TLS machine authentication the DeviceID was found.

    Ah, the Subject-CN is my UPN instead of the DeviceID... but I'm using the same Intune extension source that I used earlier in the EAP-TLS authentication service...

    I don't know why...
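As an added illustration of the diagnosis worked out in this thread (example code written for this page, not part of any post and not ClearPass's own tooling): the helper below parses the shape of log lines quoted above, records each TEAP inner method's User-Name and certificate subject CN, classifies the CN as a device GUID or a UPN, and maps an HTTP 404 from the Intune authorization source to the likely cause. The sample log is constructed; the UPN, the issuer name and the second inner method are made up for the example.

```python
"""Triage helper for the ClearPass EAP-TEAP / Intune lookup failure discussed above.

Added example, not ClearPass code. A 404 from the HTTP authorization source
means 'not found', so the useful question is which identity was looked up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the lines quoted in the thread. The UPN,
# issuer name and second inner method are made up for the example.
SAMPLE_LOG = """\
User-Name = host/1ca0607a-092a-409d-ad03-91b50f62efd2
subject = /CN=1ca0607a-092a-409d-ad03-91b50f62efd2
issuer = /CN=Example Customer Issuing CA
verify return:1
User-Name = erik.test@example.com
subject = /CN=erik.test@example.com
issuer = /CN=Example Customer Issuing CA
verify return:1
2023-12-12 13:36:10,377 [HttpModule-ThreadPool-29-0x7f05eb3f9700 r=R000a7cf3-05-657853b9 h=155] ERROR Http.HttpAutzSession - HTTP attribute query returned error=404
2023-12-12 13:36:10,390 [Th 33 Req 5203381 SessId R000a7cf3-05-657853b9] ERROR RadiusServer.Radius - rlm_eap_teap: Received fatal error 2002
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
UPN_RE = re.compile(r"^[^@\s/]+@[^@\s]+\.[^@\s]+$")
CN_RE = re.compile(r"/CN=([^/]+)")
HTTP_ERR_RE = re.compile(r"HTTP attribute query returned error=(\d{3})")
FATAL_RE = re.compile(r"rlm_eap_teap: Received fatal error (\d+)")


@dataclass
class InnerMethod:
    """One TEAP inner EAP-TLS method as seen in the log."""
    user_name: str
    subject_cn: str = ""
    issuer: str = ""
    verify_ok: bool = False


@dataclass
class TeapTrace:
    methods: list = field(default_factory=list)
    http_errors: list = field(default_factory=list)
    fatal_errors: list = field(default_factory=list)


def classify_identity(value: str) -> str:
    """'device-guid' for an Intune/Entra device ID, 'upn' for user@domain, else 'other'."""
    if GUID_RE.match(value):
        return "device-guid"
    if UPN_RE.match(value):
        return "upn"
    return "other"


def parse_trace(log: str) -> TeapTrace:
    """Group User-Name / subject / issuer / verify lines per inner method and
    collect HTTP authorization errors and TEAP fatal errors."""
    trace = TeapTrace()
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("User-Name ="):
            current = InnerMethod(user_name=line.split("=", 1)[1].strip())
            trace.methods.append(current)
        elif line.startswith("subject =") and current is not None:
            m = CN_RE.search(line)
            current.subject_cn = m.group(1).strip() if m else ""
        elif line.startswith("issuer =") and current is not None:
            current.issuer = line.split("=", 1)[1].strip()
        elif line.startswith("verify return:") and current is not None:
            current.verify_ok = line.endswith(":1")
        elif (m := HTTP_ERR_RE.search(line)):
            trace.http_errors.append(int(m.group(1)))
        elif (m := FATAL_RE.search(line)):
            trace.fatal_errors.append(int(m.group(1)))
    return trace


def diagnose(trace: TeapTrace) -> list:
    """Return finding codes for the trace, most specific cause first."""
    findings = []
    for m in trace.methods:
        if not m.verify_ok:
            findings.append(f"CERT_VERIFY_FAILED:{m.subject_cn or m.user_name}")
    if 404 in trace.http_errors:
        non_device = [m for m in trace.methods
                      if classify_identity(m.subject_cn) != "device-guid"]
        if non_device:
            # A UPN (or other non-GUID CN) cannot be resolved by an Intune device query.
            findings.append(f"LOOKUP_KEY_NOT_DEVICE_ID:{non_device[0].subject_cn}")
        else:
            # CN is a GUID but Intune still answers 404: wrong ID (Entra ID Device ID
            # vs Intune Device ID) or the device is not enrolled in Intune.
            findings.append("DEVICE_ID_NOT_FOUND_IN_INTUNE")
    for code in trace.fatal_errors:
        findings.append(f"TEAP_FATAL:{code}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample it reports that the second inner method's CN is a UPN rather than a device ID, which matches the conclusion in the last reply; with only GUID-keyed methods and a 404 it instead points at the Entra ID versus Intune Device ID mismatch Herman describes.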