Hi, I'm new to ClearPass and trying to set up EAP-TEAP for our Intune-managed devices with SCEPman Cloud PKI. All goes well except for some minor issues I can't clarify using the provided documentation. So, what is working so far:
- Intune provisions machine and user certs with URI attributes: AAD_Device_Id and DeviceId for machine; AAD_Device_Id, DeviceId and UPN for user.
- Intune extension v6 resolves these attributes and queries the Intune API endpoints.
- Disabled 'authorization required' for the inner EAP-TLS method.
- On boot, Method 1 is present in Access Tracker; on user login, Methods 1 and 2 are present and successful.
- Through the authorization live query, the device groups and user groups get resolved.
So, for the questions:
- What is the functional difference between the Entra ID HTTP lookup for user group membership and using the Intune extension endpoint realtimeUserGroup as I am currently doing?
- If Windows boots to the logon screen, EAP-TEAP Method 1 machine authentication is performed, but Method 2 is empty. In this situation the machine certificate has no UPN (only DeviceId), but the Intune user authorization 'realtimeUserGroup' is still requested, with a time-out resulting in some errors:

The Intune extension debug logs show - as expected - only the DeviceId and AAD_Device_Id being parsed; UPN is <null>, so I would expect the internal logic to skip user-related HTTP requests:
Additional configuration screenshots:
Intune device source:

Intune user source:

Access tracker:

Service:

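To illustrate the behaviour the post expects (user-group lookups skipped when the certificate carries no UPN), here is an added Python example that is not part of the original post and not ClearPass's or the Intune extension's own code. It builds a constructed self-signed certificate with URI SANs, parses the attributes back out, and decides which authorization lookups apply. The `urn:example:intune:` URI prefix and the `DeviceId`/`AAD_Device_Id`/`UPN` key names are assumptions for this demo; the real SAN encoding used by SCEPman and Intune is not shown in the post.

```python
"""Added example: parse URI SANs from an X.509 cert and plan authorization lookups.

Not from the original post or from ClearPass/Intune/SCEPman. Requires the
'cryptography' package. The URI layout below is a constructed, hypothetical
encoding used only to make the example self-contained.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical prefix; the real SCEPman/Intune SAN format is not given in the post.
URI_PREFIX = "urn:example:intune:"


def make_test_cert(attrs: dict) -> x509.Certificate:
    """Build a constructed self-signed cert carrying attrs as URI SANs (test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test-device")])
    sans = [x509.UniformResourceIdentifier(f"{URI_PREFIX}{k}:{v}")
            for k, v in attrs.items()]
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return builder.sign(key, hashes.SHA256())


def parse_uri_attributes(cert: x509.Certificate) -> dict:
    """Return {key: value} for every URI SAN that matches the assumed prefix."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return {}
    attrs = {}
    for uri in san.get_values_for_type(x509.UniformResourceIdentifier):
        if not uri.startswith(URI_PREFIX):
            continue  # ignore unrelated URIs rather than guessing at them
        key, _, value = uri[len(URI_PREFIX):].partition(":")
        if key and value:
            attrs[key] = value
    return attrs


def plan_lookups(attrs: dict) -> list:
    """Decide which group lookups make sense for the attributes actually present.

    A device lookup needs a DeviceId; a user lookup needs a UPN. A machine cert
    with no UPN therefore yields only the device lookup, which is the skip the
    post expects instead of a timing-out user query.
    """
    lookups = []
    if attrs.get("DeviceId"):
        lookups.append("device")
    if attrs.get("UPN"):
        lookups.append("user")
    return lookups


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    machine = make_test_cert({"AAD_Device_Id": "aad-0001", "DeviceId": "dev-0001"})
    user = make_test_cert({"AAD_Device_Id": "aad-0001", "DeviceId": "dev-0001",
                           "UPN": "alice@example.com"})
    print("machine cert ->", plan_lookups(parse_uri_attributes(machine)))
    print("user cert    ->", plan_lookups(parse_uri_attributes(user)))
```

Run as a script to see the two cases side by side; the machine certificate (boot-time, Method 1 only) plans just the device lookup, while the user certificate plans both.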