Thanks, this is helpful.
I also reached out to our local Aruba channel engineers for assistance. We are currently using Intune extension v6.0.3, so it should already be doing matching based on the device ID.
With further testing, I believe Machine authentication is working as required (though I will need to check what attributes are being pulled). User authentication is where it falls down. I believe that for some users, it is working off the machine authentication cache, which appears to be cleared after 24 hours. The Machine cert has the device ID as the Subject Name and as the Alternative Subject Name; however, the device ID does not exist in the User cert. I believe this is the reason for the failure.
My first step will be to update the user cert to include the device ID, and see if I can have Intune re-issue the certificate to all users. Failing that, I may need to implement EAP-TEAP, so the machine cert is always presented along with the user certificate.
Original Message:
Sent: Feb 06, 2024 04:06 PM
From: mholden
Subject: ClearPass - EAP-TLS Issues with Intune
You will also find this issue with using docking stations, and newer Android devices.
Make sure your Intune Extension is up-to-date.
Check the ClearPass Intune Guide https://support.hpe.com/hpesc/public/docDisplay?docId=a00112290en_us (Appendix E) on how to configure the SCEP profile so that you can add the Intune Device ID.
To get the User Certificate to include the Device ID you can use the Subject Alt Name URI field to include {{DeviceId}}. You'll likely want to add this to the Device certificate too.
This will change the custom Auth Source Filter Query you have above from '%{Certificate:Subject-CN}' to '%{Certificate:Subject-AltName-URI}'
Once you have the Intune Device ID {{DeviceId}} in the certificate, you can use the HTTP method to do an API call to Intune, more overhead but closer to real time. See "HTTP Authorization Mode" page 27 of the Intune Integration Guide.
If you want to stay with the endpoint database addition to the filter queries you have listed, you may want to add "Intune Compliance State", "Intune Last Updated", and/or "Source" depending on what values you want to use back from the Intune information. Check your event viewer to make sure that your new Authentication Service has the correct Username / Password to access the ClearPass PostgreSQL DB when using this method.
Original Message:
Sent: Feb 04, 2024 09:24 PM
From: MatazaNz
Subject: ClearPass - EAP-TLS Issues with Intune
Hi all,
I have recently run into an issue with a customer's ClearPass environment.
In essence, their main services are as follows:
- [EAP-TLS] Intune Computer Machine Auth
- [EAP-TLS] Intune Computer User Auth
- [EAP-TLS] Other MDMs (JamfSchool, Jamf Pro, etc)
- [EAP-PEAP] AD Student User (For BYOD)
- [EAP-PEAP] AD Staff User (For BYOD)
This has worked fairly well until recently. We have discovered that some Intune devices are reporting the incorrect MAC address. They are reporting the virtual WiFi Direct interface, not the hardware MAC address, to Intune. This then means the Endpoint Repository does not have the correct information, and does not know the machine comes from Intune when selecting the service. The main lines that are affecting this in the Intune Device and User services are: Endpoint source equals Intune; Endpoint Intune Managed Device Ownership not equals personal.
The issue here is that neither of these pass if the MAC address listed in Intune is incorrect. The devices then fall down to either AD Staff or AD Student, depending on the username passed. This then denies access, as the WiFi profile pushed via Intune is EAP-TLS only. For context, the EAP-PEAP services are for BYOD access, and I have confirmed this is non-negotiable with this particular customer.
I did find a promising solution here:
Where you create a new filter on the Endpoint repository as follows:
SELECT attributes->>'Intune User Principal Name' AS "Intune User Principal Name",
       attributes->>'Intune Model' AS "Intune Model",
       attributes->>'Intune Jail Broken' AS "Intune Jail Broken",
       attributes->>'Intune Operating System' AS "Intune Operating System",
       attributes->>'Intune Managed Device Owner Type' AS "Intune Managed Device Owner Type",
       attributes->>'Intune Management Agent' AS "Intune Management Agent",
       attributes->>'Intune Azure AD Registered' AS "Intune Azure AD Registered"
FROM tips_endpoints
WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')
This searches the Endpoint repository for the device based on the Intune device ID presented in the certificate. I have two issues with this. The Intune device ID is presented only in the machine cert, not the user cert. And secondly, thus far, it does not appear to be working. How does this filter work when specifying the Endpoint source under the service rules? My understanding is that the certificate details are not looked at until after the service rules match, and the authentication begins. If I am mistaken about this, please let me know.
The first issue could possibly be negated by using TEAP, as the machine cert is presented at all times, with the user cert as the inner cert if present. However, I will need the Intune Device ID match to work before I can implement any additional solutions.
Any assistance with getting the Device ID lookup working, so I can remove reliance on the MAC address being correct, would be greatly appreciated.
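An added example, not code from this thread or from ClearPass: it models the two endpoint lookups discussed in mholden's reply and in the original post (the MAC-keyed service rule versus the Intune Device ID taken from the certificate's Subject CN or SAN URI) over a constructed tips_endpoints-style table, and shows why a user cert without the device ID cannot match. The MACs and GUID are constructed, and the SAN URI layout (bare GUID or a URI ending in the GUID) is an assumption.

```python
import re

# Constructed sample of ClearPass tips_endpoints rows, keyed by the MAC that
# Intune reported. The laptop's real Wi-Fi MAC is ...:01, but Intune recorded
# its virtual Wi-Fi Direct MAC (...:02), the mismatch the thread describes.
ENDPOINTS = {
    "aa:bb:cc:dd:ee:02": {
        "Source": "Intune",
        "Intune ID": "0f2b5b6e-7a3d-4c1e-9a4f-2b9d3e8c1a77",  # constructed GUID
        "Intune Managed Device Owner Type": "company",
    },
}

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def intune_id_from_cert(subject_cn, san_uris=()):
    """Return the Intune Device ID carried by a certificate, lower-cased the way
    the filter's LOWER() does, or None. Prefers the SAN URI (the field suggested
    for {{DeviceId}}) and falls back to the Subject CN. Assumption: the URI is
    either the bare GUID or a URI whose last segment is the GUID."""
    candidates = [re.split(r"[/:]", u.rstrip("/"))[-1] for u in san_uris]
    candidates.append(subject_cn)
    for value in candidates:
        value = value.lower()
        if GUID_RE.fullmatch(value):
            return value
    return None


def lookup_by_mac(mac):
    """Service-rule style lookup (Endpoint source equals Intune), keyed on the
    MAC seen in the RADIUS request. Fails when Intune recorded a different MAC."""
    return ENDPOINTS.get(mac.lower())


def lookup_by_intune_id(subject_cn, san_uris=()):
    """Filter-query style lookup: WHERE attributes->>'Intune ID' = LOWER(cert id).
    Independent of the MAC, but needs the device ID to be in the certificate."""
    device_id = intune_id_from_cert(subject_cn, san_uris)
    if device_id is None:
        return None
    return next((r for r in ENDPOINTS.values() if r.get("Intune ID") == device_id), None)


def is_intune_managed(row):
    """Mirrors the two service-rule conditions from the original post."""
    return (row is not None and row.get("Source") == "Intune"
            and row.get("Intune Managed Device Owner Type") != "personal")
```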