Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Entry licenses and Azure AD/Intune

  • 1.  Clearpass Entry licenses and Azure AD/Intune

    Posted Sep 28, 2023 02:55 AM

    Hello,

    We have a customer that has its laptops in Azure AD+Intune only (so not hybrid with on-prem AD). They roll out client certificates via SCEPman.

    Now they are looking to authenticate their secure wifi via TLS or TEAP using ClearPass, but with Entry licenses only (since it is a huge price difference).

    In the licensing overview for Entry licences it says:

    The Entry license does not include support for the TACACS+ authentication and endpoint profiling features supported by the Access license. Entry licenses also do not support non-Local host endpoint context servers or Policy Manager extensions.

    So the Intune extension will not work, we will not be able to query the Intune attributes, correct?

    But can we still use Intune/Azure AD as authentication source for "live" authentication?

    Kind regards,

    Kris



  • 2.  RE: Clearpass Entry licenses and Azure AD/Intune

    EMPLOYEE
    Posted Sep 28, 2023 08:56 AM

    Entry licenses will support all forms of 802.1X, including EAP-TLS.

    Azure AD can only be used as an Authorisation source to get additional user attributes like group membership, etc., if the username is included in the EAP-TLS certificate that is being used for auth.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Clearpass Entry licenses and Azure AD/Intune
    Best Answer

    Posted Oct 06, 2023 04:00 AM

    To add a bit of clarification to this: the Intune Extension is also just Authorization Attributes (like corporate/personal ownership, compliance state, OS, owner information); the authentication happens locally on the ClearPass server based on EAP-TLS/TEAP.

    Q: So the Intune extension will not work, we will not be able to query the Intune attributes, correct? => Seems correct to me

    Q: But can we still use Intune/Azure AD as authentication source for "live" authentication? => You can't use either as Authentication source, just as Authorization source (see above). As the Intune Extension requires Access Licenses, you can only use the Azure AD attributes as Ariyap mentioned with Entry licenses.

    Entry licenses are 'ClearPass light' licenses where customers just need to do simple RADIUS authentication in bulk, like for higher education eduroam.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass Entry licenses and Azure AD/Intune

    Posted Oct 06, 2023 04:48 AM

    Hello,

    Thank you both for your input. We will continue with this; the lack of Intune attributes is a nuisance, but we'll try to work around that with the Azure AD attributes.

    Kris