To add a bit of clarification to this: the Intune Extension is also just Authorization Attributes (like corporate/personal ownership, compliance state, OS, owner information); the authentication happens locally on the ClearPass server based on EAP-TLS/TEAP.
Q: So the Intune extension will not work, we will not be able to query the Intune attributes, correct? => Seems correct to me
Q: But can we still use Intune/Azure AD as authentication source for "live" authentication? => You can't use either as Authentication source, just as Authorization source (see above). As the Intune Extension requires Access Licenses, you can only use the Azure AD attributes as Ariyap mentioned with Entry licenses.
Entry licenses are 'ClearPass light' licenses where customers just need to do simple RADIUS authentication in bulk, like for higher education eduroam.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Sep 28, 2023 08:55 AM
From: ariyap
Subject: Clearpass Entry licenses and Azure AD/Intune
Entry licenses will support all forms of 802.1x, including EAP-TLS.
Azure AD can only be used as an Authorisation source to get additional user attributes like group membership, etc., if the username is included in the EAP-TLS certificate that is being used for auth.
------------------------------
Original Message:
Sent: Sep 28, 2023 02:54 AM
From: KrisVe
Subject: Clearpass Entry licenses and Azure AD/Intune
Hello,
We have a customer that has its laptops in Azure AD+Intune only (so not hybrid with on-prem AD). They roll out client certificates via SCEPman.
Now they are looking to authenticate their secure wifi via TLS or TEAP using ClearPass, but with Entry licenses only (since it is a huge price difference).
In the licensing overview for Entry licences it says:
"The Entry license does not include support for the authentication and endpoint profiling features supported by the Access license. Entry licenses also do not support non-Local host endpoint context servers or Policy Manager extensions."
So the Intune extension will not work, we will not be able to query the Intune attributes, correct?
But can we still use Intune/Azure AD as authentication source for "live" authentication?
Kind regards,
Kris