We have a customer that has its laptops in Azure AD+Intune only (so not hybrid with on-prem AD). They roll out client certificates via SCEPman.
Now they are looking to authenticate their secure wifi via TLS or TEAP using ClearPass, but with Entry licenses only (since it is a huge price difference).
In the licensing overview for Entry licences it says:
The Entry license does not include support for the TACACS+ authentication and endpoint profiling features supported by the Access license. Entry licenses also do not support non-Local host endpoint context servers or Policy Manager extensions.
So the Intune extension will not work, we will not be able to query the Intune attributes, correct?
But can we still use Intune/Azure AD as authentication source for "live" authentication?
Entry licenses will support all forms of 802.1x including EAP-TLS.
Azure AD can only be used as an Authorisation source to get additional user attributes like group membership, etc., if the username is included in the EAP-TLS certificate that is being used for auth.
To add a bit of clarification to this, also the Intune Extension is just Authorization Attributes (like corporate/personal ownership, compliance state, OS, owner information), the authentication happens locally on the ClearPass server based on EAP-TLS/TEAP.
Q: So the Intune extension will not work, we will not be able to query the Intune attributes, correct? => Seems correct to me
Q: But can we still use Intune/Azure AD as authentication source for "live" authentication? => You can't use either as Authentication source, just as Authorization source (see above). As the Intune Extension requires Access Licenses, you can only use the Azure AD attributes as Ariyap mentioned with Entry licenses.
Entry licenses are 'ClearPass light' licenses where customers just need to do simple RADIUS authentication at bulk, like for higher education eduroam.
Thank you both for your input. We will continue with this; the lack of Intune attributes is a nuisance but we'll try to work around that with the Azure AD attributes.