Key consideration is security - you would be trusting any certificate from that certificate chain as your first 'gate'.
Main reason we've been looking into the HTTP method is because the Endpoint DB will only be populated by the Intune extension once a MAC is recorded in Intune, and have found significant delays in that process (Intune not ClearPass).
Original Message:
Sent: Mar 11, 2025 01:04 AM
From: BrendanMYS
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Thanks Tobi and good catch. From my quick research the Onboard licenses work out slightly cheaper than the MS Cloud PKI licenses but only just!
Crazy idea maybe - is there any reason we couldn't use the Intune MDM certificate to authenticate with? I realize it doesn't have the right SAN values to use HTTP method but it would work fine with Endpoint DB lookup as long as you imported the CA certs it was signed with.
Original Message:
Sent: Mar 10, 2025 11:41 PM
From: tobi.coonan
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Hi Brendan,
As we don't have hybrid machines, I haven't configured that but will in the future if required.
Here's a Microsoft article on Configure infrastructure to support SCEP certificate profiles with Microsoft Intune | Microsoft Learn.
I could be wrong, but I believe ClearPass native SCEP will consume an Onboard licence.
Original Message:
Sent: Mar 10, 2025 11:15 PM
From: BrendanMYS
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Tobi don't forget the new strong-mapping requirement for hybrid machines, adding another SAN URI of {{OnPremisesSecurityIdentifier}}
https://arubanetworking.hpe.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/#whats-new-in-clearpass-intune-extension-v63
What SCEP server are you using? I am just wondering why everyone doesn't just use the Clearpass native SCEP?? I am thinking I will use this after our MS Cloud PKI issue with SAN values being changed to lowercase, yet Clearpass Intune extension mandates case sensitivity, hence our HTTP lookup is not working.
Original Message:
Sent: Mar 05, 2025 02:43 AM
From: tobi.coonan
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
@Herman Robers,
All seems to be ok after redoing the SCEP certificates and restarting the ClearPass appliance. Will continue to monitor before considering rolling out to our production instance.
@SimondsCC - we are not using the Intune Cloud PKI but details and screenshots below.
You will need the Intune details in the USER SCEP certificate as well if you are doing user-based authentication with EAP-TLS or EAP-TEAP.
As Herman mentioned they need to be in a specific format for ClearPass to use them:
DeviceId:{{DeviceID}}
AAD_Device_ID:{{AAD_Device_ID}}
SCEP Device:
SCEP User:
We've also got a couple of other SAN attributes in the certs not required for ClearPass and all seems ok.
Hope this helps.
Original Message:
Sent: Mar 04, 2025 10:43 PM
From: SimondsCC
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Tobi are you able to share a screenshot of the SCEP device certificate profile in Intune? I am also having trouble getting this this up and running.
I am using Intune Cloud PKI and when i add URI attributes the certificate gets removed from the device.
Original Message:
Sent: Feb 19, 2025 05:24 PM
From: tobi.coonan
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
@Herman Robers - doesn't seem to like EAP-TEAP as machine auth only (method-1), still getting the 404 error with no authorisation attributes even though the DeviceId is listed in the access tracker information.
EAP-TEAP access tracker information:
Works fine if connection is EAP-TLS only with the same authorisation source.
Is this expected?
Original Message:
Sent: Feb 19, 2025 02:53 AM
From: Herman Robers
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Yes, since extension version 6.3 there is support for parsing the SAN-URI fields. The attribute name for the Intune Device ID would be DeviceId, but the idea is similar (screenshots and more info in the documentation):
Supported KEY:VALUE pairs are as follows. The KEY names used are same as the variable names that Intune supports in the SCEP profile. Please refer the below link from Micrsoft for details.
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep
- DeviceId:{{DeviceId}} - Used for Intune attributes lookup.
- AAD_Device_ID:{{AAD_Device_ID}} - Used for both Intune attributes and Device group membership lookup.
- UserPrincipalName:{{UserPrincipalName}} - Used for User group lookup only when user group lookup using extension is enabled.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 19, 2025 02:12 AM
From: tobi.coonan
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
@Herman Robers - has there been any updates on this?
It would be cleaner from a certificate deployment if ClearPass could be configured to extract it from a field, like the IntuneDeviceId: URL SAN rather than use another field.
Original Message:
Sent: Apr 15, 2024 11:40 AM
From: Kiame
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Hi Herman,
Thanks for this detailed response. We will try several things with this new pki cloud ...
Original Message:
Sent: Apr 15, 2024 07:30 AM
From: Herman Robers
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
ClearPass does not recognize the URL-form, intunedeviceid:// and will send the full attribute to Intune, which fails.
Make sure that you have just the DeviceID somewhere in a certificate field as an isolated attribute. Here is an example where I put the DeviceID in many different certificate fields:
So you can even put it in the Location, OU, Country or whatever other attribute in the DN; or in an unused SAN (just make sure there are not multiple attributes of the same time, like in my example (and your case) with the URI SAN. It would be nice if ClearPass could be configured to extract it from a field, like the IntuneDeviceId: URL SAN, but that's not possible as far as I know.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 15, 2024 05:02 AM
From: Kiame
Subject: ClearPass - Error 404 with EAP TLS with SAN intunedeviceid://
Hello,
ClearPass version : 6.11.7.257550
Extension Microsoft Intune : 6.1.7
We can use the extension with the deviceid in the common name. But when we try to use in the SAN only, we got an error 404 ::
We use Microsoft PKI Cloud to deploy the certificate and we must specify intunedeviceid:// in the SAN field in intune configuration (without, the certificate won't be deploy) :
The certificate look likes :
Someone can confirm that the extension works only with URL={{deviceid}} and doesn't support intunedeviceid:// please ?
I found in an other discussion the same information (problem with intunedeviceid://) but I need to confirm that we don't have a workaround.
Thanks.