ClearPass integration with Azure for Intune devices

  • 1.  ClearPass integration with Azure for Intune devices

    Posted Feb 25, 2023 10:40 AM

    Hi All,

    What are the current possibilities for ClearPass integration with Azure for authentication/authorization of Intune devices with SSO and dot1x?

    Thanks



  • 2.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 25, 2023 07:14 PM

    See if this helps

    https://www.flomain.de/2020/02/clearpass-sso-with-azure-ad/



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 05:23 AM

    Currently we don't have a license for ClearPass Onboard.

    These are available ClearPass SSO options:

    Which option from above can be used for Windows single sign-on before user logon?



  • 4.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 04:08 AM

    Regarding dot1x.

    We support the integration of AAD as an authorization source. You can fetch the group information from AAD for a user during authentication.

    Besides this, we support Intune integration. The Intune integration can be used to fetch information about the endpoint from Intune during authentication. Please check

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00112290en_us


    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 5.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 04:27 AM

    I used that doc and synced endpoints to ClearPass with the Intune extension.

    That doc only describes HTTP authorization mode. Where can I find info on how to use the local endpoint repository with the new Intune attributes?

    Thanks




  • 6.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 04:56 AM

    Version 6 is a big change. The authorization is now not done based on MAC address but based on Device ID, which is in the client certificate. I'm not sure, but I think it's not possible anymore to sync all the endpoints to the endpoint database upfront. Please check pages 29 and 30 of the document to store data in the endpoint database.



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 7.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 07:55 AM

    Yes, you can still sync all Intune devices to the endpoint database. The Intune extension works in two ways: sync to the ClearPass Endpoint Database, or a real-time lookup. The synced data may be up to the sync interval old, but it does not require a call to Intune for each device. Note that devices that only have a wired interface are not synced to the endpoint database either, because the Wi-Fi MAC is still used to store the data.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: ClearPass integration with Azure for Intune devices

    Posted Feb 27, 2023 07:01 AM

    Please note that you cannot do EAP-PEAP authentication against Azure AD. To authenticate Azure AD users, you would need to set up EAP-TLS, where Intune is a logical candidate to configure/enroll the client certificates. Then you can use the Intune Extension for authorization against Intune attributes and, starting with ClearPass 6.11, the Azure AD Authorization Source for authorization against Azure AD attributes like AAD group membership.



    ------------------------------
    Herman Robers
    ------------------------------



  • 9.  RE: ClearPass integration with Azure for Intune devices

    Posted Mar 02, 2023 07:19 AM

    If Azure AD can only be an Authorization Source, is local AD still used for authentication?




  • 10.  RE: ClearPass integration with Azure for Intune devices

    Posted Mar 03, 2023 08:32 AM

    PEAP-MSCHAPv2 is not generally recommended.

    We are testing using Azure Authorization while using the trusted TLS Certificate Subject for Authentication.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------