I got it. Authorization and role enforcement are working fine.
Original Message:
Sent: May 30, 2025 09:49 AM
From: Herman Robers
Subject: ClearPass integration with EntraID
If you use SCEPman to deliver client certificates, you don't need a SCEP certificate in ClearPass.
In ClearPass you would need the EAP Server certificate, for which the Root is deployed on your clients (through Intune), and which matches the server name and Root that are configured (through Intune) in the SSID/wired profile.
You would also need the SCEP server's client CA Root certificate in the ClearPass Trust List; this may be the same as the SCEP Root CA, but can be different as well.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
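The two trust relationships described in the reply above, as an added example that is not part of the original thread and not ClearPass or SCEPman tooling: the client checks the EAP server certificate against the deployed root and the configured server name, and the RADIUS server checks the client certificate against the client CA root in its trust list. It assumes the `openssl` CLI is available; the CA names, `clearpass.example.test` and `device01` are constructed placeholders.

```shell
#!/bin/sh
# Added example: constructed lab PKI. Every name is a placeholder, not from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throwaway keys, removed on exit

make_ca() {   # make_ca <file-stem> <CN>: self-signed root
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 2>/dev/null
}

issue() {     # issue <ca-stem> <file-stem> <CN> <one extension line>
    printf '%s\n' "$4" > "$WORK/$2.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

chain_ok() {  # chain_ok <trusted-root-stem> <cert-stem> [expected server name]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" \
            "$WORK/$2.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    fi
}

# Root that signs the EAP server certificate (pushed to clients by the MDM profile).
make_ca eap-root "Constructed EAP Root"
# Separate root that signs client certificates (goes in the RADIUS trust list).
make_ca client-root "Constructed Client CA Root"
issue eap-root server clearpass.example.test "subjectAltName=DNS:clearpass.example.test"
issue client-root client device01 "extendedKeyUsage=clientAuth"

# Client side: server cert must chain to the deployed root AND match the profile's name.
chain_ok eap-root server clearpass.example.test && echo "client: server cert accepted"
chain_ok eap-root server radius.example.test || echo "client: rejected, server name mismatch"
# Server side: client cert must chain to a root present in the trust list.
chain_ok client-root client && echo "server: client cert accepted"
chain_ok eap-root client || echo "server: rejected, client CA root not trusted"
```

Against a real deployment, the same `openssl verify` calls can be pointed at the exported EAP server certificate and the root files instead of the generated ones.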
Original Message:
Sent: May 26, 2025 03:14 PM
From: shamzudheen@connectit.ae
Subject: ClearPass integration with EntraID
Many thanks Herman, for your detailed reply.
Could you please give me some more clarification on this case?
We plan to do EAP-TLS authentication on the user/device side. Our CA is SCEP (through Intune). Do we need a SCEP root certificate and EAP server certificate in ClearPass to integrate with EntraID? If so, how do I generate an EAP server certificate from SCEPman for ClearPass?
Reg,
Shamz
Original Message:
Sent: May 12, 2025 11:16 AM
From: Herman Robers
Subject: ClearPass integration with EntraID
For Entra ID based group enforcement, integration with Entra ID is needed.
For AD group based enforcement, integration with AD is needed.
Intune is used in many cases for the device provisioning, enroll client certs, configure WLAN/wired settings (supplicant/802.1X).
Without Intune, it's hard to get the clients correctly configured; but you don't need the Intune integration unless you would need Intune attributes to authorize the client. For example, if you want compliant devices to get a different role on the network than noncompliant (or company vs personal managed), you would use the Intune integration. Some customers only use Intune integration, others only Entra ID, others both.
------------------------------
Herman Robers
Original Message:
Sent: May 08, 2025 02:28 PM
From: shamzudheen@connectit.ae
Subject: ClearPass integration with EntraID
Dear Herman and Jonas,
So, I hope that Intune integration is not required for AD group based role enforcement to happen in ClearPass, just Entra ID integration is enough. Can we use EAP-TEAP (both options are TLS) for the end user dot1X authentication? Or is there any challenge?
Please clarify.
Reg.
Shamz
Original Message:
Sent: Apr 30, 2025 04:42 AM
From: Herman Robers
Subject: ClearPass integration with EntraID
These should point you in the right direction: https://community.arubanetworks.com/discussion/clearpass-611-entra-id#bm6d462785-445c-4f11-b68f-0196856ce10e
------------------------------
Herman Robers
Original Message:
Sent: Apr 30, 2025 03:42 AM
From: alliedassault
Subject: ClearPass integration with EntraID
Hi there,
Do you have the link for the documents which Herman has created?
TIA
David
Original Message:
Sent: Apr 29, 2025 05:47 AM
From: Istvan Hegedus
Subject: ClearPass integration with EntraID
Hi,
Herman has created documents on it and it is not that difficult. You have to know that you cannot use username/password authentication; you have to use EAP-TLS, which means client certificates. Intune is not mandatory; ClearPass can extract the username from the certificate, query EntraID for user account existence and query user group membership.
There are some discussions on it, mainly what you need is a new Authentication method and Source using EntraID. On this forum you can find some discussions on it.
I use 6.11 and there is no issue or bug with it so far.
Best Regards
Istvan
Original Message:
Sent: Apr 28, 2025 03:17 PM
From: shamzudheen@connectit.ae
Subject: ClearPass integration with EntraID
Dear Team,
One of our customers is migrating their AD to Entra-ID. Once the migration is complete, they will shut down their on-premise AD permanently.
Now the point is that ClearPass is now integrated with AD and working properly (for Wired and Wireless authentication).
Once on-premise AD is moved to Entra-ID, ClearPass must be integrated with Entra-ID. Here's the confusion:
How do I integrate ClearPass with Entra-ID?
Will secure LDAP integration work?
Is Intune mandatory to integrate ClearPass with Entra-ID?
Reg,
Shamz