Security


Clearpass + Intune

  • 1.  Clearpass + Intune

    Posted Feb 01, 2021 12:12 AM
    Hello all,

    Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.

    Our org has started moving over staff devices to InTune, we still have a large presence of BYOD and student devices.

    Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.


    Now with a recent directive from the powers above, we are moving devices (starting with staff) over to InTune management and are beefing up security practice. I really want to take advantage of the InTune Extension in Clearpass, as I feel that coupled with Defender ATP extension would be a great value add.

    This is a rough draft of what I would like to do with our wireless auth moving forward.


    Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

    So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.

    Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
    Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
    Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)


    I appreciate any help or insight on this.



  • 2.  RE: Clearpass + Intune

    Posted Feb 04, 2021 01:25 AM
    Bump

    ------------------------------
    Zack Shore
    ------------------------------



  • 3.  RE: Clearpass + Intune

    Posted Feb 04, 2021 01:43 AM
    I assume you're using V5 of the InTune Extension?

    Why do you have it running on two nodes, offset? Sync on one node and sync more regularly; when you sync on a SUB it will have to write the data to the PUB first.

    Question1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on if this InTune extension and Clearpass can do what I envision in the chart? Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student clearpass role and be put on that VLAN.

    So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
    {djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.

    Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
    {djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.

    Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
    {djj} - Not if you're ingesting the endpoints into the CPPM Endpoint DB and using that data as an authZ source to make your first check: is this endpoint enrolled/known to InTune?

    Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (i think this is where the certs come into play)
    {djj} - Sure, that's the authN portion; the Intune/D-ATP data is more the authZ part. One of the huge benefits of CPPM is that authN and authZ can be separated to different identity stores/repositories.


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 4.  RE: Clearpass + Intune

    Posted Feb 04, 2021 01:55 AM

    I appreciate the response! Big fan of your advice on this forum. 


    So I think I have the cert piece down. I currently push a user and device SCEP cert to my InTune devices. Then I set up an InTune Wi-Fi profile that specifies user or machine auth. This allows our laptops to connect at the sign-in screen using machine auth, and then when the user logs in it uses their creds. So far this is working great.

    The issue that I'm dealing with right now is a little strange. At the end of my enforcement policy, I have it set to look at the Endpoint DB, and if Intune Registered is NOT_EXISTS it will bump that device to the student VLAN. This doesn't seem to work very well and won't connect my personal devices when I test. BUT it will connect them sometimes if MAC randomization is on.

    Is there a better way to get my devices with no InTune registration onto that student VLAN, as shown in the flow chart?



    ------------------------------
    Zack Shore
    ------------------------------



  • 5.  RE: Clearpass + Intune

    Posted Feb 04, 2021 01:58 AM
    And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.

    ------------------------------
    Zack Shore
    ------------------------------



  • 6.  RE: Clearpass + Intune

    Posted Feb 04, 2021 01:23 PM
    Zack,

    I can't think why MAC randomization would have any bearing on a device working or not, as you describe. It's not like you're checking for a known MAC address or doing MAC auth. However, if you're specifically making an authZ decision on Intune Registered, when you make this check you'll have to be looking up the endpoint by its MAC address; if randomization is enabled then you're potentially in a pickle when comparing to the physical address reported by InTune, which is the Endpoint MAC address. Said another way, I'd have expected MAC randomization to always drop the endpoint into the student VLAN/role.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: Clearpass + Intune

    Posted Nov 28, 2022 07:42 PM
    Hi Community members,

    I am in the same situation; we are using the Clearpass Intune extension v5, using the query filter %{Connection:Client-Mac-Address-Hyphen}.

    At this point, all the attributes Clearpass is getting are related to the device, not the user. If we pick one attribute, for example 'Intune Azure AD Registered' equals true, and assign, for example, the staff role, that means students get the staff VLAN.

    Is there any query filter that gets user information, so that we can use that in policy? It's quite hard to distinguish staff and students at this point.
    Please share your thought/view.

    -BINOD


  • 8.  RE: Clearpass + Intune

    Posted Dec 06, 2022 10:49 AM
    Hello,

    We ran into this as we are considering adding staff devices to InTune, but haven't yet. Luckily the staff and students use a different type of device, so you could make use of the attribute Endpoint:Intune Model in this case.
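
The lookup-and-decide logic this thread keeps circling, modelled end to end as an added example: Danny's point in reply 6 that a randomized client MAC can never match the physical MAC the Intune sync wrote into the Endpoint DB, the %{Connection:Client-Mac-Address-Hyphen} filter from reply 7, and the Intune Model refinement from reply 8. This is illustrative Python written for this page, not ClearPass code and not from any of the posters. Assumptions not taken from the thread: the Endpoint DB is represented as a dict keyed by hyphen-separated upper-case MAC (the form that filter produces), the attribute names are the ones the posts mention ("Intune Registered", "Intune Azure AD Registered", "Intune Model"), the values are the strings a sync would typically store, and the set of staff hardware models is invented. Real attribute names and value formats in a given ClearPass deployment may differ.

```python
"""Model of the ClearPass authZ check discussed in this thread: normalize the
client MAC to ClearPass's hyphen form, refuse to trust it if it is a randomized
(locally administered) address, look it up in the Endpoint DB rows the Intune
extension populated, then decide Staff vs Student.

Added example, not ClearPass or Intune code.  Attribute names, value formats,
the STAFF_MODELS set and the sample rows are assumptions / constructed data.
"""
import re

# Constructed sample of what the Intune sync might write into the Endpoint DB,
# keyed the way %{Connection:Client-Mac-Address-Hyphen} would present a client.
ENDPOINT_DB = {
    "A4-5E-60-11-22-33": {
        "Intune Registered": "true",
        "Intune Azure AD Registered": "true",
        "Intune Model": "Latitude 5420",
    },
    "F0-18-98-AA-BB-CC": {
        "Intune Registered": "true",
        "Intune Azure AD Registered": "true",
        "Intune Model": "iPad (8th generation)",
    },
}

# Assumption: staff are issued this hardware, students are not (reply 8's trick).
STAFF_MODELS = {"Latitude 5420"}


def normalize_mac(mac):
    """Return the MAC in ClearPass's 'Hyphen' form, e.g. A4-5E-60-11-22-33.

    Accepts colon, hyphen, Cisco dotted and bare-hex inputs; raises on junk so a
    malformed RADIUS attribute is never silently matched against nothing.
    """
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hex_only) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hex_only = hex_only.upper()
    return "-".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac_hyphen):
    """True when the U/L bit (bit 1 of the first octet) is set.

    MAC randomization on Windows, iOS and Android sets this bit, so a client
    presenting such an address cannot match the burned-in MAC that Intune
    reported for the device; the Endpoint DB lookup is doomed before it starts.
    """
    first_octet = int(mac_hyphen.split("-")[0], 16)
    return bool(first_octet & 0x02)


def decide_role(client_mac, endpoint_db=ENDPOINT_DB):
    """Return (role, reason) for one session, mirroring the thread's policy.

    A device whose Endpoint record carries the Intune attribute and a staff
    hardware model gets Staff; everything else, including an Intune-enrolled
    device hiding behind a randomized MAC, falls through to Student.
    """
    mac = normalize_mac(client_mac)
    if is_locally_administered(mac):
        return "Student", "randomized MAC; Endpoint DB lookup cannot match the Intune record"
    ep = endpoint_db.get(mac)
    if ep is None or ep.get("Intune Registered", "").lower() != "true":
        return "Student", "Intune Registered NOT_EXISTS or not true"
    model = ep.get("Intune Model")
    if model in STAFF_MODELS:
        return "Staff", f"Intune-registered staff hardware ({model})"
    return "Student", f"Intune-registered but {model!r} is not a staff model"


if __name__ == "__main__":
    samples = [
        "a4:5e:60:11:22:33",   # enrolled staff laptop, real MAC
        "F018.98AA.BBCC",      # enrolled student iPad, real MAC
        "A6-5E-60-11-22-33",   # same laptop, randomized MAC (U/L bit set)
        "00-11-22-33-44-55",   # BYOD device never seen by Intune
    ]
    for m in samples:
        role, why = decide_role(m)
        print(f"{m:22} -> {role:8} ({why})")
```

The randomized-MAC branch is the part worth keeping in mind when reading reply 4: a personal device that connects "sometimes" with randomization on is behaving as this model predicts only if the policy has a default that admits it, so checking the U/L bit up front makes the outcome deterministic rather than dependent on what happens to be in the Endpoint DB.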



  • 9.  RE: Clearpass + Intune