Security

 View Only
  • 1.  ClearPass Intune Extension - AAD User Groups?

    Posted May 07, 2024 09:02 AM

    Hi all,

    Is it possible to synchronize AAD user groups from devices / users using the ClearPass Intune Extension?

    To me the following stood out from the configuration, but I cannot seem to find any documentation regarding these settings:

    {
        "logLevel": "INFO",
        "verifySSLCerts": true,
        "azureADEndpoint": "login.microsoftonline.com",
        "graphEndpoint": "graph.microsoft.com",
        "tenantId": "<>",
        "clientId": "<>",
        "clientSecret": "<>",
        "syncPageSize": 50,
        "enableSyncAll": true,
        "syncAllSchedule": "*/30 * * * *",
        "syncUpdatedOnly": true,
        "syncAllOnStart": false,
        "enableEndpointCache": false,
        "endpointCacheTimeSeconds": 900,
        "intuneAttributes": null,
        "enableUserGroups": false,
        "userGroupUpdateSchedule": "*/30 * * * *",
        "bypassProxy": false,
        "enableStats": true,
        "statsUsername": "intune_api",
        "statsPassword": "********"
    }

    I am using version 6.1.7 of the Microsoft Intune Extension, within ClearPass Guest.

    We came across this topic: Airheads Community. However, no at that time it was confirmed no documentation was available.  



    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: ClearPass Intune Extension - AAD User Groups?

    Posted May 07, 2024 11:02 AM
    Edited by mkk May 07, 2024 11:40 AM

    Hi Lex,

    The intune extension is responsible to get the Intune attributes into the ClearPass Endpoint Repository, not Azure Intra ID attributes. 

    For getting Entra ID Groups into ClearPass you can create a new authentication source which does a secure LDAP query to Intra ID. Note that only user groups is supported to fetch. In ClearPass 6.11 you can add a authentication source "Azure", it's possible in early version but then you have to manual create the queries.

    • Only EAP-TLS is supported.
    •  Username must be UPN

    Some slides below



    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: ClearPass Intune Extension - AAD User Groups?
    Best Answer

    Posted May 24, 2024 09:35 AM

    The highlighted attributes (enableUserGroups) are undocumented and considered to be non-functional. I've not seen updates and what I responded in that other thread is still current. With ClearPass 6.12 you can create a Graph API call to retrieve device group membership through the Entra ID Authorization source. The following query works for me, with the Entra ID Device ID being available in the certificate as the Subject:L (Location); change that if you store the Entra ID Device ID in a different field/attribute:

    device:devices?$select=id,deviceId,displayName,approximateLastSignInDateTime,enrollmentType&$filter=deviceId eq %{Certificate:Subject-L};deviceGroups:devices/%{device:id}/memberOf?$select=displayName


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------