Security

Hi Guys,

I'm having issues with the Intune extension.

Hi Guys,

I'm having issues with the Intune extension.

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

Hello @Herman Robers

I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
Do I have some documentation where available columns are listed?
What about other filters? Do I need them? What is the filter selection process?

2) Are we able to make it work for other values than certificate like I have tried now? 
My test group is not rejected but I have below error in logs:

3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 

3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

You would need to copy the Endpoint Database Auth Source, and then change the account to 'appexternal' for which you can set a password in the Cluster Wide Parameters.

The filter 'attributes->>'Intune ID' = LOWER('%{Endpoint:Intune ID}') will not work as Endpoint:Intune ID is the same as attributes->>'Intune ID' so you would need to get the Intune ID from somewhere else than the Endpoint; in the examples the Intune ID comes from the Client Certificate. Do you have the Intune ID in your certificate authentication? 

As part of the deck shared earlier, it's critical to understand that there are 2 steps. First step in authentication, and in that step you need to get available the Intune ID in order to query Intune:

If you don't have an authentication method that exposes the Intune ID (implicitly means that you would need to have EAP-TLS/TEAP authentication with client certificates that contain the Intune ID in the Subject-CN, you can't do an HTTP query. You MAY do a lookup in the Endpoint database on the client MAC address, but that only works for clients that connect Wireless, and it's deprecated because of the MAC address to be easily spoofed/changed and MAC randomization.

I would recommend that you work with your Aruba partner or Aruba Support to make the basics work, and possibly expand your use case from there.

Hello @Herman Robers

I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
Do I have some documentation where available columns are listed?
What about other filters? Do I need them? What is the filter selection process?

2) Are we able to make it work for other values than certificate like I have tried now? 
My test group is not rejected but I have below error in logs:

3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 

3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

Hello @Herman Robers

This is the problem - I have Intune ID in Certificate Subject field and I have this external database configured and it still does not work.

I have also opened TAC but my TAC engineer seems to be a bit confused.

Do I need to copy all Filters from Endpoints Repository or only Autentication (first one) and then modify it?

I keep getting SQL query parse error no matter what I put (I have tried many things, last filter I shared with you was one of my many attempts).

Then of course the result is:

Can you send me some example query? (I know you have send one but that gave me error as well, so not sure what is wrong here).

Config for SQL database is ok , when I paste exactly the same query as in Endpoints Repository it works....

You would need to copy the Endpoint Database Auth Source, and then change the account to 'appexternal' for which you can set a password in the Cluster Wide Parameters.

The filter 'attributes->>'Intune ID' = LOWER('%{Endpoint:Intune ID}') will not work as Endpoint:Intune ID is the same as attributes->>'Intune ID' so you would need to get the Intune ID from somewhere else than the Endpoint; in the examples the Intune ID comes from the Client Certificate. Do you have the Intune ID in your certificate authentication? 

As part of the deck shared earlier, it's critical to understand that there are 2 steps. First step in authentication, and in that step you need to get available the Intune ID in order to query Intune:

If you don't have an authentication method that exposes the Intune ID (implicitly means that you would need to have EAP-TLS/TEAP authentication with client certificates that contain the Intune ID in the Subject-CN, you can't do an HTTP query. You MAY do a lookup in the Endpoint database on the client MAC address, but that only works for clients that connect Wireless, and it's deprecated because of the MAC address to be easily spoofed/changed and MAC randomization.

I would recommend that you work with your Aruba partner or Aruba Support to make the basics work, and possibly expand your use case from there.

Hello @Herman Robers

I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
Do I have some documentation where available columns are listed?
What about other filters? Do I need them? What is the filter selection process?

2) Are we able to make it work for other values than certificate like I have tried now? 
My test group is not rejected but I have below error in logs:

3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 

3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.

Here is an export of my Intune Endpoint DB Auth Source; you would need to put in the password for your appexternal account as value in the XML (or change it after import).

The filter should look after import like:

with the full bottom table (which are the attributes that you can find in the Endpoint database related to Intune (or even other attributes...):

Summary looks like:

Hello @Herman Robers

This is the problem - I have Intune ID in Certificate Subject field and I have this external database configured and it still does not work.

I have also opened TAC but my TAC engineer seems to be a bit confused.

Do I need to copy all Filters from Endpoints Repository or only Autentication (first one) and then modify it?

I keep getting SQL query parse error no matter what I put (I have tried many things, last filter I shared with you was one of my many attempts).

Then of course the result is:

Can you send me some example query? (I know you have send one but that gave me error as well, so not sure what is wrong here).

Config for SQL database is ok , when I paste exactly the same query as in Endpoints Repository it works....

You would need to copy the Endpoint Database Auth Source, and then change the account to 'appexternal' for which you can set a password in the Cluster Wide Parameters.

The filter 'attributes->>'Intune ID' = LOWER('%{Endpoint:Intune ID}') will not work as Endpoint:Intune ID is the same as attributes->>'Intune ID' so you would need to get the Intune ID from somewhere else than the Endpoint; in the examples the Intune ID comes from the Client Certificate. Do you have the Intune ID in your certificate authentication? 

As part of the deck shared earlier, it's critical to understand that there are 2 steps. First step in authentication, and in that step you need to get available the Intune ID in order to query Intune:

If you don't have an authentication method that exposes the Intune ID (implicitly means that you would need to have EAP-TLS/TEAP authentication with client certificates that contain the Intune ID in the Subject-CN, you can't do an HTTP query. You MAY do a lookup in the Endpoint database on the client MAC address, but that only works for clients that connect Wireless, and it's deprecated because of the MAC address to be easily spoofed/changed and MAC randomization.

I would recommend that you work with your Aruba partner or Aruba Support to make the basics work, and possibly expand your use case from there.

Hello @Herman Robers

I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
Do I have some documentation where available columns are listed?
What about other filters? Do I need them? What is the filter selection process?

2) Are we able to make it work for other values than certificate like I have tried now? 
My test group is not rejected but I have below error in logs:

3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 

3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.

Hello @Herman Robers

Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
Year is almost ending and no info makes me suspect there is no such plan. :-( 

Best regards!

Ola

I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.

Hello @Herman Robers,

I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

Any feedback highly appreciated! 

Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.

Hi Guys,

I'm having issues with the Intune extension.