Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Intune extension HTTP attribute query returned error=400

  • 1.  ClearPass Intune extension HTTP attribute query returned error=400

    Posted Nov 15, 2023 08:12 AM

    Hi Guys,

    I'm having issues with the Intune extension.

    HTTP attribute query returned error=400

    Without selecting the authorization, it works, but ClearPass cannot query in Intune.

    Intune extension logging is empty, looks like the request will not reach the extension or something like that.

    Does anyone have a tip?

    Best regards,

    Erik



  • 2.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    EMPLOYEE
    Posted Nov 15, 2023 05:07 PM

    the intune extension log should show something.

    I suggest stop the extension and restart it and see its logs.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Nov 30, 2023 08:52 AM

    Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC address as in earlier versions.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 11, 2023 09:08 AM

    Hello @Herman Robers,

    I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

    For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
    Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

    My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

    Any feedback highly appreciated! 




  • 5.  RE: ClearPass Intune extension HTTP attribute query returned error=400
    Best Answer

    Posted Dec 11, 2023 09:17 AM

    I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

    One immediate thing that caught my attention is that you use normal parentheses %() in the filter query, where that should be %{curly braces}. But also the use of Endpoint is deprecated, as it uses the client MAC address, which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

    A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.



    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 15, 2023 12:58 AM

    Hello @Herman Robers

    Thank you so much for sharing these presentation slides from the Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration. I still have some questions about this setup:

    1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

    What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
    For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

    2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
    Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

    3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
    Year is almost ending and no info makes me suspect there is no such plan. :-( 

    Best regards!

    Ola




  • 7.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 15, 2023 10:07 AM

    3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

    1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

    Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

    There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

    2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

    That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 16, 2023 04:19 AM

    Hello @Herman Robers

    I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

    1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

    For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
    For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

    Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
    Do I have some documentation where available columns are listed?
    What about other filters? Do I need them? What is the filter selection process?

    2) Are we able to make it work for other values than certificate like I have tried now? 
    My test group is not rejected but I have below error in logs:

    3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

    Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 




  • 9.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 18, 2023 05:27 AM

    You would need to copy the Endpoint Database Auth Source, and then change the account to 'appexternal' for which you can set a password in the Cluster Wide Parameters.

    The filter 'attributes->>'Intune ID' = LOWER('%{Endpoint:Intune ID}') will not work as Endpoint:Intune ID is the same as attributes->>'Intune ID' so you would need to get the Intune ID from somewhere else than the Endpoint; in the examples the Intune ID comes from the Client Certificate. Do you have the Intune ID in your certificate authentication? 

    As part of the deck shared earlier, it's critical to understand that there are 2 steps. First step in authentication, and in that step you need to get available the Intune ID in order to query Intune:

    If you don't have an authentication method that exposes the Intune ID (this implicitly means that you would need to have EAP-TLS/TEAP authentication with client certificates that contain the Intune ID in the Subject-CN), you can't do an HTTP query. You MAY do a lookup in the Endpoint database on the client MAC address, but that only works for clients that connect Wireless, and it's deprecated because the MAC address is easily spoofed/changed and because of MAC randomization.

    I would recommend that you work with your Aruba partner or Aruba Support to make the basics work, and possibly expand your use case from there.



    ------------------------------
    Herman Robers
    ------------------------------
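A runnable sketch of the two-step lookup Herman describes in replies 7 and 9, added here as an example and not part of the thread or of ClearPass: the %{...} macro is expanded from the authentication request (the certificate Subject-CN) into a bind parameter, and only then does the filter run against a small constructed copy of the endpoint table. SQLite's json_extract stands in for PostgreSQL's attributes->>'Intune ID'; the endpoint rows, MACs and the 'Intune Compliance State' attribute are assumptions, while the 'Intune ID' attribute name and the first GUID come from the thread.

```python
import re
import sqlite3

# Constructed stand-in for ClearPass's tips_endpoints table (PostgreSQL in the
# real product, where the filter uses attributes->>'Intune ID'). Rows, MACs and
# the 'Intune Compliance State' attribute are made up for this example.
SAMPLE_ENDPOINTS = [
    ("aa-bb-cc-dd-ee-01",
     '{"Intune ID": "fdd2d322-27fd-4f82-a5da-07eb7142dccf", "Intune Compliance State": "compliant"}'),
    ("aa-bb-cc-dd-ee-02",
     '{"Intune ID": "0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0", "Intune Compliance State": "noncompliant"}'),
    ("aa-bb-cc-dd-ee-03", "{}"),  # client with no Intune data at all
]

# The thread's Intune ID filter, with SQLite's json_extract standing in for ->>.
INTUNE_FILTER = (
    "SELECT json_extract(attributes, '$.\"Intune ID\"') AS intune_id, "
    "json_extract(attributes, '$.\"Intune Compliance State\"') AS compliance "
    "FROM tips_endpoints "
    "WHERE json_extract(attributes, '$.\"Intune ID\"') = LOWER('%{Certificate:Subject-CN}')"
)

MACRO = re.compile(r"'?%\{([^}]+)\}'?")  # %{Attr}, with optional quotes around it


def expand_filter(template, request):
    """Turn each %{Attr} macro into a bind parameter taken from the request.
    Binding (instead of splicing the value into the SQL text) keeps a CN chosen
    by the client from altering the query. Returns (sql, params, missing)."""
    params, missing = [], []

    def sub(match):
        name = match.group(1)
        if name not in request:
            missing.append(name)
        params.append(request.get(name, ""))
        return "?"

    return MACRO.sub(sub, template), params, missing


def lookup(request, template=INTUNE_FILTER):
    """Step 1: the Intune ID must already be in the request (EAP-TLS/TEAP cert CN).
    Step 2: only then can the endpoint record be queried by that ID."""
    sql, params, missing = expand_filter(template, request)
    if missing:
        return {"error": "attribute not available in request: " + ", ".join(missing)}
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tips_endpoints (mac_address TEXT PRIMARY KEY, attributes TEXT)")
    con.executemany("INSERT INTO tips_endpoints VALUES (?, ?)", SAMPLE_ENDPOINTS)
    row = con.execute(sql, params).fetchone()
    con.close()
    if row is None:
        return {"error": "no endpoint with that Intune ID"}
    return {"intune_id": row[0], "compliance": row[1]}
```

Swapping the macro for %{Endpoint:Intune ID}, as in the filter from reply 8, fails at step 1: that attribute only exists after the endpoint has been found, so the request has nothing to substitute.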



  • 10.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 18, 2023 11:18 AM

    Hello @Herman Robers

    This is the problem - I have Intune ID in Certificate Subject field and I have this external database configured and it still does not work.

    I have also opened TAC but my TAC engineer seems to be a bit confused.

    Do I need to copy all Filters from Endpoints Repository or only Authentication (first one) and then modify it?

    I keep getting SQL query parse error no matter what I put (I have tried many things, last filter I shared with you was one of my many attempts).

    Then of course the result is:

    Can you send me some example query? (I know you have sent one but that gave me an error as well, so not sure what is wrong here).

    Config for SQL database is ok, when I paste exactly the same query as in Endpoints Repository it works....




  • 11.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 18, 2023 11:45 AM

    Here is an export of my Intune Endpoint DB Auth Source; you would need to put in the password for your appexternal account as value in the XML (or change it after import).

    The filter should look after import like:

    with the full bottom table (which are the attributes that you can find in the Endpoint database related to Intune (or even other attributes...):

    Summary looks like:



    ------------------------------
    Herman Robers
    ------------------------------

    Attachment(s): AuthSource(1).xml (3 KB)


  • 12.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 20, 2023 11:26 AM

    Hello,

    In fact the issue was with this SQL configuration.

    When you put loopback (as in your screen) instead of VIP it is not allowing to save with ; in the end of the query.
    Without this ending it is not extracting anything (we tried with TAC support queries manually).

    Another issue was that I did not prepare my INTUNE TLS modified version.

    I also reached my Aruba Partner to raise requests in Aruba Innovation Portal:

    SEC-I-2033 -> possibility to fallback to HTTP direct query to INTUNE 

    SEC-I-2034 -> possibility to search in Static Host Lists

    Thank you very much for answering all my questions, it was very useful and helped me to understand better the entire workflow.

    Everything seems to be working now but I keep getting this error:

    Do you know where it comes from? I would not like to be surprised with some unexpected side effects when we decide to go for production with this setup.

    Regards (probably if we ever meet on Atmosphere event I should offer you a beer and probably I am not the only one - you are doing the great job),

    Ola