I would recommend starting with the Intune Extension Tech Note available from the ClearPass Tech Notes page.
One immediate thing that caught my attention is the use of normal parentheses %() in the filter query, where that should be %{curly-braces}. Also, the use of Endpoint is deprecated, as it uses the client MAC address, which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.
A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 11, 2023 02:04 AM
From: Ola_B54
Subject: ClearPass Intune extension HTTP attribute query returned error=400
Hello @Herman Robers,
I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.
For now I have it as below; I was also trying some queries with Certificate, but then my extension was sending errors in the logs.
Users are accepted on the network and everything seems to be fine for most of them, but I can see this alert on all requests: