Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Intune extension HTTP attribute query returned error=400

This thread has been viewed 59 times
  • 1.  ClearPass Intune extension HTTP attribute query returned error=400

    Posted Nov 15, 2023 08:12 AM

    Hi Guys,

    I'm having issues with the Intune extension.

    HTTP attribute query returned error=400

    Without selecting the authorization, it works, but ClearPass cannot query in Intune.

    Intune exension logging s empty, looks like the request will not reach the extension or something like that.

    Does anyone have a tip?

    Bet regards,

    Erik



  • 2.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    EMPLOYEE
    Posted Nov 15, 2023 05:07 PM

    the intune extension log should show something.

    I suggest stop the extension and restart it and see its logs.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    EMPLOYEE
    Posted Nov 30, 2023 08:52 AM

    Error 400 means in most cases that the device that you query is not in Intune. Note that with the recent versions of the ClearPass Intune Extension, you need to query based on the Intune Device ID, no longer on the MAC adress as in earlier versions.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 11, 2023 09:08 AM

    Hello @Herman Robers,

    I am a little bit confused about extension querying and I was hoping you can clarify a bit more as I understand it is somehow important to have it set up correctly.

    For now I am having as below, I was also trying some queries with Certificate but then my extension was sending errors in logs.
    Users are accepted on the network and everything seems to be fine for the most of them, but I can see this alert on all requests:

    My extension logs are not showing any particular errors with what I have configured for the moment but I have a feeling that I do not understand something and it can be done much better.... 

    Any feedback highly appreciated! 




  • 5.  RE: ClearPass Intune extension HTTP attribute query returned error=400
    Best Answer

    EMPLOYEE
    Posted Dec 11, 2023 09:17 AM

    I would recommend to start with the Intune Extension Tech Note available from the ClearPass Tech Notes page.

    One immediate thing that caught my attention is that the use normal parentheses %() in the filter query, where that should be %{curly-braces}. But also the use of Endpoint is deprecated as it uses the client MAC address which is easily spoofed and incompatible with randomized MAC addresses or clients that connect both wired and wireless.

    A presentation on ClearPass with Intune integration has been posted on this page of the Airheads community. That may describe a bit better how the integration works.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 15, 2023 12:58 AM

    Hello @Herman Robers

    Thank you so much for sharing this presentation slides from Belgium Atmosphere Meetup - it is indeed very clear to me now what possibilities we have with Intune integration.  I still have some questions about this setup:

    1) When we set up INTUNE in Authentication Sources documentation says it is very important to set up Filter correctly and they give below example (this is also what we have configured now after your comment about brackets).

    What I do not really understand is what other filters can I set up? How does this work? Do you have some documents I can read more about it?
    For now as my services authorize users performing checks on local replica of Intune Database it does not seem to have much effect on anything, but ideally I would like to use it as backup method. User authenticates -> check in local replica (not existing) -> check with live HTTP query to Intune - is it even possible?

    2) I am not really able to change this indexing of local database for different attribute than MAC of the endpoint.
    Do you have any more examples how to set it up? I only have gone to the point that I have separated Authentication Source that I would like to use for this different querying purpose, as I have in my network devices that do not use Intune or do1x.

    3) I have impression that in this Atmosphere events a lot of valuable knowledge is shared - will there be more events in 2024?
    Year is almost ending and no info makes me suspect there is no such plan. :-( 

    Best regards!

    Ola




  • 7.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    EMPLOYEE
    Posted Dec 15, 2023 10:07 AM

    3) The Atmosphere events are posted on the website. I think for 2024 these are still in the process of being scheduled.

    1) For the filter query, ClearPass requests information from Intune based on the Intune Device ID, so you would need to put the Intune Device ID in the query, where in this case it's pulling that from the certificate CN. If you check Access Tracker, you can see the Intune device ID is in the field name Certificate

    Then you encapsulate that in %{ and }, and during the authentication ClearPass replaces %{Certificate:Subject-CN} with the value of fdd2d322-27fd-4f82-a5da-07eb7142dccf. If you have the device id in another field you can put that in. When you just follow the tech notes and documentation, there probably is no need to change it, thus no real need to understand the query, but for advanced scenarios you have the possibility to change it.

    There is no 'optional lookup' for authorization sources, to only lookup via HTTP if the Endpoint information is missing. It's not the first time that I heard the idea, so please request it as a feature through Aruba Innovation Zone which is accessible for partners and Aruba employees.

    2) That is also in that deck, idea is where the normal endpoint database uses the client MAC address (also in a %{...} construct); for the Intune ID you use something like: FROM tips_endpoints WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')

    That %{...} replaces in the query with the value of the Certificate:Subject-CN similar to the previous point.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: ClearPass Intune extension HTTP attribute query returned error=400

    Posted Dec 16, 2023 04:19 AM

    Hello @Herman Robers

    I have a feeling that I understand this theory and idea but still I am not able to figure it all out in the way 100% clear to me (I still have production working with MAC address matching, so this is not like a critical issue, but very annoying and not optimal at all).

    1) Do I need to modify this SQL statement on Endpoint Repository or can I keep in separate?

    For now I have created (as mentioned before) INTUNE ENDPOINT REPOSITORY authentication source and I would like to use it only for Intune related service.
    For the moment I have only one filter and I am a bit confused about select part (for now I have just copied from Endpoint Repository filter number 1 and modified a bit).

    Should I put something else as SELECT? All my trials ended with message 'Column does not exist'.
    Do I have some documentation where available columns are listed?
    What about other filters? Do I need them? What is the filter selection process?

    2) Are we able to make it work for other values than certificate like I have tried now? 
    My test group is not rejected but I have below error in logs:

    3) I will raise a point to our Aruba partner, so he can raise it to Aruba Innovation Zone hopefully. 

    Thanks very much for your help already, I start to see some bright light in the tunnel. :-) 




  • 9.  RE: ClearPass Intune extension HTTP attribute query returned error=400