  • 1.  ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 10, 2023 11:07 AM

    Hi everyone - So my company has been using the Intune ClearPass extension v6 on our network. We currently have periodic sync enabled, and we are using HTTP realtime authorizations. We are noticing that there is a great deal of latency to connect to Office 365\Intune to query device info.

    We also have to account for random MAC Addresses and for devices that do not pass MAC Addresses to Intune. So I was told that periodic sync cannot be used without HTTP realtime auth.

    Does anyone have a best practices document outside of the normal configuration? For example, should we have multiple AzureAD app registrations for our various ClearPass nodes?



  • 2.  RE: ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 11, 2023 07:53 AM

    The 'trick' is to use the Intune Device ID and you can still use the synchronized data from the endpoint database and would not need realtime.

    The ClearPass, Azure AD, and Intune presentation from Atmosphere Local can help you get a better view of the pros/cons of HTTP Realtime vs synchronized.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 11, 2023 08:13 AM

    Thank you Herman for this info! Is there a way that ClearPass can "pick and choose" which method to use based upon availability of the MAC Address in the database? For example, if we have a Surface Hub that doesn't send the proper MAC Address to Intune... or in terms of randomized MAC.

    So if MAC not found... use realtime lookup... or if MAC present from periodic sync... do not use realtime lookup?

    Let me know if that makes sense.

    Thanks!




  • 4.  RE: ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 12, 2023 04:22 AM

    I see the point, but I don't think there are 'conditional Authorization sources'; ClearPass can query multiple authentication sources in parallel or in no specific order, and it will just try all of them.

    For this use-case you may open an idea in the Aruba Innovation Zone to see if there are more customers running into the same issue. BTW, if you have significant delays with the real-time lookups, where for me everything under a second would not really be significant for the purpose, then it's good to open a TAC case to investigate why that happens.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 12, 2023 04:26 AM

    I opened a case already and am waiting for the engineer.

    But I am not quite sure if TAC will support the Intune behavior.

    Best regards from Lübeck
    Ehab Boshra | Network Engineering
    tenzing - Dr. Müller & Partner GmbH IT-Solutions
    Hutmacherring 6, 23556 Lübeck
    Tel.: (+49) 451 8730035
    Fax: (+49) 451 8730029
    Mobile: (+49) 1703725035
    Email: ehab.boshra@tenzing.de
    Web: https://tenzing.de

    Lübeck District Court | HRB 5627
    Managing Directors: Björn Meyer & Gunnar Petersen






  • 6.  RE: ClearPass - Intune Extension - Periodic Sync VS. HTTP Realtime

    Posted Oct 13, 2023 11:30 AM

    If there are 'significant delays' with querying Intune, they should be able to at least tell you if that is expected performance or not and even check to find where the delay is. If that's in Intune, there is not so much that TAC can do; if it's in ClearPass or the extension, they may.



    ------------------------------
    Herman Robers
    ------------------------------