  • 1.  ClearPass Intune extension

    Posted Nov 09, 2023 07:25 AM

    Hi guys,

    I'm currently migrating ClearPass from 6.9 to 6.11 with ClearPass Intune extension.

    In ClearPass 6.11 I have the exact same service for the customer's Wi-Fi, but the ClearPass extension cannot look up the MAC address. The extension is searching for the IntuneID, which is not configured.

    [2023-11-09T12:46:26.445] [INFO] Intune - [id] Request for information received from ::ffff:172.17.0.1.
    [2023-11-09T12:46:26.445] [DEBUG] Intune - [id] Performing device lookup.
    [2023-11-09T12:46:26.447] [INFO] Intune - [id] Device not found.

    [2023-11-09T12:40:07.273] [DEBUG] Intune - ce32b8ad-a293-4a3e-a1c1-f079e91ab08a Processing the MAC Address 88c08b093017 for device da0fe22a-dadb-4974-aede-9535dfee773a...
    [2023-11-09T12:40:07.273] [INFO] Intune - ce32b8ad-a293-4a3e-a1c1-f079e91ab08a No updates to 45398 (88c08b093017) in ClearPass - skipping.
    [2023-11-09T12:40:07.273] [DEBUG] Intune - ce32b8ad-a293-4a3e-a1c1-f079e91ab08a Processing device b4272cd9-ba3a-4ecd-a5cf-d7fce00399d5.

    My older Intune extension v4.0.0 is querying the MAC address the right way:

    [2023-11-08T13:20:51.516] [DEBUG] intune - Querying Intune at https://fef.msub05.manage.microsoft.com/StatelessNACService/devices
    [2023-11-08T13:20:55.366] [DEBUG] intune - Request received. /?macAddress=8cc681d10f2e
    

    I don't have access to Intune myself but the new enterprise app is configured the same as the older ones.

    What could be the issue? I cannot migrate the Wi-Fi users to the new cluster.

    In the meantime, I cannot test the wired part of my project either.

    Is there a bug or am I doing something completely wrong?

    Thanks,

    Best regards,

    Erik



  • 2.  RE: ClearPass Intune extension

    Posted Nov 09, 2023 08:18 AM

    Erik,

    That is expected. The newer Intune Extensions use different APIs (GraphAPI) instead of the older (deprecated) APIs. Part of that is that lookup is done through the Intune DeviceID, no longer by the MAC address, except that you can use the sync option to sync Intune data to the Endpoint Database and look up by (wireless!) MAC there.

    I did a presentation at a recent event in Belgium, where the slides are posted here. It also explains why using the MAC address to look up/link security data is a bad idea in many cases.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
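
To tell from the extension logs which lookup style is in play and whether a given MAC was handled by the sync described in the reply above, the following is an added example, not part of the thread and not Aruba's code. It assumes that the "Processing the MAC Address ... for device ..." lines come from the sync job; the function and field names are hypothetical.

```python
import re

# Log lines copied from the first post in this thread ("[id]" is as posted).
# Reading the "Processing the MAC Address" line as sync output is an assumption.
SAMPLE = """\
[2023-11-09T12:46:26.445] [INFO] Intune - [id] Request for information received from ::ffff:172.17.0.1.
[2023-11-09T12:46:26.445] [DEBUG] Intune - [id] Performing device lookup.
[2023-11-09T12:46:26.447] [INFO] Intune - [id] Device not found.
[2023-11-09T12:40:07.273] [DEBUG] Intune - ce32b8ad-a293-4a3e-a1c1-f079e91ab08a Processing the MAC Address 88c08b093017 for device da0fe22a-dadb-4974-aede-9535dfee773a...
[2023-11-09T12:40:07.273] [INFO] Intune - ce32b8ad-a293-4a3e-a1c1-f079e91ab08a No updates to 45398 (88c08b093017) in ClearPass - skipping.
[2023-11-08T13:20:55.366] [DEBUG] intune - Request received. /?macAddress=8cc681d10f2e
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<src>\w+) - (?P<msg>.*)$")
SYNC_MAC = re.compile(r"Processing the MAC Address (?P<mac>[0-9a-fA-F]{12}) "
                      r"for device (?P<dev>[0-9a-f-]{36})")
LEGACY_MAC = re.compile(r"Request received\. /\?macAddress=(?P<mac>[0-9a-fA-F]{12})")

def summarize(text):
    """Classify extension log lines by lookup style and collect synced MACs."""
    out = {"synced": {}, "legacy_mac_queries": [],
           "id_lookups": 0, "id_not_found": 0, "unparsed": 0}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            out["unparsed"] += bool(raw.strip())   # count non-empty junk lines
            continue
        msg = m["msg"]
        if (s := SYNC_MAC.search(msg)):            # MAC paired with an Intune device ID
            out["synced"][s["mac"].lower()] = s["dev"]
        elif (q := LEGACY_MAC.search(msg)):        # old-style query keyed on MAC
            out["legacy_mac_queries"].append(q["mac"].lower())
        elif "Performing device lookup" in msg:    # new-style lookup
            out["id_lookups"] += 1
        elif "Device not found" in msg:
            out["id_not_found"] += 1
    return out

def mac_covered_by_sync(summary, mac):
    """Return the Intune device ID logged for this MAC, or None if never seen."""
    norm = re.sub(r"[^0-9a-fA-F]", "", mac).lower()  # accept aa:bb.. or aa-bb..
    return summary["synced"].get(norm)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A MAC that shows up only in failed lookups and never in the sync lines is a candidate for checking whether the sync has run for that device.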



  • 3.  RE: ClearPass Intune extension

    Posted Nov 09, 2023 08:32 AM

    Hi Herman,

    Thanks for the clarification.

    But how can I migrate for the time being from the "old" cluster to the new one?

    Is there a way to install a new and an older Intune extension?

    Thanks,

    Erik




  • 4.  RE: ClearPass Intune extension

    Posted Nov 09, 2023 08:47 AM

    Probably, yes... you can install multiple Intune extensions in parallel. Just be a bit careful to prevent both extensions from synchronizing to the endpoint database at the same time. For HTTP Authorization, it shouldn't be an issue.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass Intune extension

    Posted Nov 09, 2023 08:53 AM

    Is there a guide available on how to install it?

    My search results gave me only the latest version in the extension.

    Regards,

    Erik




  • 6.  RE: ClearPass Intune extension
    Best Answer

    Posted Nov 10, 2023 08:42 AM

    In that case you may need to go through TAC. If you have the extension ID from your current installation, you may be able to install based on the ID, but not sure if older versions are still posted.



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: ClearPass Intune extension

    Posted Nov 13, 2023 04:28 AM

    Thank you Herman, I created a TAC case.

    Case closed




  • 8.  RE: ClearPass Intune extension

    Posted Nov 13, 2023 07:22 AM

    Even if you installed the old extension, there will likely be issues because Microsoft changed the Graph API behaviour that the extension uses.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: ClearPass Intune extension

    Posted Nov 14, 2023 12:06 AM

    The current version of the ClearPass Intune extension is 6.1.7.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------