This is what I have:
And on the note: "Even though the current release supports fetching these attributes, it cannot be used within the enforcement profile.", that does not apply to the Group membership, but to the other attributes. And that is because the default filter does only pull the Group information, but you can add the other attributes like:
... which will then pull these attributes and make them available for Role Mapping or Enforcement. Example:
Both of the following Role mappings work after that change:
Hope this helps... and I'll reach out to the documentation team to get the Azure API required permissions added.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 16, 2022 01:14 PM
From: Geury Torres
Subject: Clearpass RADIUS Intune/Azure AD integration POC
I upgraded to 6.11 and configured the azure authentication source, but I do not see any authorization information being pulled when I check access tracker. I created the azure APP and gave it user.read permissions. Is there anything I'm missing ? The documentation is lacking on the exact permissions needed in the azure app.
Original Message:
Sent: Nov 16, 2022 08:34 AM
From: Geury Torres
Subject: Clearpass RADIUS Intune/Azure AD integration POC
I may have to upgrade to 6.11 to give this a shot. Looks like it can pull group information from azure, then I can assign roles ->enforcement. If I can't use it for authorization then what the heck is the point lol
Original Message:
Sent: Nov 15, 2022 08:33 PM
From: James Andrewartha
Subject: Clearpass RADIUS Intune/Azure AD integration POC
I have good group information from ClearPass Guest's Azure AD social integration, they show up in Endpoint:social_groups. 6.11 has some Azure AD support but also a note "Even though the current release supports fetching these attributes, it cannot be used within the enforcement profile."
https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Azure.htm
Original Message:
Sent: Nov 15, 2022 08:29 AM
From: Geury Torres
Subject: Clearpass RADIUS Intune/Azure AD integration POC
Hey!
Running a POC for my company regarding clearpass and was wondering how do you guys pull user group information from Azure ad/intune. I currently have the intune extension setup and working but the attributes passed by intune are very limited. I need to be able to pull group information to assign different roles/policies.
Is the only way to achieve this is using secure ldap to azure domain services ? Is there a simpler way to do this ? We do not want to use onboard and we use SCEPman as a CA for EAP-TLS.
Thanks!!