This is an old topic, but for your question - no, the newest Extension doesn't have the wired MAC address. There are known workarounds that have been around for a year or so. Basically, the certificate needs to contain the Intune ID and we use that to search for the correct device in the endpoint database.
The extension guide also explains how to collect the Ethernet MAC address and store it in the endpoint database, and then use that when pulling authorization parameters.
Original Message:
Sent: Nov 22, 2023 08:59 AM
From: NickTT
Subject: CPPM Intune Extension + Wired MAC not found.
Has this been fixed in the 6.1.7 version of the Extension? I can get wireless to work but can't get Wired 802.1x to work as the Intune Values are not populated in the Auth Request.
Original Message:
Sent: Jan 11, 2021 10:42 AM
From: Herman Robers
Subject: CPPM Intune Extension + Wired MAC not found.
Victor,
I received a confirmation from the product team on what you have seen and at the moment, not getting the wired MAC of an Intune client should be considered a limitation with the v5 version of the extension. You can ask TAC to republish the v4 version based on different APIs that do include the wired MAC. If you have the time to wait, this is being worked on and possible solutions are being explored to get this limitation resolved.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Jan 11, 2021 09:55 AM
From: Victor Castro
Subject: CPPM Intune Extension + Wired MAC not found.
Thanks Herman, will do!
------------------------------
Victor Castro
Original Message:
Sent: Jan 11, 2021 04:10 AM
From: Herman Robers
Subject: CPPM Intune Extension + Wired MAC not found.
Victor,
Please open a TAC support case to discuss these findings. If this is an issue, it has to be documented and TAC may be able to test your suggestions.
Once you have opened the case, please share the case number in a personal message with me, so I can see if I can route this to the right people quickly.
------------------------------
Herman Robers
Original Message:
Sent: Jan 10, 2021 10:20 PM
From: Victor Castro
Subject: CPPM Intune Extension + Wired MAC not found.
I think I've narrowed down the issue.
It looks like the Microsoft Graph REST API v1.0 only has the wiFiMacAddress defined, while the beta API has an ethernetMacAddress. I suspect this is likely the issue.
v1.0 API: https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice?view=graph-rest-1.0
Beta API: https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice?view=graph-rest-beta
I've attempted to add the ethernetMacAddress to the intuneAttributes section of the Intune extension configuration in CPPM but that just returns the following error:
[2021-01-10T21:42:36.481] [ERROR] Intune - {"error":{"code":"BadRequest","message":"Parsing OData Select and Expand failed: Could not find a property named 'ethernetMacAddress' on type 'microsoft.graph.managedDevice'.","innerError":{"date":"2021-01-11T02:42:48","request-id
Another change I made was to have the extension pull all items, not just updated ones. As a result, I'm seeing my wired-only devices being pulled down, but not added to the endpoint database because no MAC address is available:
[2021-01-10T22:00:01.204] [WARN] Intune - The device "DESKTOP-D80VMRE" (4c40059c-9afa-43b5-831d-c39b8a4b7170} does not have a MAC Address. Unable to process it.
[2021-01-10T22:00:01.204] [DEBUG] Intune - {"id":"xxxx-9afa-xxxx","wiFiMacAddress":"","deviceName":"DESKTOP-D80VMRE","model":"OptiPlex 9020","osVersion":"10.0.18363.1237","operatingSystem":"Windows","userId":"xxxx-d040-4694-9xxxx","managedDeviceOwnerType":"personal","enrolledDateTime":"2021-01-10T21:19:27Z","lastSyncDateTime":"2021-01-11T01:25:23Z","complianceState":"compliant","jailBroken":"Unknown","managementAgent":"mdm","easActivated":true,"easDeviceId":"fffffBC30","easActivationDateTime":"0001-01-01T00:00:00Z","azureADRegistered":true,"deviceEnrollmentType":"windowsAutoEnrollment","activationLockBypassCode":null,"emailAddress":"castrov@xyz.com","azureADDeviceId":"-444c-bfd1-x","deviceRegistrationState":"registered","deviceCategoryDisplayName":"Unknown","isSupervised":false,"exchangeLastSuccessfulSyncDateTime":"0001-01-01T00:00:00Z","exchangeAccessState":"none","exchangeAccessStateReason":"none","remoteAssistanceSessionUrl":null,"remoteAssistanceSessionErrorDetails":null,"isEncrypted":true,"userPrincipalName":"castrov@","manufacturer":"Dell Inc.","imei":"","complianceGracePeriodExpirationDateTime":"9999-12-31T23:59:59Z","serialNumber":"3kk2","phoneNumber":"","androidSecurityPatchLevel":"","userDisplayName":"Victor Castro","configurationManagerClientEnabledFeatures":null,"deviceHealthAttestationState":null,"subscriberCarrier":"","meid":"","totalStorageSpaceInBytes":500106788864,"freeStorageSpaceInBytes":432788209664,"managedDeviceName":"castro_Windows_1/10/2021_9:19 PM","partnerReportedThreatState":"unknown"}
Clearly the device is enrolled and CPPM + MS Intune are talking; it's just that Intune isn't returning the Ethernet MAC with the v1.0 Graph API.
Any idea if we can change to the beta Graph API?
Thanks,
Victor
------------------------------
Victor Castro
Original Message:
Sent: Jan 08, 2021 04:07 PM
From: Victor Castro
Subject: CPPM Intune Extension + Wired MAC not found.
We have CPPM configured to perform compliance lookups with Microsoft Intune following the latest Integration Guide (2020-01).
We have this working with wireless clients, however during our testing, we noticed wired clients would be shown as not enrolled. When searching logs and analyzing the endpoint database in ClearPass, we see that wired endpoints had no Intune attributes and were unable to authenticate as a result of our security policy.
Intune Extension log in Aruba ClearPass when ClearPass attempts a sync:
'The device "DESKTOP-9T9P8D0" (27f2f00a-9a83-43ed-0000-111111111111} does not have a MAC Address. Unable to process it.'
Intune Extension log in Aruba ClearPass when user tries to authenticate:
'Intune - The endpoint with the MAC Address 00-19-0e-16-3a-80 does not have an "Intune ID".'
- Screenshot of device hardware showing the device name, Intune Device ID and Ethernet MAC. Again, this works with wireless clients.
To be clear, we have tested a laptop with both wired and wireless NICs. On the same machine, wireless works when associated to an Aruba network. Wired does not work when performing dot1x against a Cisco switch.
------------------------------
Victor Castro
------------------------------
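An added example, not part of the thread or of the ClearPass Intune extension: a Python triage script over the two extension log messages quoted in this thread, listing enrolled devices skipped at sync for lack of a MAC address and MAC addresses seen at authentication without an Intune ID. The sample lines are constructed in the quoted format, and correlating the WARN and DEBUG records by `deviceName` is an assumption.

```python
import json
import re

# Constructed sample lines in the format quoted in the thread (all values made up).
# The last line carries no timestamp/level prefix because the thread quotes it without one.
SAMPLE_LOG = """\
[2021-01-10T22:00:01.204] [WARN] Intune - The device "DESKTOP-EXAMPLE1" (00000000-0000-0000-0000-000000000001} does not have a MAC Address. Unable to process it.
[2021-01-10T22:00:01.204] [DEBUG] Intune - {"id":"00000000-0000-0000-0000-000000000001","wiFiMacAddress":"","deviceName":"DESKTOP-EXAMPLE1","complianceState":"compliant"}
[2021-01-10T22:00:01.310] [DEBUG] Intune - {"id":"00000000-0000-0000-0000-000000000002","wiFiMacAddress":"AABBCCDDEEFF","deviceName":"LAPTOP-EXAMPLE2","complianceState":"compliant"}
Intune - The endpoint with the MAC Address 00-11-22-33-44-55 does not have an "Intune ID".
"""

# The quoted sync message closes the device ID with "}" instead of ")", so accept either.
NO_MAC = re.compile(r'The device "(?P<name>[^"]+)" \((?P<id>[^)}]+)[)}] does not have a MAC Address')
NO_ID = re.compile(r'MAC Address (?P<mac>(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}) does not have an "Intune ID"')
DEBUG_JSON = re.compile(r'\[DEBUG\] Intune - (\{.*\})\s*$')

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits for comparison."""
    return re.sub(r'[^0-9a-f]', '', mac.lower())

def triage(log_text):
    """Return (devices skipped at sync, MACs that authenticated without an Intune ID)."""
    skipped = {}       # deviceName -> Intune ID and compliance state, if logged
    unmatched = set()  # normalized MACs from auth-time failures
    for line in log_text.splitlines():
        m = NO_MAC.search(line)
        if m:
            skipped[m['name']] = {'intuneId': m['id'], 'complianceState': None}
            continue
        m = NO_ID.search(line)
        if m:
            unmatched.add(norm_mac(m['mac']))
            continue
        m = DEBUG_JSON.search(line)
        if m is None:
            continue
        try:
            dev = json.loads(m[1])
        except json.JSONDecodeError:
            continue  # truncated or partial record, nothing to correlate
        rec = skipped.get(dev.get('deviceName'))
        if rec is not None and not dev.get('wiFiMacAddress'):
            rec['complianceState'] = dev.get('complianceState')
    return skipped, sorted(unmatched)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A device that appears in the first result with `complianceState` set to `compliant` is enrolled and healthy in Intune but can never be matched by MAC address on a wired port, which is the condition the thread describes.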