If you use Intune to enroll your certificates, you can easily add the Entra ID device id (or other field/attribute to select the device on) in the user certificate and have it available for lookup. That's what I have done, and it works.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 18, 2024 06:18 AM
From: Exodius
Subject: EntraID device lookup with TEAP
Hi guys,
I'm currently facing an issue using TEAP with certificates with EntraID authorization lookups.
To keep it short, when TEAP Phase 1 and 2 are successful, I need to retrieve the user AND device AD groups for my authorization policies. I don't have any problem with the user, but I can't do it with the device, as the TEAP-Phase-1-Username is truncated in the computed attributes (like the sAMAccountName format: 15 characters + $, and there is no sAMAccountName equivalent in EntraID), and I can't use the certificate fields, either CN or SAN, because when Phase 2 is successful, the attributes contain only the user's certificate values.
When only phase 1 is successful, I can successfully retrieve the device's EntraID values and groups using the device certificate CN.
Therefore, I don't have any attributes (which I know) I can rely on to do the EntraID lookups for the device when Phase 1 & 2 are successful.
Have you faced a similar issue using TEAP-TLS with EntraID? Are there any attributes I can match between Entra ID and ClearPass to retrieve a device?