Here is my device query:
... where I query based on the AAD_DeviceID, which I store in the Subject Location (Subject-L) field in the certificate:
device:devices?$select=id,deviceId,displayName,approximateLastSignInDateTime,enrollmentType&$filter=deviceId eq %{Certificate:Subject-L};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
The example in the documentation used the displayName to look up the device instead of the deviceId. Any available identifier would work, and what helped me a lot is to use Postman to test the Graph API queries to find the available attributes (also to be used as filter) and the exact internal/API names of those, which don't always match up with what is displayed in the Entra ID web interface.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
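To show how the two named queries in that filter chain together (the first query's result supplies %{device:id} to the second, and an attribute that is missing in the current phase fails the lookup), here is an added Python walkthrough; it is not Herman's code or ClearPass's implementation. It assumes the Graph v1.0 base URL, replaces the network with a constructed fake Graph response, and adds a GUID check on Subject-L before the value is spliced into the OData $filter.

```python
import re

# ClearPass Entra ID filter from the post: "name:<Graph path>" queries joined by ';'.
CLEARPASS_FILTER = (
    "device:devices?$select=id,deviceId,displayName,approximateLastSignInDateTime,"
    "enrollmentType&$filter=deviceId eq %{Certificate:Subject-L};"
    "deviceGroups:devices/%{device:id}/memberOf?$select=displayName"
)
GRAPH_BASE = "https://graph.microsoft.com/v1.0/"  # assumed Graph endpoint
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PLACEHOLDER_RE = re.compile(r"%\{([^}]+)\}")

def parse_filter(filter_text):
    # Ordered list of (query name, Graph path); later queries may use earlier results.
    return [tuple(s.strip() for s in part.split(":", 1)) for part in filter_text.split(";")]

def render_path(path, attrs):
    """Substitute %{ns:attr} placeholders from the ClearPass attribute dict."""
    def sub(m):
        if m.group(1) not in attrs:
            raise KeyError(f"attribute {m.group(1)} is not available in this phase")
        return attrs[m.group(1)]
    return PLACEHOLDER_RE.sub(sub, path)

def resolve_queries(filter_text, attrs, graph_get):
    """Run queries in order; a single-row result exposes its fields as name:field."""
    attrs = dict(attrs)
    # Subject-L is spliced into an OData $filter, so accept only a GUID-shaped value.
    if not GUID_RE.match(attrs.get("Certificate:Subject-L", "")):
        raise ValueError("Certificate Subject-L is not an Entra device id GUID")
    results = {}
    for name, path in parse_filter(filter_text):
        rows = graph_get(GRAPH_BASE + render_path(path, attrs)).get("value", [])
        results[name] = rows
        if len(rows) == 1:
            attrs.update({f"{name}:{k}": str(v) for k, v in rows[0].items()})
    return results

# Constructed stand-in for Graph (no network); a real client would percent-encode the URL.
FAKE_DEVICE_ID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"
FAKE_OBJECT_ID = "8d4b5a11-1111-4c2e-9f1e-22222222abcd"
def fake_graph_get(url):
    if f"$filter=deviceId eq {FAKE_DEVICE_ID}" in url:
        return {"value": [{"id": FAKE_OBJECT_ID, "deviceId": FAKE_DEVICE_ID, "displayName": "LAPTOP-01"}]}
    if f"devices/{FAKE_OBJECT_ID}/memberOf" in url:
        return {"value": [{"displayName": "Corp-Laptops"}, {"displayName": "WiFi-Devices"}]}
    return {"value": []}

def device_group_names(subject_l, graph_get=fake_graph_get):
    res = resolve_queries(CLEARPASS_FILTER, {"Certificate:Subject-L": subject_l}, graph_get)
    return [g["displayName"] for g in res["deviceGroups"]]
```

With an unknown but well-formed deviceId the first query returns no row, so %{device:id} is never populated and the second query fails with KeyError, which is the same class of failure Exodius describes when the device attributes are absent after Phase 2.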
------------------------------
Original Message:
Sent: Jul 25, 2024 07:15 AM
From: aruba_tech
Subject: EntraID device lookup with TEAP
Hi Herman,
I am trying to configure the EAP-TLS with EntraID as authorization source.
If I choose Entra ID as the type under auth source, I see only user group query attributes. Could you please post the filter query for a device with attributes and a sample role mapping/enforcement?
------------------------------
KK
Original Message:
Sent: Jul 18, 2024 07:52 AM
From: Herman Robers
Subject: EntraID device lookup with TEAP
If you use Intune to enroll your certificates, you can easily add the Entra ID device id (or another field/attribute to select the device on) in the user certificate and have it available for lookup. That's what I have done, and it works.
------------------------------
Herman Robers
Original Message:
Sent: Jul 18, 2024 06:18 AM
From: Exodius
Subject: EntraID device lookup with TEAP
Hi guys,
I'm currently facing an issue using TEAP with certificates with EntraID authorization lookups.
To keep it short, when TEAP Phase 1 and 2 are successful, I need to retrieve the user AND device AD groups for my authorization policies. I don't have any problem with the user, but I can't do it with the device, as the TEAP-Phase-1-Username is truncated in the computed attributes (like the sAMAccountName format: 15 characters + $, and there is no sAMAccountName equivalent in EntraID), and I can't use the certificate fields, either CN or SAN, because when Phase 2 is successful the attributes contain only the user's certificate values.
When only phase 1 is successful, I can successfully retrieve the device's EntraID values and groups using the device certificate CN.
Therefore, I don't have any attributes (which I know) I can rely on to do the EntraID lookups for the device when Phase 1 & 2 are successful.
Have you faced a similar issue using TEAP-TLS with EntraID? Are there any attributes I can match between Entra ID and ClearPass to retrieve a device?