Security


Intune Clearpass Extension and MAC address randomization

  • 1.  Intune Clearpass Extension and MAC address randomization

    Posted Nov 14, 2024 05:55 PM
    Edited by youngc Nov 14, 2024 06:00 PM

    Hi,

    I'm having issues with devices that have MAC address randomization turned on. According to the logs, the username presented can't be found; the username is the Microsoft Entra Device ID. If I turn off randomization, the devices can connect just fine. When I do a lookup in Configuration -> Identity -> Endpoints and filter attribute for Intune Azure AD Device Id, the devices do exist. This is how the service Authentication and Authorization tabs are set up:

    And here is how the Intune HTTP authentication source is set up:

    Not sure if I missed something in the Intune extension guide. The certificate is set up to have the subject name as the Microsoft Entra Device ID, and I also added the Intune Device ID as a URI attribute.



  • 2.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 09:46 AM

    What instructions were you following to set up the integration?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 12:46 PM

    I used the integration guide from Aruba. 

    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00112290en_us




  • 4.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 12:48 PM

    You'll want to look at something more current.

    https://www.arubanetworks.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 05:55 PM

    I made some changes; below is now my new PKCS config.

    I also updated the HTTP source:

    This is the access tracker log




  • 6.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 06:07 PM

    You're still trying to authenticate based on the username from the certificate which isn't how this process works.  The certificate gets validated (validity period, trust chain) and then you authorize the session based on the relevant attributes.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 06:19 PM
    Edited by youngc Nov 15, 2024 06:20 PM

    Are you able to point me to the right direction on how I can change that? I am not too familiar with the ins and outs of Clearpass.

    This is my current authentication method:




  • 8.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 15, 2024 06:57 PM

    https://youtu.be/OrrXgnTH_Qw?si=G2hy5VBoOJ_dXIou

    I think this video covers the service creation.  Although dated and the extension has changed some since then, the general idea should still be there.

    First and foremost item: "Authorization Required" needs to be disabled in the auth method.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 18, 2024 08:13 AM

    Can you check in Access Tracker if the Certificate:Subject-AltName-URI is there? It may not be there because of the already mentioned 'Authorization Required', but it may also be that a wrong client certificate is used.

    Normally 'failed to construct path from' (in the access tracker detailed logs) means that the attribute is not available. It may also be a mismatch between what you see in Access Tracker and what is in the query, which is why I tend to copy the attribute name from Access Tracker and paste it in the query.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Intune Clearpass Extension and MAC address randomization

    Posted Nov 19, 2024 05:55 PM

    I finally figured out the issue with TAC's help.

    The role mapping policy was using the "Endpoints" database instead of the HTTP Intune source, which made a lot of sense, since that MAC address does not have the attributes.

    As soon as I changed it to this, it started working:
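The flow described in replies 6 and 10 (validate the client certificate first, then authorize the session by an attribute carried in the certificate rather than by the client MAC) is illustrated below as an added, self-contained example. It is not ClearPass code and not part of the thread: it builds a constructed CA and device certificate with the `cryptography` library, checks validity period and trust chain, extracts the Intune device ID from the Subject-AltName-URI, and then shows why a role-mapping lookup keyed on a randomized MAC fails while a lookup keyed on the certificate attribute succeeds. The `IntuneDeviceId://` URI prefix, the device IDs, MAC addresses and the two lookup tables are all constructed sample data.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

URI_PREFIX = "IntuneDeviceId://"  # assumed SAN URI format, constructed for this example


def _validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def make_cert(subject_cn, issuer=None, san_uri=None, days_valid=1, is_ca=False):
    """Build a constructed certificate; self-signed when issuer is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=2 if days_valid < 0 else 0, minutes=5))
               .not_valid_after(now + datetime.timedelta(days=days_valid))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san_uri:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.UniformResourceIdentifier(san_uri)]), critical=False)
    return key, builder.sign(issuer_key, hashes.SHA256())


def validate_cert(cert, ca_cert):
    """Authentication step: validity period and trust chain only, no identity lookup."""
    now = datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False, "certificate outside validity period"
    if cert.issuer != ca_cert.subject:
        return False, "issuer does not match trusted CA"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False, "signature does not chain to trusted CA"
    return True, "ok"


def san_uri_device_id(cert):
    """Extract the Intune device ID from the Certificate:Subject-AltName-URI attribute."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for uri in san.get_values_for_type(x509.UniformResourceIdentifier):
        if uri.startswith(URI_PREFIX):
            return uri[len(URI_PREFIX):]
    return None


# Constructed lookup tables standing in for the two authorization sources in the thread.
ENDPOINTS_DB = {"aa:bb:cc:dd:ee:01": {"compliant": True}}          # keyed by hardware MAC
INTUNE_SOURCE = {"11111111-2222-3333-4444-555555555555": {"compliant": True}}  # keyed by device ID


def authorize(cert, ca_cert, client_mac, source):
    """Authorization step: choose a role from the selected source, as role mapping would."""
    ok, reason = validate_cert(cert, ca_cert)
    if not ok:
        return "[Deny]", reason
    if source == "endpoints":
        record = ENDPOINTS_DB.get(client_mac.lower())
        key = client_mac
    elif source == "intune":
        key = san_uri_device_id(cert)
        record = INTUNE_SOURCE.get(key) if key else None
    else:
        raise ValueError("unknown source")
    if record is None:
        return "[Deny]", "failed to construct path from %s (attribute not available)" % key
    return ("Compliant-Device" if record["compliant"] else "Non-Compliant"), "ok"


if __name__ == "__main__":
    ca_key, ca_cert = make_cert("Constructed Intune CA", is_ca=True)
    dev_id = "11111111-2222-3333-4444-555555555555"
    _, dev_cert = make_cert("entra-device-id-placeholder", issuer=(ca_key, ca_cert),
                            san_uri=URI_PREFIX + dev_id)
    randomized_mac = "de:ad:be:ef:00:42"  # constructed: not in the Endpoints DB
    print("endpoints:", authorize(dev_cert, ca_cert, randomized_mac, "endpoints"))
    print("intune:   ", authorize(dev_cert, ca_cert, randomized_mac, "intune"))
```

The decisive difference is the lookup key: the Endpoints database is indexed by the MAC the client happens to present, so a randomized address never matches, whereas the Intune source is indexed by the device ID that the certificate carries in its SAN URI and is therefore unaffected by randomization. The lookup is attempted only after the validity and chain checks pass, which is the order reply 6 describes.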