View Only
last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Intune Extension - Performance Issues

This thread has been viewed 17 times
  • 1.  Intune Extension - Performance Issues

    Posted Apr 22, 2024 12:24 PM

    Hi everyone - Does anyone know  a way to increase the performance of the realtime Intune authorizations in the extension?  We are noticing a tremendous amount of queries out to Intune and sometimes a delay of 5+ seconds when waiting for a response.  I noticed in the configuration

       "enableEndpointCache": true,
        "endpointCacheTimeSeconds": 900,

    Would there be a way to adjust any value here?  I mean the delays could also just be our network as well....we are trying to pinpoint.

    ALso, we were thinking about using EAP-TLS only without authorization, but I do not know if that is a good approach from a security standpoint.  Any assistance would be helpful...thanks!

  • 2.  RE: Intune Extension - Performance Issues

    Posted 30 days ago

    You can change the endpoint cache if you like but that just affects "real-time lookups".  If you are using a HTTP source in CPPM that is pointing to your extension then this cache will come into play.

    You can also do authorization against the endpoint database and that doesn't have to do a call out to Intune.  This comes with some pros/cons, so test it to see if it fits your needs.

    The other thing that can cause performance issues with Intune lookups is when your extension is doing a sync and how it is syncing.  There are a bunch of options that can be changed in the config that could help you out:

    "endpointCacheTimeSeconds" - How long data is cached for "real-time lookups".  The higher this value, the less the extension will need to reach out to Intune.
    "enableSyncAll" - true/false - do you want to periodically sync endpoints to the cache and endpoint database 
    "syncAllSchedule" - when to run the endpoint sync.  Running this often will add load to your CPPM server but keep the cache up to date.
    "syncUpdatedOnly" - True will cause less load but your cache will not get updated as often.

    All of the above are in the intune integration guide and you can adjust and test to see what works best for your environment.

    Personally what I have set and works well for us (do not just copy my settings - you need to test what works in your environment):
    Publisher config:
         "enableSyncAll": false,
        "syncAllSchedule": "0 * * * *",
        "syncUpdatedOnly": false,
        "syncAllOnStart": true,
        "enableEndpointCache": true,
        "endpointCacheTimeSeconds": 86400,

    Standby publisher config:
        "enableSyncAll": true,
        "syncAllSchedule": "30 * * * *",
        "syncUpdatedOnly": false,
        "syncAllOnStart": true,
        "enableEndpointCache": true,
        "endpointCacheTimeSeconds": 900,
        "intuneAttributes": null,
        "enableUserGroups": false,
        "userGroupUpdateSchedule": "30 * * * *",

    I send all radius requests to the publisher as primary and do not load balance requests between my radius servers.

    The publisher does not do a periodic sync with Intune.  I do a periodic sync with with the standby publisher that does not handle radius requests unless the publisher is down.

    I used an HTTP source with real time lookup to the Intune extension.  I also have a Entra ID source to do a user/group lookup as well.  I have the cache lookup for the Entra ID user lookup set to 600seconds.

    "ALso, we were thinking about using EAP-TLS only without authorization, but I do not know if that is a good approach from a security standpoint.  Any assistance would be helpful...thanks!"

    This is up to you and what you want to accomplish.  If you are doing OCSP check on your certs then I see no issue from a security standpoint.

    This would not work for me as I have quite a few Aruba-Roles depending on the machine/user.  I also have machine-auth only role setup - If there is only a cert signed by our CA and the user doesn't return from the Entra ID lookup, it will get a machine-auth role.  If the cert is signed by our CA and I can lookup the Entra user, then I will give a default user-role or another user-role based on the Azure Group they are part of.  (That is the basics of my setup but a lot more smaller details.)

    I can not tell you what is right or wrong for your environment.  Just depends on what your needs are.

  • 3.  RE: Intune Extension - Performance Issues

    Posted 30 days ago

    I saw a similar issue some time ago, and there the issue was that the primary DNS server was not reachable/responding to ClearPass.

    The realtime lookup will go to Entra ID/Intune every time, if the IP for Azure is not known, ClearPass (extension) will do a DNS lookup. If the primary DNS is not responding, it wall fallback to the second DNS and then cache the result for some time. Till the DNS timeout occurs, and then there is again a timeout.

    This may be the same issue....

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.