Your response is appreciated as well.
Original Message:
Sent: Jul 17, 2023 09:16 AM
From: bosborne
Subject: Intune Integration decision
My understanding of the Docs is that in extension v6, the Ethernet address is available again. I do not use the extension but have been researching it.
"As noted below, Intune Extension v5 made a major move to use Microsoft GraphAPI. However, we encountered an issue with GraphAPI when syncing with Intune to retrieve device attributes as it did not support pulling the Ethernet MAC address attribute (wired interface). We addressed this with a workaround that utilizes real-time lookup by Intune device ID to pull the Ethernet MAC address attribute and have it stored in the endpoint DB. Please refer to the section "Utilizing HTTP Authorization Mode to Retrieve Specific Device Attributes" for more details"
From here
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Jul 17, 2023 05:52 AM
From: Herman Robers
Subject: Intune Integration decision
The issue that you see lies in the point that Intune only exposes the wireless MAC address through the API, and the ClearPass extension uses that wireless MAC address to store Intune data in the endpoint database. That means that this integration only works well if the client connects to the network with its registered WLAN MAC address and has MAC randomization disabled. Because making security decisions on a MAC address, which is easily spoofable, is not recommended, your idea to move to EAP-TLS would solve your issue if you configure Intune to enroll the clients with a certificate and you authenticate on the Intune DeviceID instead of the MAC address. That certificate would then be used for both wireless and wired, and you can extract the information from the endpoint database independent of the MAC address.
Here is a presentation from a local Atmosphere event that describes the configuration of the Intune-AzureAD-ClearPass-EAP-TLS combination (first document in the list, or search for Azure AD; Intune is abbreviated because of the long filename).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
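The decision logic described in the reply above, written out as an added example in Go (this is not code from the thread, from Aruba or from Microsoft): the EAP-TLS client is authorized on the Intune Device ID carried in its certificate, so the endpoint DB record the extension stored under the WLAN MAC is still found when the laptop comes in through a docking-station NIC with a different MAC. Everything the thread does not state is an assumption and is marked as such in the code: that the Intune SCEP/PKCS profile writes {{DeviceId}} into the certificate SAN as a URI of the form IntuneDeviceId://<guid>, the toy endpoint DB shape and its 12-hex-digit lowercase MAC key format, the placeholder role names, and the constructed GUID and MAC addresses. The certificate is generated self-signed inside the example rather than issued by the Intune CA, so chain validation is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ASSUMPTION: the Intune SCEP/PKCS profile writes {{DeviceId}} into the SAN as a
// URI of the form IntuneDeviceId://<guid>; match this to your own profile.
const intuneSANScheme = "intunedeviceid"

// SampleDeviceID is a constructed Intune Device ID; it belongs to no real device.
const SampleDeviceID = "7f3c1a9e-2b4d-4e6f-8a10-c2d3e4f5a6b7"

// EndpointDB mimics the extension's endpoint DB: Intune Device ID keyed by the
// one MAC Intune reported for the device (its WLAN MAC).
type EndpointDB map[string]string

// SampleDB is a constructed DB with one laptop known only by its WLAN MAC.
var SampleDB = EndpointDB{NormalizeMAC("a4:34:d9:11:22:33"): SampleDeviceID}

// NormalizeMAC folds colon, hyphen and dot notations into the 12-hex-digit
// lowercase key form assumed here; db[NormalizeMAC(mac)] is the MAC-keyed path.
func NormalizeMAC(mac string) string {
	return strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(strings.TrimSpace(mac)))
}

// ExtractIntuneDeviceID returns the GUID from the IntuneDeviceId SAN URI; zero or
// several such URIs are rejected so a crafted certificate cannot offer two identities.
func ExtractIntuneDeviceID(cert *x509.Certificate) (string, error) {
	var ids []string
	for _, u := range cert.URIs {
		if strings.EqualFold(u.Scheme, intuneSANScheme) && u.Host != "" {
			ids = append(ids, strings.ToLower(u.Host))
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one IntuneDeviceId SAN URI, found %d", len(ids))
	}
	return ids[0], nil
}

// AuthorizeEAPTLS decides the role from the certificate alone; the calling MAC is
// only echoed into the audit reason. Role names are placeholders. Chain validation
// against the Intune-issuing CA is omitted only because the example cert is self-signed.
func AuthorizeEAPTLS(db EndpointDB, certDER []byte, callingMAC string) (role, reason string) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "Deny", "unparsable certificate: " + err.Error()
	}
	id, err := ExtractIntuneDeviceID(cert)
	if err != nil {
		return "Unknown-Device", err.Error()
	}
	reason = fmt.Sprintf("device %s seen from mac %s", id, NormalizeMAC(callingMAC))
	for _, stored := range db { // match the stored Intune Device ID, not the MAC key
		if strings.EqualFold(stored, id) {
			return "Corporate", reason + ": matched by device ID, MAC ignored"
		}
	}
	return "Unknown-Device", reason + ": not in endpoint DB"
}

// MakeDeviceCert builds a self-signed stand-in for an Intune-issued client
// certificate; an empty deviceID yields one without the SAN URI.
func MakeDeviceCert(deviceID, deviceName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: deviceName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if deviceID != "" {
		tmpl.URIs = []*url.URL{{Scheme: "IntuneDeviceId", Host: deviceID}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := MakeDeviceCert(SampleDeviceID, "LAPTOP-01")
	if err != nil {
		panic(err)
	}
	// Constructed MACs: the laptop's WLAN adapter, then a docking-station NIC.
	for _, mac := range []string{"A4-34-D9-11-22-33", "00:e0:4c:aa:bb:cc"} {
		_, byMAC := SampleDB[NormalizeMAC(mac)]
		role, reason := AuthorizeEAPTLS(SampleDB, der, mac)
		fmt.Printf("%-18s mac-lookup=%-5v eap-tls=%s (%s)\n", mac, byMAC, role, reason)
	}
}
```

Running it shows the MAC-keyed lookup finding the laptop only from its WLAN MAC, while the certificate path returns the same role from both adapters. In ClearPass terms this is the difference between keying the Intune attributes on the calling station MAC and matching the certificate's SAN value against the Intune Device ID stored in the endpoint repository; the certificate also has to chain to the CA Intune enrolls against, which the self-signed stand-in here cannot demonstrate.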
Original Message:
Sent: Jul 14, 2023 05:22 AM
From: jeepee
Subject: Intune Integration decision
Hello,
I'm a little stuck on the best way to recognize Azure registered company devices for the appropriate role and enforcement allocation.
All the company devices are registered in Azure and we want to use that info for the correct enforcement.
Authentication/Authorization via On-Prem AD is not a problem, but for device recognition, Azure is needed. We've installed the Microsoft Intune extension v6.0.3 and use the Azure attributes for authorization. I do not have or use an Azure HTTP authorization source.
The Intune extension works and for many devices the Azure attributes are available. However, if devices connect to the network by cable via different network adapters (USB/Docking Station), the Azure attributes are not always available and the enforcement is not correct.
I have a colleague who is specialized in Azure, and he has been working on the Intune extension for some time, but we're not really getting anywhere. We are still not able to recognize a device which is registered in Intune through a different network adapter.
I have seen that there are several threads regarding "ClearPass Intune Integration," which talk about certain IDs in the certificate on which recognition can be done. We don't do anything with certificates on devices here (yet), but for wifi I want to switch from EAP-PEAP to EAP-TLS.
What should be my way to go?