Security

  • 1.  Intune Integration decision

    Posted Jul 14, 2023 05:23 AM

    Hello,

    I'm a little stuck on the best way to recognize Azure registered company devices for the appropriate role and enforcement allocation.

    All the company devices are registered in Azure and we want to use that info for the correct enforcement.

    Authentication/Authorization via On-Prem AD is not a problem, but for device recognition, Azure is needed. We've installed the Microsoft Intune extension v6.0.3 and use the Azure attributes for authorization. I do not have or use an Azure HTTP authorization source.

    The Intune extension works and for many devices the Azure attributes are available. However, if devices connect to the network by cable via different network adapters (USB/Docking Station), the Azure attributes are not always available and the enforcement is not correct.

    I have a colleague who is specialized in Azure, and he has been working on the Intune extension for some time, but we're not really getting anywhere. We are still not able to recognize a device which is registered in Intune through a different network adapter.

    I have seen that there are several threads regarding "ClearPass Intune Integration," which talk about certain IDs in the certificate on which recognition can be done. We don't do anything with certificates on devices here (yet), but for wifi I want to switch from EAP-PEAP to EAP-TLS.

    What should be my way to go?



  • 2.  RE: Intune Integration decision

    Posted Jul 17, 2023 05:53 AM

    The issue that you see lies in the point that Intune only exposes the wireless MAC address through the API, and the ClearPass extension uses that wireless MAC address to store Intune data in the endpoint database. That means that only if the client connects to the network with its registered WLAN MAC address, and has MAC randomization disabled, this integration works well. Because making security decisions on a MAC address, which is easily spoofable, is not recommended, your idea to move to EAP-TLS would solve your issue if you configure Intune to enroll the clients with a certificate and you authenticate on the Intune DeviceID instead of the MAC address. That certificate would then be used both for wireless and wired, and you can extract the information from the endpoint database independent from the MAC address.

    Here is a presentation from a local Atmosphere event that describes the configuration of the Intune-AzureAD-ClearPass-EAP-TLS combination (first document in the list, or search for Azure AD; Intune is abbreviated because of the long filename).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
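The lookup problem Herman describes above, as an added Python model; this is not code from the thread, from ClearPass or from the Intune extension. It assumes a constructed Intune sync that carries only a Wi-Fi MAC per device (placeholder device IDs, not real Intune identifiers), normalizes MAC formats before keying the endpoint database, flags locally administered (randomized) MACs, and shows why a docking-station adapter never matches, while a lookup on a device ID carried in the client certificate's SAN does (the `urn:intune:deviceid:` SAN URI form is a constructed convention, not a documented Intune format):

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class EndpointRecord:
    hostname: str
    intune_device_id: str
    compliant: bool

# Constructed sample of what the Intune sync hands the extension: only the
# Wi-Fi MAC per device, as the thread describes. Device IDs are made-up
# placeholders, not real Intune identifiers.
INTUNE_SYNC = [
    {"hostname": "LAPTOP-A", "wifi_mac": "3C-22-FB-10-20-30",
     "device_id": "11111111-1111-4111-8111-111111111111", "compliant": True},
    {"hostname": "LAPTOP-B", "wifi_mac": "3c:22:fb:aa:bb:cc",
     "device_id": "22222222-2222-4222-8222-222222222222", "compliant": False},
]

# Constructed SAN URI convention for carrying the device ID (assumption).
SAN_URI_PREFIX = "URI:urn:intune:deviceid:"


def normalize_mac(mac: str) -> str:
    """Accept 3C-22-FB-10-20-30, 3c:22:fb:aa:bb:cc or 3c22.fb10.2030 and
    return 12 lowercase hex digits, so sync data and RADIUS attributes key
    the same record regardless of separator style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered address;
    OS-level MAC randomization sets it, so such a MAC will never be in
    the Intune sync."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def build_endpoint_db(sync: list[dict]) -> tuple[dict, dict]:
    """Index the sync both by Wi-Fi MAC (what the extension can do today)
    and by Intune device ID (what a certificate-based lookup needs)."""
    by_mac, by_device_id = {}, {}
    for d in sync:
        rec = EndpointRecord(d["hostname"], d["device_id"], d["compliant"])
        by_mac[normalize_mac(d["wifi_mac"])] = rec
        by_device_id[d["device_id"]] = rec
    return by_mac, by_device_id


def lookup_by_mac(by_mac: dict, client_mac: str) -> tuple[Optional[EndpointRecord], str]:
    """MAC-keyed lookup: fails for a dock/USB adapter or a randomized MAC."""
    key = normalize_mac(client_mac)
    if key in by_mac:
        return by_mac[key], "matched Wi-Fi MAC"
    if is_locally_administered(key):
        return None, "no match: locally administered (likely randomized) MAC"
    return None, "no match: MAC not in Intune sync (wired/dock adapter?)"


def device_id_from_san(san_entries: list[str]) -> Optional[str]:
    """Pull the device ID out of the parsed SAN list of an EAP-TLS client cert."""
    for entry in san_entries:
        if entry.startswith(SAN_URI_PREFIX):
            return entry[len(SAN_URI_PREFIX):]
    return None


def lookup_by_certificate(by_device_id: dict, san_entries: list[str]) -> tuple[Optional[EndpointRecord], str]:
    """Device-ID-keyed lookup: independent of whichever adapter is in use."""
    dev_id = device_id_from_san(san_entries)
    if dev_id is None:
        return None, "no device id in certificate SAN"
    rec = by_device_id.get(dev_id)
    if rec is None:
        return None, "device id not in endpoint DB"
    return rec, "matched Intune device id"


def decide_enforcement(rec: Optional[EndpointRecord]) -> str:
    """Map the lookup result to a role: unknown devices get the guest role."""
    if rec is None:
        return "Guest"
    return "Corporate" if rec.compliant else "Quarantine"


if __name__ == "__main__":
    by_mac, by_id = build_endpoint_db(INTUNE_SYNC)
    for mac in ("3c:22:fb:10:20:30", "00-50-B6-AA-BB-CC", "B2:11:22:33:44:55"):
        rec, why = lookup_by_mac(by_mac, mac)
        print(f"{mac:20} -> {decide_enforcement(rec):10} ({why})")
    san = ["DNS:laptop-a.example.internal",
           "URI:urn:intune:deviceid:11111111-1111-4111-8111-111111111111"]
    rec, why = lookup_by_certificate(by_id, san)
    print(f"{'EAP-TLS cert':20} -> {decide_enforcement(rec):10} ({why})")
```

The same LAPTOP-A lands in the Corporate role when it arrives on its Wi-Fi MAC, falls to Guest when it arrives on a dock adapter or a randomized MAC, and is Corporate again when the role is derived from the device ID in its certificate, which is the point of keying enforcement on the certificate rather than on the MAC.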



  • 3.  RE: Intune Integration decision

    Posted Jul 17, 2023 09:16 AM
    Edited by bosborne Jul 17, 2023 09:16 AM

    My understanding of the Docs is that in extension v6, the Ethernet address is available again. I do not use the extension but have been researching it.

    "As noted below, Intune Extension v5 made a major move to use Microsoft GraphAPI. However, we encountered an issue with GraphAPI when syncing with Intune to retrieve device attributes as it did not support pulling the Ethernet MAC address attribute (wired interface). We addressed this with a workaround that utilizes real-time lookup by Intune device ID to pull the Ethernet MAC address attribute and have it stored in the endpoint DB. Please refer to the section "Utilizing HTTP Authorization Mode to Retrieve Specific Device Attributes" for more details"

    From here



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: Intune Integration decision

    Posted Jul 17, 2023 04:52 PM

    Hello Bruce,

    Your response is appreciated as well.

    As Intune Extension v6 adheres to the main requirement to use certificate-based authentication, we will address this.




  • 5.  RE: Intune Integration decision

    Posted Jul 17, 2023 04:41 PM

    Hello Herman,

    Thanks for your response, those presentations provide a lot of information.

    I will look into EAP-TLS authentication. My clients are Azure/Intune registered clients.

    I am not very familiar with Azure, and will also ask my colleague if certs are automatically provided when clients are registered with Azure/Intune.

    My customer also has an OnBoard license, in which we can use ClearPass as the CA, but I guess it's probably more convenient to use Azure/Intune certs.