Security

  • 1.  Migrate Wired 802.1X GPO to Intune on Entra Hybrid Joined device

    Posted Oct 01, 2024 08:14 AM

    Hi everybody,

    I have an environment where my corporate devices use an 802.1X GPO to configure our wired NIC to authenticate against ClearPass. We migrated to Azure and therefore our corporate devices are now hybrid joined to Entra and can also be managed by Intune.

    Now I want to migrate my 802.1X GPO to an Intune policy, but I faced an issue. The Intune policy doesn't take precedence over the GPO and I need to remove the latter to make it work. But because I need to remove the GPO, my corporate devices lose the network, as the NIC is then not configured to do 802.1X and therefore can't retrieve the Intune policy. I can't just disable AAA on the switches as we are doing VLAN assignment and we don't want to reassign static VLANs on all switch ports.

    Has anyone faced the same situation, and how did you handle it without impacting the end user experience?

    Thanks in advance!



  • 2.  RE: Migrate Wired 802.1X GPO to Intune on Entra Hybrid Joined device

    Posted Oct 01, 2024 09:14 AM

    Hi

    Interesting issue! I have not faced the same problem but I have customers who have had hybrid clients and to my knowledge they have not run into any issues during the transition from AD managed to Intune managed.

    How do the clients connect to the network? Wireless, wired with docking station or internal NIC?

    I can see a few different ways to temporarily allow a client to do MAC authentication and temporarily get a role that gives Internet access, so it can get the Intune profiles after the GPO has been removed.

    One way is to utilize the option to remember previous roles in a service.

    If you enable this in the MAC auth service, the device will still have the roles assigned during the 802.1X authentication. If I remember correctly the cache time is 5 minutes, but I may be wrong on that.

    Another option is to create a custom attribute in the Endpoints database, write a time stamp to the MAC address, and allow MAC authentication during the same day or a similar interval.

    This is done in the same way as with Guest MAC caching.

    But only write to your custom attribute instead of the attribute MAC-Auth Expiry.

    Note: to be able to write the time stamp data in the correct format, [Time Source] must be added as an authorization source.

    If the GPO is removed and the client hasn't got the Intune profile yet, it can still get authenticated based on the time stamp for the MAC address and download the 802.1X profile from Intune. Assign a role as needed, maybe just Internet access.

    Hope this gives some inspiration.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
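The two fallback ideas in the reply above, modelled as decision logic (an added example written for this thread, not ClearPass code or any poster's configuration): a cached-role window after a successful 802.1X authentication, and a custom endpoint attribute holding the last 802.1X time stamp that permits MAC authentication for the rest of the same day. The 5-minute cache, the attribute name `Custom-Dot1x-Seen`, the role names and the MAC addresses are constructed assumptions.

```python
"""Model of the ClearPass fallback logic described in the thread (constructed
example, not ClearPass code): reuse the 802.1X role for a short cache window,
otherwise allow MAC auth with a limited role if the endpoint's custom
time stamp attribute is from the same calendar day."""
from datetime import datetime, timedelta

ROLE_CACHE_TTL = timedelta(minutes=5)   # "remember previous roles" window (assumed 5 min)
FALLBACK_ROLE = "internet-only"          # limited role so the client can reach Intune
DEFAULT_ROLE = "deny"

# Stand-in for the Endpoints database: MAC -> attributes (constructed sample data)
endpoints: dict[str, dict] = {}


def record_dot1x_success(mac: str, role: str, now: datetime) -> None:
    """Called after 802.1X succeeds: cache the assigned role and write the
    custom time stamp attribute ([Time Source] supplies 'now' in ClearPass)."""
    endpoints.setdefault(mac.lower(), {}).update({
        "last_role": role,
        "last_role_at": now,
        "Custom-Dot1x-Seen": now,   # custom attribute, deliberately not MAC-Auth Expiry
    })


def mac_auth_role(mac: str, now: datetime) -> str:
    """Decide the role for a MAC-auth request from a client that has lost its
    802.1X configuration (GPO removed, Intune profile not yet applied)."""
    attrs = endpoints.get(mac.lower())
    if attrs is None:
        return DEFAULT_ROLE                       # never seen via 802.1X: no fallback
    if now - attrs["last_role_at"] <= ROLE_CACHE_TTL:
        return attrs["last_role"]                 # option 1: cached 802.1X role
    if attrs["Custom-Dot1x-Seen"].date() == now.date():
        return FALLBACK_ROLE                      # option 2: same-day time stamp
    return DEFAULT_ROLE                           # stamp too old: treat as unknown


def demo() -> list[str]:
    """Run a constructed timeline and return the roles decided at each step."""
    t0 = datetime(2024, 10, 1, 8, 0)              # constructed 802.1X success time
    endpoints.clear()
    record_dot1x_success("AA:BB:CC:DD:EE:01", "corp-user", t0)
    return [
        mac_auth_role("aa:bb:cc:dd:ee:01", t0 + timedelta(minutes=3)),  # within cache
        mac_auth_role("aa:bb:cc:dd:ee:01", t0 + timedelta(hours=6)),    # same day
        mac_auth_role("aa:bb:cc:dd:ee:01", t0 + timedelta(days=1)),     # next day
        mac_auth_role("aa:bb:cc:dd:ee:02", t0),                         # unknown MAC
    ]
```

Note that option 1 alone covers only a few minutes after the last 802.1X success, so a device that is off the network when the GPO is removed depends on option 2.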



  • 3.  RE: Migrate Wired 802.1X GPO to Intune on Entra Hybrid Joined device

    Posted Oct 01, 2024 10:17 AM
    Edited by Exodius Oct 01, 2024 10:18 AM

    Hi Jonas,

    Thanks for your quick answer!

    So yes, I was focusing on wired 802.1X here, but in fact there is the same policy on the WLAN. The users are connecting their laptops to the LAN either directly to the NIC or with a docking station; there is no rule for that.

    I was thinking about doing MAC authentication in the meantime, like you mentioned, but I was hoping that there is maybe a more transparent approach allowing us to keep 802.1X from start to end.

    I was also thinking about doing the LAN and WLAN separately. It's going to work for the LAN because the Wi-Fi will always be a backup link (depending on the coverage of course, but let's say we are at 100%), but for the WLAN there is no backup if the user is mobile when the GPO drops (he will need to find an Ethernet port to retrieve his network and hope the Intune policy syncs quickly, which is not the best advertisement for the solution...).

    Maybe the issue is on the MDM side, but I can't really see another way to configure it on Intune. We are using TEAP; maybe it could be linked to that, as our DCs didn't know this method (Windows Server 2016), so we are using XML for the GPO, and that's maybe why Intune is not taking precedence over the GPO.




  • 4.  RE: Migrate Wired 802.1X GPO to Intune on Entra Hybrid Joined device

    Posted Oct 01, 2024 10:39 AM

    I don't have a really good answer on how to solve this situation.

    But I also think you have to use XML to configure TEAP in Intune, for either wireless or wired. At least that was the case last time I checked, but I'm a bit unsure whether it was the wired or the wireless configuration.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 5.  RE: Migrate Wired 802.1X GPO to Intune on Entra Hybrid Joined device

    Posted Oct 01, 2024 11:16 AM

    Yes, exactly; we are also using XML on Intune, as the templates are kind of incomplete at the moment for TEAP.

    Thanks again, Jonas, for your help.