ClearPass Intune Extension - Authorization for Android device

  • 1.  ClearPass Intune Extension - Authorization for Android device

    Posted Dec 05, 2019 08:22 PM

    We've set up Intune with NDES and an on-prem PKI to issue User Certificates to Intune enrolled devices.

     

    This is working great for Windows 10 devices, and we are using the Intune extension to check that a device is Managed, Corporate owned and compliant.

     

    We are having an issue with Android devices registered in Intune - they are visible in Intune, and are showing as compliant etc, but for some reason the extension isn't able to find them.

     

    The only difference between the devices in Intune that I can see is that the MAC address for Android devices is in the format AA:BB:CC:DD:EE:FF, whereas Windows devices are AABBCCDDEEFF.

     

    The Filter query in the Intune HTTP auth source is as follows, but there is no 'Upper Case with Colon Delimiter' option we can use.

     

    ?macAddress=%{Connection:Client-Mac-Address-NoDelim}

     

    Unfortunately the DEBUG logs from the extension don't shed much light on this.

     

    Has anyone been able to use the extension for Android devices successfully before?

     




  • 2.  RE: ClearPass Intune Extension - Authorization for Android device

    EMPLOYEE
    Posted Dec 05, 2019 08:35 PM

    Checking with Microsoft. This seems to be new behavior.



  • 3.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Dec 17, 2019 04:01 PM

    We logged a support ticket with Microsoft, they pointed us to this article which says Android devices aren't supported with what looks like the Intune API that the ClearPass extension uses - can anyone confirm?

     


     

    https://docs.microsoft.com/en-us/intune/protect/network-access-control-integrate



  • 4.  RE: ClearPass Intune Extension - Authorization for Android device

    EMPLOYEE
    Posted Dec 18, 2019 10:40 AM

    That should not be related to your issue. We're still awaiting a response from Intune engineering.



  • 5.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Jan 05, 2020 03:59 PM

    Hi there 

    Do you have the MS ticket number, I could try and escalate from my end as I have the same issue?

    Thank you



  • 6.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Feb 14, 2020 04:11 AM

    Hello,

     

    I have the same issue.

    But for an inexplicable reason, it works for few Androids.

     

    Can you please also share the MS ticket in order to escalate on my own?

     

    Regards,

    Blaise D.



  • 7.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Sep 18, 2020 03:16 PM

    Any news on this? What was the solution?

    We have the exact same behaviour for over 1k new iPads.



  • 8.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Sep 18, 2020 04:22 PM

    Hugo,

     

    So a reveal at the end of this post.

     

    I missed this original thread..... reading through all of the comments, where do you fit into the above?

     

    mac-address format?

    new-devices working v not?

     

    Spoiler
    I've a new v5 Intune integration coming GA on Sept 30th 2020. This new version uses a different API {GraphAPI} and adds a lot of new functionality, e.g. the ability to pre-ingest all endpoints into CPPM like every other UEM/MDM vendor, plus new workflows and, due to the new APIs, changes to some of the old workflows as well. Customers will need to review the guide.


  • 9.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Sep 21, 2020 03:04 AM

    It seems the issue appears when MAC randomization is enabled on the mobile. By disabling it, the problem is solved for each Android.

     



  • 10.  RE: ClearPass Intune Extension - Authorization for Android device

    Posted Sep 21, 2020 09:19 AM

    @dannyjump, the behavior is the same: the device makes the query to Intune, the device is in Intune, ClearPass doesn't find the device in Intune.

    I don't see a format mismatch though. Even the logs in the extension look fine, like this:

    [2020-09-18T15:33:35.668] [DEBUG] intune - Querying Intune at https://fef.msua06.manage.microsoft.com/StatelessNACService/devices
    [2020-09-18T15:33:40.739] [DEBUG] intune - Request received. /?macAddress=58e6bad7b444
     
    What we found is a similar setting on the iPad about Wi-Fi privacy, but said setting is only available after you are connected to the SSID.
    It's just a feeling, but I'm thinking it's a new iOS feature that is causing us trouble. I'm still looking.
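
An added example, not part of any post above and not ClearPass or Intune code: a Python check that covers both causes raised in the thread, the delimiter difference from post 1 and the MAC randomization from post 9, by normalizing each MAC queried in the extension DEBUG log and testing its locally-administered bit. The function names, the third log line and the inventory list are constructed for illustration.

```python
import re

# Pulls the macAddress value out of extension DEBUG lines like the one in post 10.
MAC_PARAM = re.compile(r"macAddress=([0-9A-Fa-f:.\-]+)")

def normalize_mac(raw):
    """Reduce AA:BB:CC:DD:EE:FF, aa-bb-.., aabb.ccdd.eeff or AABBCCDDEEFF to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def with_colons(raw):
    """Upper case with colon delimiter, the form post 1 reports for Android records."""
    d = normalize_mac(raw).upper()
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(raw):
    """True when bit 0x02 of the first octet is set, as randomized (private) MACs do."""
    return bool(int(normalize_mac(raw)[:2], 16) & 0x02)

def audit_queries(log_lines, inventory):
    """Per queried MAC: (colon form, matches inventory after normalizing, looks randomized)."""
    known = {normalize_mac(m) for m in inventory}
    report = []
    for line in log_lines:
        match = MAC_PARAM.search(line)
        if match is None:
            continue  # not a query line
        mac = normalize_mac(match.group(1))
        report.append((with_colons(mac), mac in known, is_locally_administered(mac)))
    return report

# First two lines are quoted from post 10; the third line and the inventory are constructed.
SAMPLE_LOG = [
    "[2020-09-18T15:33:35.668] [DEBUG] intune - Querying Intune at https://fef.msua06.manage.microsoft.com/StatelessNACService/devices",
    "[2020-09-18T15:33:40.739] [DEBUG] intune - Request received. /?macAddress=58e6bad7b444",
    "[2020-09-18T15:34:02.115] [DEBUG] intune - Request received. /?macAddress=daa119000001",
]
SAMPLE_INVENTORY = ["58:E6:BA:D7:B4:44"]  # stand-in for an MDM device export

if __name__ == "__main__":
    for mac, known, private in audit_queries(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(f"{mac} in_inventory={known} locally_administered={private}")
```

A queried address with the locally-administered bit set is not the hardware MAC, so it cannot match an inventory record keyed on the hardware MAC whatever delimiter format is used.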