Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass AzureAD authorization

  • 1.  Clearpass AzureAD authorization

    Posted Aug 15, 2019 04:29 AM

    How are you guys solving authentication and authorization when customers retire their local AD and go with AzureAD, but keep a local CPPM server/farm?

     

    Legacy authentication (EAP-PEAP) I understand is "dead" when going all cloud, so EAP-TLS I take is the way to go.

    What would we authenticate against then, as in, what would accept or deny the certificate presented (CPPM yes, but source - just that certificate is signed by a trusted CA?)?

     

    How about authorization? Device attributes are ok, same with compliance state and device owner for example, via Intune extension, but what about AAD group membership?

    Machine+User authentication is a challenge then as well, as a machine can be used by users which should have different access levels.

     

    Any thoughts, ideas, solutions?



  • 2.  RE: Clearpass AzureAD authorization

    EMPLOYEE
    Posted Aug 15, 2019 06:11 AM

    Hi HRossvoll,

     

    I would start with this document here:

     

    https://community.arubanetworks.com/t5/Security/ClearPass-Configuration-Guide-Onboard-Cloud-Identity-Providers/td-p/301657

     

    I think it is going to explain exactly what you are looking for 



  • 3.  RE: Clearpass AzureAD authorization

    Posted Aug 15, 2019 06:16 AM

    I briefly looked through this, but since it mentioned the CPPM Onboard module I assume it was tied in to that process only.

    I'm looking to do this without using CPPM onboarding, but handle management via Intune or AirWatch for example.

     

    I'll dig in to the document more in depth and come back with questions if any :)



  • 4.  RE: Clearpass AzureAD authorization

    EMPLOYEE
    Posted Aug 15, 2019 06:35 AM

    Sure, you can replace ClearPass onboarding with every other onboarding process you like. But the document explains the main concepts very well.