Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass not able to communicate with Intune

  • 1.  Clearpass not able to communicate with Intune

    Posted Jul 07, 2020 11:10 AM

    Hello everybody,

     

    I know it's quite a recurrent topic here but I have issues linking my clearpass with Azure Intune.
    I tried with versions 6.8.0, 6.8.6, 6.9.0 and every time it's the same. I get an HTTP 500 error resulting in my service not getting a RADIUS ACCEPT.

     

    I've followed to the letter the Clearpass Intune integration guide v3 (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=35943) modulo the Intune graphical changes, but every time the same: invalid NAC endpoint, invalid token, not able to query Intune... cf. log attached.

    Does someone have an idea?

    Attachment(s): log clearpass intune.txt


  • 2.  RE: Clearpass not able to communicate with Intune

    MVP GURU
    Posted Jul 07, 2020 11:11 AM

    What does the event viewer look like on the ClearPass server when trying to make the connection?

     

     



  • 3.  RE: Clearpass not able to communicate with Intune

    Posted Jul 07, 2020 11:30 AM

    Hi Dustin,

     

    No alerts in Event Viewer. Only in Access Tracker is the request being refused:

    [attached screenshot: GuillaumeR_0-1594135769962.png]

     



  • 4.  RE: Clearpass not able to communicate with Intune

    EMPLOYEE
    Posted Jul 07, 2020 01:19 PM

    From the extension's logs, the error indicates that you are unable to get the token. 

    [2020-07-07T14:37:50.812] [DEBUG] intune - Requesting token for resource "00000002-0000-0000-c000-000000000000".
    [2020-07-07T14:37:55.971] [ERROR] intune - Unable to get token. Error: getaddrinfo EAI_AGAIN login.microsoftonline.com:443
    at Object._errnoException (util.js:1024:11)
    at errnoException (dns.js:55:15)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:92:26)

    Please check if your DNS is able to resolve login.microsoftonline.com. Update the DNS and restart the extension. 




  • 5.  RE: Clearpass not able to communicate with Intune

    Posted Jul 07, 2020 02:28 PM

    My DNS is working as I'm able to request updates from Aruba servers (installed version is 6.8.0, updated to 6.8.6 then to 6.9.0).

     

    To not leave a trail unfollowed, I checked:

    [appadmin@Clearpass2]# network nslookup login.microsoft.com

    Server: 10.3.20.5
    Address: 10.3.20.5#53

    Non-authoritative answer:
    login.microsoft.com canonical name = a.privatelink.msidentity.com.
    a.privatelink.msidentity.com canonical name = prda.aadg.msidentity.com.
    prda.aadg.msidentity.com canonical name = www.tm.a.prd.aadg.akadns.net.

     

    [appadmin@Clearpass2]# network nslookup login.microsoft.com

    Server: 10.3.20.5
    Address: 10.3.20.5#53

    Non-authoritative answer:
    login.microsoft.com canonical name = a.privatelink.msidentity.com.
    a.privatelink.msidentity.com canonical name = prda.aadg.msidentity.com.
    prda.aadg.msidentity.com canonical name = www.tm.a.prd.aadg.akadns.net.
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.75
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.10
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.98
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.69
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 40.126.9.77
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.6
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.14
    Name: www.tm.a.prd.aadg.akadns.net
    Address: 20.190.137.73

     

    Strangely I had to nslookup 2 times to get the IP answer.

    Should I activate DNS caching to avoid DNS taking too long to answer the request?
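The resolution check the two replies above circle around, as an added example that is not from the thread nor from ClearPass: it resolves the host named in the extension log several times and labels the pattern, so a forwarder that answers only sometimes shows up as "intermittent" instead of passing a single lookup. graph.microsoft.com as a second host, and the `flaky_resolver` stand-in used for the offline test, are assumptions.

```python
"""Added example (not ClearPass/Aruba code): resolve the hosts the Intune extension
needs several times so an intermittently failing forwarder shows as 'intermittent'."""
import socket
from collections import Counter

# login.microsoftonline.com is from the extension log; graph.microsoft.com is assumed.
HOSTS = ("login.microsoftonline.com", "graph.microsoft.com")
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)    # temporary failure (platform dependent)
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)  # name does not exist

def classify_failure(exc):
    """EAI_AGAIN: no answer in time (unreachable or mistyped forwarder); EAI_NONAME: no such name."""
    if exc.errno == EAI_AGAIN:
        return "temporary"
    return "nxdomain" if exc.errno == EAI_NONAME else "other"

def probe(host, attempts=5, resolver=socket.getaddrinfo):
    """Resolve `host` `attempts` times; return (ok, fail, sorted addresses, failure kinds)."""
    tally, addrs, kinds = Counter(), set(), []
    for _ in range(attempts):
        try:
            infos = resolver(host, 443, type=socket.SOCK_STREAM)
            addrs.update(info[4][0] for info in infos)
            tally["ok"] += 1
        except socket.gaierror as exc:
            tally["fail"] += 1
            kinds.append(classify_failure(exc))
    return tally["ok"], tally["fail"], sorted(addrs), kinds

def verdict(ok, fail):
    """'intermittent' is the signature of a flaky forwarder, as in this thread."""
    if fail == 0:
        return "consistent"
    return "broken" if ok == 0 else "intermittent"

def flaky_resolver(addresses):
    """Constructed stand-in for getaddrinfo: raises EAI_AGAIN on every odd-numbered call."""
    calls = Counter()
    def resolve(host, port, **_):
        calls["n"] += 1
        if calls["n"] % 2 == 1:
            raise socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in addresses]
    return resolve

if __name__ == "__main__":
    for h in HOSTS:  # live check against the box's real resolver
        ok, fail, addrs, kinds = probe(h)
        print(h, verdict(ok, fail), addrs, kinds)
```

Run it on the ClearPass host's DNS path several minutes apart; a "consistent" verdict with EAI_AGAIN still in the extension log points at the extension's own resolver settings rather than the forwarder.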



  • 6.  RE: Clearpass not able to communicate with Intune

    Posted Jul 08, 2020 04:07 AM

    New tests this morning: I completely reinstalled the Extension after DNS cache activation. No change in the behavior but more logs.

     

    The App has authorisation for graph and intune compliance, the device is enrolled...

     
     
     

    For those that want to check by themselves (it's a lab):
    Tenant ID : 935534e0-ea0b-4135-bf1f-9206e6c90aec

    Client ID : 808818ac-7488-41a1-93e3-52ea70253994


     

    Been on this topic for nearly a week now, been tweaking my clearpass in all directions and starting to lose focus...

    Attachment(s): cpass_log_error.txt


  • 7.  RE: Clearpass not able to communicate with Intune

    EMPLOYEE
    Posted Jul 08, 2020 12:52 PM

    The current issue appears to be with DNS rather than Intune or the extension itself. 

    Error: getaddrinfo EAI_AGAIN login.microsoftonline.com:443 

    You can work with Aruba TAC to debug the DNS issue. 



  • 8.  RE: Clearpass not able to communicate with Intune
    Best Answer

    Posted Jul 15, 2020 05:11 AM

    Hi all,

    Just to inform you: the issue is probably found.
    It seems the one that configured the DNS made a typo in the forwarders config. It was working sometimes but was not consistent, and was the root cause of the application timing out.

    Thanks for everyone's thoughts.