I ended up using an auth source filter from a senior SE that I then customized. My source has 2 Attribute queries - 1 for user and 1 for device.
We put the Entra ID device id in the email SAN field of the device certificate.
users:users/?$select=id, userPrincipalName,accountEnabled&$filter=userPrincipalName eq %{Certificate:Subject-AltName-Email};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes
device:devices?$select=id,deviceId,displayName&$filter=deviceId eq %{Certificate:Subject-AltName-Email};deviceGroups:devices/%{device:id}/memberof?$select=displayName
If you need more information, just let me know.
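To make the chaining in the two Attribute queries above concrete, here is an added example (not ClearPass code, and the expander is a stand-in for ClearPass's own, which is not public). It resolves `%{Certificate:Subject-AltName-Email}` from the certificate and `%{users:id}` / `%{device:id}` from the first hop's result, picks the device chain when the SAN value is GUID-shaped (the Entra ID device id) and the user chain otherwise, and answers the queries from a constructed in-memory directory.

```python
import re

# Modelled on the two Attribute queries quoted above (whitespace normalised).
# %{Certificate:...} comes from the client cert; %{alias:field} from an earlier hop.
USER_QUERY = ("users:users/?$select=id,userPrincipalName,accountEnabled"
              "&$filter=userPrincipalName eq %{Certificate:Subject-AltName-Email};"
              "group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes")
DEVICE_QUERY = ("device:devices?$select=id,deviceId,displayName"
                "&$filter=deviceId eq %{Certificate:Subject-AltName-Email};"
                "deviceGroups:devices/%{device:id}/memberof?$select=displayName")
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed directory playing the role of Entra ID (sample data, not real tenants).
DIRECTORY = {
    "users": {"alice@example.com": {"id": "u-1", "accountEnabled": True}},
    "devices": {"3f2b1c9e-0d4a-4b7e-9c3a-2e1f5a6b7c8d": {"id": "d-1", "displayName": "LAPTOP-01"}},
    "memberOf": {"u-1": [{"displayName": "Staff"}], "d-1": [{"displayName": "Corp Laptops"}]},
}

def parse_chain(spec):
    """'alias:path;alias:path' -> ordered list of (alias, path)."""
    return [tuple(s.strip() for s in part.split(":", 1)) for part in spec.split(";")]

def expand(path, cert_attrs, results):
    """Fill every %{...} placeholder; earlier aliases feed later queries."""
    def sub(m):
        ns, _, key = m.group(1).partition(":")
        return cert_attrs[key] if ns == "Certificate" else results[ns][key]
    return PLACEHOLDER.sub(sub, path)

def fake_graph(path):
    """Answer the two query shapes used above against DIRECTORY (stand-in for Graph)."""
    m = re.search(r"\$filter=(userPrincipalName|deviceId) eq ([^&;]+)", path)
    if m:
        coll = "users" if m.group(1) == "userPrincipalName" else "devices"
        return DIRECTORY[coll].get(m.group(2))
    m = re.search(r"/([ud]-\d+)/memberof", path, re.I)
    return DIRECTORY["memberOf"].get(m.group(1), [])

def lookup(san_email, graph=fake_graph):
    """Device chain for a GUID-shaped SAN (Entra device id), user chain otherwise."""
    spec = DEVICE_QUERY if GUID.match(san_email) else USER_QUERY
    results = {}
    for alias, path in parse_chain(spec):
        if results and None in results.values():   # first hop found no object: stop
            return results
        results[alias] = graph(expand(path, {"Subject-AltName-Email": san_email}, results))
    return results
```

If the first hop returns nothing, the group hop is skipped rather than expanded with an empty id, which is the case to watch in Access Tracker when role mapping silently shows no Entra attributes.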
Original Message:
Sent: Mar 26, 2024 08:19 AM
From: toopaki
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Exactly what I am referring to (see below screenshot), however there is no end-to-end guide on this for 6.12; I do see an Intune-based guide for 6.11 though. They kind of documented it on the web, and that page breaks the tree content structure on the left bar...
https://www.arubanetworks.com/techdocs/ClearPass/6.12/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Entra.htm
Does anyone have this working end to end?
Original Message:
Sent: Mar 26, 2024 05:30 AM
From: bosborne
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
In CPPM 6.12 the Entra ID auth source was completely rewritten. For me, I could not get the 6.11 version working with TLS certificates.
In our lab, I currently have Entra ID auth source working with TLS after some assistance from our account team. We are not using the Intune extension though. We use a third-party cloud vendor for our PKI and personal device onboarding. We currently have Intune working with our onboarding vendor for Entra ID joined devices and are working on getting it working with our AD Hybrid devices.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Mar 23, 2024 07:37 AM
From: toopaki
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello jeepee,
Can you post a step-by-step guide on how you implemented this on Entra ID and CPPM as a whole?
We are implementing something similar; I need some guidance in testing this first and implementing it in our setup.
Thanks for your understanding.
Original Message:
Sent: Jan 17, 2024 11:15 AM
From: jeepee
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello Herman, we've finally solved our issue with the Entra ID attributes.
The problem seemed to be an incorrect filter query in our authentication source for the Entra ID.
After my colleague changed the filter query to:
We're able to see the attributes in the Access Tracker and we could use them for role mapping.
So obviously the old (standard) query was incorrect!
Regards,
Jan
Original Message:
Sent: Jan 05, 2024 05:42 AM
From: Herman Robers
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
You missed the screenshot of the role mapping, but if your user T1@......com is in your Entra ID, I would expect the lookup to happen. And if you have a role mapping based on one of the attributes, these should show up in Access Tracker where you now just see the Intune attributes. Also, if the lookup didn't work, I would have expected an Alerts tab in Access Tracker, which is not shown. The "Show Logs" in Access Tracker may reveal even some more.
Did you work with your Aruba Partner or Aruba TAC already? It may be easier to do some interactive testing to find where the issue lies.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 05, 2024 04:33 AM
From: jeepee
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello Herman,
I still cannot see and use the Azure attributes for some reason!
Both authentications work (Device & User):
But In the Access Tracker I only see the Intune attributes:
My AAD authorisation source is configured and tested!
My current role mapping is still very basic, but tries to use some Azure attributes:
Any idea why I cannot use the Azure attributes?
Regards,
Jan
Original Message:
Sent: Dec 22, 2023 08:26 AM
From: Herman Robers
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
TEAP with Intune is indeed similar to configuring with AD deployed certificates. Just if you have multiple certificates, AD and Intune, you may need to select the client CA where you can select the 'simple certificate selection', to make sure the right certificates are selected.
I would not see why EAP-TLS with user certificates would be different from TEAP, from the perspective of the Entra ID user lookup.
Do you see in Access Tracker the Entra ID UserPrincipalName as username? Probably yes, as you filter on the '@' in the username. Did you create an Entra ID (Azure AD) Authentication Source? Did you add that as an Authorization Source? And did you create at least one rule (that matches) in role-mapping or enforcement? If there are no rules evaluated that check a value from an authorization source, the policy won't be affected by the result, and as a performance optimization step the source is not even evaluated, so you won't see the information if you only add the authorization source.
Original Message:
Sent: Dec 22, 2023 06:00 AM
From: jeepee
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello Herman,
After I changed the SCEP policy for the User certificate to use the CN={{DeviceID}}, my 404 errors were gone!
So that's one step further :)
I'm still using two services (EAP-TLS) to catch both authentications and for now I use the "@" from the username to differentiate between them.
But I cannot find the AAD attributes yet, I only see the Intune attributes.
I probably need to change the authentication method to EAP-TEAP (EAP Chaining) with both device and user authentication with Intune/Azure
Is this the same as for the Internet/Youtube examples with On-prem AD + Certs ? (only without authorisation required in the authentication method)
Regards,
Jan.
Original Message:
Sent: Dec 21, 2023 05:37 AM
From: Herman Robers
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Yes, on the User certificate you should also have the CN={{DeviceID}}. You can add the username/other fields as SAN. This is what my User Cert config looks like:
It uses my ClearPass as SCEP server, you may have another CA there.
Original Message:
Sent: Dec 20, 2023 01:51 PM
From: jeepee
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello Herman,
Thanks for your reply.
I've added that "Intune Device ID as your CN ( CN={{DeviceID}} " on my SCEP device policy in Intune, and that seems to work fine, I don't get errors on that!
But for the SCEP profile for Intune or Azure users I use this setting:
And on that I get those 404 errors.
Do I misunderstand something?
Regards,
Jan
Original Message:
Sent: Dec 20, 2023 11:06 AM
From: Herman Robers
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
You should have the Intune Device ID as your CN ( CN={{DeviceID}} ) as that is what the Intune Extension queries for.
Did you find/check the ClearPass Intune integration TechNote?
The presentation (halfway down the list) that I created for Atmosphere Belgium has some additional background and screenshots, as well as how to configure TEAP through Intune.
The 404 message in the Intune Extension means in most cases that you are not querying the extension by a valid and enrolled Intune Device ID. It seems to query based on 'T1' which indeed is not a valid device ID.
Original Message:
Sent: Dec 20, 2023 05:40 AM
From: jeepee
Subject: ClearPass: How to combine machine and user auth with EAP-TLS in Intune and Azure
Hello,
I'm struggling with the combination of machine and user authentication using Intune and Azure.
I have enrolled machine and user certificates using SCEP in Intune, so I should be good to use EAP-TLS for both.
My Intune extension is working fine, and when I'm only doing Machine authentication, then I don't have (that well discussed 404) error, and authentication using EAP-TLS works fine.
But when I try to combine this with user authorisation through Azure AAD, then I receive that 404 error, and from the extension I can see that the information cannot be found. I must say that I use this in one ClearPass service, and I don't know if this is correct or whether I should use two services.
I have my SCEP profile for user certificates set up like this:
The logs from the Intune extension first show the successful searches for the machine when it's booted, but when I log in with the credentials the authentication is done, but it cannot match the information from Intune/Azure.
What do I need to change?
The authorisation in my ClearPass service looks like:
When both authentications are working fine, then I will try to combine them using EAP-TEAP.
Thanks in advance!
Jan.