Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

  • 1.  ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    Posted Aug 04, 2022 03:33 PM
    I know that due to recent/upcoming Intune changes, you will not be able to do device queries to Intune using MAC addresses any more, and EAP-TLS with queries using the Intune IDs are preferred if using the Intune Extension v6. Having said that, if ClearPass is doing periodic Intune syncs instead of querying per device on authentication, will the periodic syncs still include the Wi-Fi MAC address of the device in the attributes for the endpoint? I know Android devices won't include it, but I am not clear on Windows devices. If MAC randomization can be turned off for managed devices, we could still match on the MAC address for devices in the Endpoint database unless the periodic syncs don't include the Wi-Fi MAC address anymore.


  • 2.  RE: ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    EMPLOYEE
    Posted Aug 08, 2022 04:04 AM
    Yes; this is an example of a Windows 10 client, and you can see the Intune Wi-Fi MAC Address.


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    EMPLOYEE
    Posted Aug 08, 2022 05:26 AM
    By the way, the approach mentioned in this post may work as well. It queries the Endpoint Database based on the Azure AD Device ID (from the client certificate) instead of through the client MAC address, and should overcome the 'Android not exposing MAC address' issue and increase the reliability and security.

    ------------------------------
    Herman Robers
    ------------------------------



  • 4.  RE: ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    Posted Aug 08, 2022 09:25 AM
    I know, but not all clients want to do EAP-TLS...


  • 5.  RE: ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    Posted Aug 08, 2022 09:24 AM
    Thank you, sir. I wanted to make sure that once Microsoft replaces the Intune NAC service with the Compliance Retrieval service as described in the ClearPass Intune v6 integration guide, that the Wi-Fi MAC attribute was still returned. The guide states that "The new service is also streamlined to return only enrollment and compliance data from Intune. Any other device data not related to access control is eliminated from this service". As long as the data still includes the Wi-Fi MAC with periodic syncs, existing configurations using that method should not break.


  • 6.  RE: ClearPass Intune Extension V6 - do periodic updates still include MAC address for endpoints for non-android devices?

    EMPLOYEE
    Posted Aug 09, 2022 05:01 AM
    I would say the Wi-Fi MAC address is relevant to access control, at least to have a placeholder to store the data in the Endpoint Database in ClearPass.

    On page 24 of the Intune v6 integration guide, there is a list of attributes that are synced (or can be configured to sync or not sync). wiFiMacAddress is part of that list.

    ------------------------------
    Herman Robers
    ------------------------------
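
The two matching strategies discussed in this thread, as an added example that is not part of the original posts and not ClearPass or Intune code. It models the legacy lookup by RADIUS Calling-Station-Id against the synced wiFiMacAddress (posts 1, 5 and 6) next to the lookup by Azure AD Device ID taken from the EAP-TLS client certificate (post 3). The endpoint rows, the attribute names ("Intune wiFiMacAddress", "Intune azureADDeviceId", and so on), the sample MACs and GUIDs, and the assumption that the Intune certificate profile writes the device ID as a GUID into the certificate's SAN URI are all constructed for the example; the check for the locally-administered (U/L) bit is the standard way to recognise a randomised MAC.

```python
"""Two ways of tying a Wi-Fi client to its Intune-synced endpoint record.

Added example, not ClearPass or Intune code. The endpoint rows, attribute
names and the certificate SAN layout are constructed assumptions modelled on
the thread: the Intune extension's periodic sync populates an attribute named
after the Graph field wiFiMacAddress (absent for Android) and one carrying the
Azure AD device ID, which an Intune certificate profile can also place in the
client certificate used for EAP-TLS.
"""
import re
from typing import Optional

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed stand-in for Endpoint Database rows written by the periodic sync.
ENDPOINTS = [
    {   # Windows 10 laptop, MAC randomisation disabled by policy
        "Intune wiFiMacAddress": "3C22FB0A1B2C",
        "Intune azureADDeviceId": "f2d7b2a1-0c33-4e8a-9a0c-8e5f1a2b3c4d",
        "Intune operatingSystem": "Windows",
        "Intune complianceState": "compliant",
    },
    {   # Android phone: sync carries no Wi-Fi MAC, only the device ID is usable
        "Intune azureADDeviceId": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
        "Intune operatingSystem": "Android",
        "Intune complianceState": "compliant",
    },
]


def normalize_mac(mac: str) -> str:
    """Reduce AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or AABBCCDDEEFF
    to twelve lowercase hex digits so RADIUS and Intune spellings compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set. Randomised MACs
    from Android, iOS and Windows set it, so the address is not the adapter's
    burned-in one and no Endpoint DB row synced from Intune can match it."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def lookup_by_mac(calling_station_id: str) -> Optional[dict]:
    """Legacy strategy: key on the RADIUS Calling-Station-Id."""
    mac = normalize_mac(calling_station_id)
    for row in ENDPOINTS:
        synced = row.get("Intune wiFiMacAddress")
        if synced and normalize_mac(synced) == mac:
            return row
    return None


def device_id_from_san_uri(san_uri: str) -> Optional[str]:
    """Pull the Azure AD device ID out of the certificate SAN URI. Assumes the
    Intune certificate profile writes the ID as a GUID into that field."""
    m = GUID_RE.search(san_uri)
    return m.group(0).lower() if m else None


def lookup_by_device_id(device_id: str) -> Optional[dict]:
    """Post 3's strategy: key on the device ID carried in the EAP-TLS certificate."""
    for row in ENDPOINTS:
        if row.get("Intune azureADDeviceId", "").lower() == device_id.lower():
            return row
    return None


def decide(calling_station_id: str, cert_san_uri: Optional[str] = None) -> str:
    """Return an enforcement decision for one authentication.

    With EAP-TLS the device ID from the (TLS-authenticated) certificate is used
    and the MAC is ignored. Without it we fall back to the MAC, refusing
    randomised addresses outright because they can never match synced data
    (that refusal is a policy choice made for this example)."""
    if cert_san_uri is not None:
        device_id = device_id_from_san_uri(cert_san_uri)
        row = lookup_by_device_id(device_id) if device_id else None
        if row and row["Intune complianceState"] == "compliant":
            return "ALLOW (device ID, %s)" % row["Intune operatingSystem"]
        return "DENY (device ID not managed or not compliant)"
    if is_locally_administered(calling_station_id):
        return "DENY (randomised MAC, cannot match synced data)"
    row = lookup_by_mac(calling_station_id)
    if row and row["Intune complianceState"] == "compliant":
        return "ALLOW (MAC, %s)" % row["Intune operatingSystem"]
    return "DENY (unknown MAC)"


if __name__ == "__main__":
    # Windows laptop, fixed MAC, no certificate: the legacy MAC path still works.
    print(decide("3C-22-FB-0A-1B-2C"))
    # Android phone with a per-network randomised MAC and no certificate: no match possible.
    print(decide("da:a1:19:00:11:22"))
    # Same phone doing EAP-TLS: the device ID in the SAN URI finds the synced row.
    print(decide("da:a1:19:00:11:22",
                 "urn:constructed:0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D"))
    # Unmanaged device that cloned the laptop's MAC: the MAC path cannot tell it apart.
    print(decide("3c:22:fb:0a:1b:2c"))
```

The last scenario is the security point behind post 3: a MAC-keyed lookup accepts anything that presents a known address, while the device-ID path only succeeds after EAP-TLS has proved possession of the certificate's private key. The U/L-bit check is cheap to express in a ClearPass enforcement policy as well and tells you up front that a client will never match Intune-synced data, whatever the sync includes.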