You may add different attributes in the Intune deployed certificates for student vs staff and filter on that; or use a different CA to issue your certificates (may be useful for other applications as well).
If staff devices are Corporate managed, and student devices 'personal', you could use the Intune Managed Device Owner Type to make your policy decision.
You probably should not rely on the client MAC address, rather on the Intune DeviceID that is in the client certificate. A query like the following would do such a thing if the Intune DeviceID is set as Common Name in the certificate:
SELECT attributes->>'Intune User Principal Name' AS "Intune User Principal Name",
       attributes->>'Intune Model' AS "Intune Model",
       attributes->>'Intune Jail Broken' AS "Intune Jail Broken",
       attributes->>'Intune Operating System' AS "Intune Operating System",
       attributes->>'Intune Managed Device Owner Type' AS "Intune Managed Device Owner Type",
       attributes->>'Intune Management Agent' AS "Intune Management Agent",
       attributes->>'Intune Azure AD Registered' AS "Intune Azure AD Registered",
       attributes->>'Intune Compliance State' AS "Intune Compliance State",
       attributes->>'Intune Device Name' AS "Intune Device Name",
       attributes->>'Intune Azure AD Device Id' AS "Intune Azure AD Device Id"
FROM tips_endpoints
WHERE attributes->>'Intune ID' = LOWER('%{Certificate:Subject-CN}')
This approach avoids MAC spoofing attacks, and it also allows wired clients (as long as the clients have at least one WiFi interface) when the lookup is done based on the DeviceID rather than on the MAC address.
And there is a v6 version of the Intune extension; I would not deploy new systems with v5.
With ClearPass 6.11 there is now also an Azure AD authorization source that can directly look up Azure AD groups based on the Azure AD Username.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily those of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
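To make the lookup-key point concrete (Herman's DeviceID-in-certificate query above, and Danny's note further down that MAC randomization breaks a MAC-keyed endpoint lookup), here is an added example that is not part of this thread or of any ClearPass/Intune product code. It builds a constructed, in-memory stand-in for the tips_endpoints table with made-up Intune attributes, then runs the two lookups side by side and applies an owner-type based role decision. It assumes Python's bundled sqlite3 has JSON support, and uses SQLite's json_extract in place of the PostgreSQL ->> operator from the real ClearPass query; the attribute names are the ones quoted in the thread, the sample values are invented.

```python
import json
import sqlite3

# Constructed test data standing in for what the Intune extension writes into
# the ClearPass endpoint database. None of these values are real Intune records.
SAMPLE_ENDPOINTS = [
    {
        "mac_address": "aabbccddee01",  # physical MAC known to Intune
        "attributes": {
            "Intune ID": "1f2e3d4c-0000-4000-8000-000000000001",
            "Intune User Principal Name": "teacher@school.example",
            "Intune Managed Device Owner Type": "Company",
            "Intune Compliance State": "Compliant",
        },
    },
    {
        "mac_address": "aabbccddee02",
        "attributes": {
            "Intune ID": "1f2e3d4c-0000-4000-8000-000000000002",
            "Intune User Principal Name": "student@school.example",
            "Intune Managed Device Owner Type": "Personal",
            "Intune Compliance State": "Compliant",
        },
    },
]


def build_endpoint_db():
    """Create an in-memory SQLite stand-in for the tips_endpoints table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_endpoints (mac_address TEXT, attributes TEXT)")
    conn.executemany(
        "INSERT INTO tips_endpoints VALUES (?, ?)",
        [(e["mac_address"], json.dumps(e["attributes"])) for e in SAMPLE_ENDPOINTS],
    )
    return conn


def lookup_by_mac(conn, client_mac):
    """MAC-keyed lookup, i.e. a filter on %{Connection:Client-Mac-Address}.
    A randomized (locally administered) MAC never matches the physical
    address Intune reported, so the endpoint looks unknown."""
    normalized = client_mac.replace(":", "").replace("-", "").lower()
    row = conn.execute(
        "SELECT attributes FROM tips_endpoints WHERE mac_address = ?", (normalized,)
    ).fetchone()
    return json.loads(row[0]) if row else None


def lookup_by_intune_id(conn, cert_subject_cn):
    """DeviceID-keyed lookup, i.e. the %{Certificate:Subject-CN} filter from
    the thread. json_extract is the SQLite equivalent of PostgreSQL's
    attributes->>'Intune ID'; LOWER() mirrors the original query."""
    row = conn.execute(
        "SELECT attributes FROM tips_endpoints "
        "WHERE json_extract(attributes, '$.\"Intune ID\"') = LOWER(?)",
        (cert_subject_cn,),
    ).fetchone()
    return json.loads(row[0]) if row else None


def choose_role(endpoint_attrs):
    """Enforcement decision: a Company-owned, compliant device gets the staff
    role; personal, non-compliant or unknown endpoints fall to student."""
    if endpoint_attrs is None:
        return "student"
    owner = endpoint_attrs.get("Intune Managed Device Owner Type")
    compliant = endpoint_attrs.get("Intune Compliance State") == "Compliant"
    return "staff" if owner == "Company" and compliant else "student"


if __name__ == "__main__":
    db = build_endpoint_db()
    # Same staff laptop, once by certificate CN and once by a randomized MAC.
    print(choose_role(lookup_by_intune_id(db, "1F2E3D4C-0000-4000-8000-000000000001")))
    print(choose_role(lookup_by_mac(db, "0A-11-22-33-44-55")))
```

The default in choose_role is deliberately the least privileged role: an endpoint that cannot be found, whichever key is used, lands in the student role rather than the staff one, which is the behaviour Danny describes for randomized MACs and the reason the certificate CN is the safer key.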
Original Message:
Sent: Nov 28, 2022 07:41 PM
From: Binod Ranabhat
Subject: Clearpass + Intune
Hi Community members,
I am in the same situation; we are using the Clearpass Intune ext v5, using the query filter
%{Connection:Client-Mac-Address-Hyphen}
At this point, all the attributes Clearpass is getting are related to the device, not the user. If we pick one attribute, for example 'Intune Azure AD Registered' eq true, and assign for example the staff role, that means students get the staff VLAN.
Is there any query filter that gets user information, so that we can use that in policy? It's quite hard to distinguish staff and students at this point.
Please share your thought/view.
-BINOD
Original Message:
Sent: Feb 04, 2021 01:23 PM
From: Danny Jump
Subject: Clearpass + Intune
Zack,
I can't think why the mac-randomization would have any bearing on a device working or not, as you describe. It's not like you're checking for a known mac-address, or doing mac-auth. However, if you're specifically making an authZ decision on InTune registered, when you make this check you'll have to be looking up the endpoint with its mac-address; if randomization is enabled then you're potentially in a pickle when comparing to the physical address reported by InTune that is the Endpoint mac-address. Said another way, I'd have expected mac-randomization to always drop the endpoint into the student vlan/role.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Feb 04, 2021 01:58 AM
From: Zack Shore
Subject: Clearpass + Intune
And yes, we enroll all our devices into InTune before distribution. So they are synced to the Endpoint DB and ready by the time the user is ready to join wireless.
------------------------------
Zack Shore
Original Message:
Sent: Feb 04, 2021 01:43 AM
From: Danny Jump
Subject: Clearpass + Intune
I assume you're using V5 of the InTune Extension?
Why do you have it running on two nodes, offset? Sync on one node and sync more regularly; when you sync on a SUB it will have to write the data to the PUB first.
Question 1: The ATP and Palo stuff can be configured later, but I am just trying to get some questions answered on whether this InTune extension and Clearpass can do what I envision in the chart. Basically, I want InTune devices only on our Staff VLAN. All other devices can go and get the student Clearpass role and be put on that VLAN.
So far I have the InTune extension installed on both nodes with sync schedules that offset each other. I do not plan on using HTTP auth mode to pull in data "live"...unless needed. I am pulling data into my Endpoint DB and can view it. Now it really comes down to making sure a cert is pushed to the devices. I will be using PKCS with an internal CA.
{djj} - Yes, this workflow is achievable, in terms of using InTune data and D-ATP data as authZ content.
Question 2: Do I need to push a user auth certificate, or machine auth? or does it not matter? What are the pros and cons?
{djj} - This really depends on how you want to authN the user/device, if you have WIN10 and run TEAP you can do both.
Question 3: Even though I am not using HTTP Auth mode, do I still need to set up an Authentication Source that points to InTune?
{djj} - Not if you're ingesting the endpoint into the CPPM EndpointDb and using that data as an authZ source to make your first check: is this endpoint enrolled/known to InTune?
Question 4: Will I be able to achieve the same setup I have today, where when a user logs into their device, they are automatically joined to the wireless (I think this is where the certs come into play)?
{djj} - Sure, that's the authN portion; the Intune/D-ATP is more the authZ part. One of the huge benefits of CPPM is that authN & authZ can be separated to different identity stores/repositories.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Feb 01, 2021 12:12 AM
From: Zack Shore
Subject: Clearpass + Intune
Hello all,
Now I know this is a lot of text, but I am just trying to get as much detail in as possible. I have read Aruba guides and watched the videos countless times, but I do have a few lingering questions.
Our org has started moving staff devices over to InTune, but we still have a large presence of BYOD and student devices.
Our setup today is pretty simple. Users log into their Windows machines and it all automatically logs them in to the wireless.