Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass RADIUS Intune/Azure AD integration POC

  • 1.  Clearpass RADIUS Intune/Azure AD integration POC

    Posted Nov 15, 2022 11:02 AM
    Hey!

    Running a POC for my company regarding ClearPass and was wondering how you guys pull user group information from Azure AD/Intune. I currently have the Intune extension set up and working, but the attributes passed by Intune are very limited. I need to be able to pull group information to assign different roles/policies.

    Is the only way to achieve this using Secure LDAP to Azure Domain Services? Is there a simpler way to do this? We do not want to use Onboard, and we use SCEPman as a CA for EAP-TLS.

    Thanks!!


  • 2.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Nov 15, 2022 08:33 PM
    I have good group information from ClearPass Guest's Azure AD social integration; they show up in Endpoint:social_groups. 6.11 has some Azure AD support, but also a note: "Even though the current release supports fetching these attributes, it cannot be used within the enforcement profile."
    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Azure.htm


  • 3.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Nov 16, 2022 08:35 AM
    I may have to upgrade to 6.11 to give this a shot. Looks like it can pull group information from Azure, then I can assign roles -> enforcement. If I can't use it for authorization, then what the heck is the point lol


  • 4.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Nov 16, 2022 01:14 PM
    I upgraded to 6.11 and configured the Azure authentication source, but I do not see any authorization information being pulled when I check Access Tracker. I created the Azure app and gave it User.Read permissions. Is there anything I'm missing? The documentation is lacking on the exact permissions needed in the Azure app.


  • 5.  RE: Clearpass RADIUS Intune/Azure AD integration POC
    Best Answer

    EMPLOYEE
    Posted Nov 17, 2022 04:23 AM
    This is what I have:
    And on the note "Even though the current release supports fetching these attributes, it cannot be used within the enforcement profile.": that does not apply to the group membership, but to the other attributes. That is because the default filter only pulls the group information, but you can add the other attributes like:
    ... which will then pull these attributes and make them available for Role Mapping or Enforcement. Example:
    Both of the following Role mappings work after that change:
    Hope this helps... and I'll reach out to the documentation team to get the Azure API required permissions added.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Nov 17, 2022 11:58 AM
    Added Group.Read.All and I'm able to pull group information now, nice!!! I was also stripping the user name with the filter (user:@). I removed that as well, so I'm not sure if that helped, but it is working now. YES


  • 7.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Dec 05, 2023 10:42 AM

    Hi. I've been working on this for the past few days. I even have a TAC case opened and they are researching the issue, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email. I have everything set up (including the Azure app permissions), so that I can perform authentication with a cert, but I am NOT ABLE to use user attributes for authorization because they are not available for some reason. The following is an excerpt from Show Logs.




  • 8.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    EMPLOYEE
    Posted Dec 07, 2023 05:51 AM

    The username during the authentication should be the UPN for the Entra ID user.

    And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work? Then you know the API tokens are valid at least.

    The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.



    ------------------------------
    Herman Robers
    ------------------------------



  • 9.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted Dec 10, 2023 09:24 PM

    Hi Herman -

    Thank you for the quick response. 'Test Connection' works, and we have the UPN as the CN in the user certificate for authentication, so we should be good. One thing I found interesting is that I use the same filter query: users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username}/users/{id}/memberOf?select=displayName. However, I have gotten errors when I tried to run this query in the Microsoft Graph Explorer. I have tweaked the query to work partially. Take this section of the query, for example: users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username}. I had to change it to users/?$select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName eq {Authentication:Username} (of course I used my own UPN for this). Also, what's the correct syntax to inject the ClearPass macro into the query? Should it be in the format %{Authentication:Username}?

    Thanks,

    Kawai




  • 10.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    MVP
    Posted Dec 11, 2023 08:27 AM

    In ClearPass 6.11.x, on our TAC Case 5376142493, product engineering quoted Bug ID CP-47920:

        "We did not support the Group/Custom queries in the initial release. We are exploring the use case"

    Also, there is no precise date when this feature will be added.

    Since then, CPPM 6.12.0 SSR has been released, which I think allows more customization.

    In our organization we are exploring a custom HTTP authorization source that uses the Graph API to access Azure. We are currently testing features we desire that are not likely to be available in the Aruba offering.

    For more information, please contact me privately. After this week, I will be OOO until 2024 though..



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
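The Graph calls behind the filter query discussed in post 9 (resolve the UPN with `$select`/`$filter`, then list `memberOf`) and the custom HTTP authorization source mentioned in post 10, as an added example that is not part of the thread or of any ClearPass or HPE Aruba code. The Graph v1.0 endpoints and OData quoting are real; the FAKE_GRAPH responses, the tenant users, the group names and the group-to-role mapping are constructed so the script runs offline. Substitute `graph_fetch(token)` with a client-credentials token to run it against a real tenant (the app needs User.Read.All plus Group.Read.All or GroupMember.Read.All as application permissions).

```python
"""Resolve an authenticating user's Entra ID (Azure AD) attributes and group
membership through Microsoft Graph and map the groups to a role.

Added example: the endpoints and OData syntax are real Graph v1.0; the fake
responses, users, groups and role mapping below are constructed test data.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Attributes an enforcement policy might key on; $select keeps the response small.
USER_ATTRS = "id,mail,userPrincipalName,department,accountEnabled"
Fetch = Callable[[str], dict]  # url -> decoded JSON body


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal: single quotes, embedded quotes doubled.
    The RADIUS username is attacker-influenced input; never splice it in raw."""
    return "'" + value.replace("'", "''") + "'"


def build_user_query(upn: str) -> str:
    """GET /users?$select=...&$filter=userPrincipalName eq '<upn>'.
    Both query options need their leading '$'; the filter value is percent-encoded."""
    flt = urllib.parse.quote(f"userPrincipalName eq {odata_string(upn)}")
    return f"{GRAPH}/users?$select={USER_ATTRS}&$filter={flt}"


def build_memberof_query(user_id: str) -> str:
    """GET /users/{id}/memberOf lists direct membership only; use transitiveMemberOf
    when nested groups must count."""
    return f"{GRAPH}/users/{urllib.parse.quote(user_id, safe='')}/memberOf?$select=id,displayName"


def fetch_all(fetch: Fetch, url: str) -> List[dict]:
    """Collect every page of a Graph collection by following @odata.nextLink."""
    items: List[dict] = []
    next_url: Optional[str] = url
    while next_url:
        body = fetch(next_url)
        items.extend(body.get("value", []))
        next_url = body.get("@odata.nextLink")
    return items


def graph_fetch(token: str) -> Fetch:
    """Real fetcher: bearer token from the client-credentials flow with scope
    https://graph.microsoft.com/.default. Not exercised by the offline run."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def authorize(upn: str, fetch: Fetch, role_map: List[tuple], default_role: str) -> dict:
    """Look the user up, collect group display names and return a decision.
    Unknown or disabled accounts are denied before any role mapping runs."""
    users = fetch(build_user_query(upn)).get("value", [])
    if len(users) != 1:
        return {"decision": "deny", "reason": f"{len(users)} users matched {upn}"}
    user = users[0]
    if not user.get("accountEnabled"):
        return {"decision": "deny", "reason": "accountEnabled is false"}
    # memberOf also returns directoryRole and administrativeUnit objects; keep only groups.
    members = fetch_all(fetch, build_memberof_query(user["id"]))
    groups = sorted(m["displayName"] for m in members
                    if m.get("@odata.type") == "#microsoft.graph.group")
    role = next((r for g, r in role_map if g in groups), default_role)  # first match wins
    return {"decision": "allow", "role": role, "groups": groups,
            "attributes": {k: user.get(k) for k in USER_ATTRS.split(",")}}


# Constructed stand-in for Graph; the second memberOf page exercises @odata.nextLink.
_ALICE_MEMBERS = build_memberof_query("1111-aaaa")
FAKE_GRAPH: Dict[str, dict] = {
    build_user_query("alice@contoso.com"): {"value": [{
        "id": "1111-aaaa", "mail": "alice@contoso.com", "userPrincipalName": "alice@contoso.com",
        "department": "Networking", "accountEnabled": True}]},
    _ALICE_MEMBERS: {
        "value": [{"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "NetAdmins"}],
        "@odata.nextLink": _ALICE_MEMBERS + "&$skiptoken=page2"},
    _ALICE_MEMBERS + "&$skiptoken=page2": {
        "value": [{"@odata.type": "#microsoft.graph.group", "id": "g2", "displayName": "All Staff"},
                  {"@odata.type": "#microsoft.graph.directoryRole", "id": "r1", "displayName": "Global Reader"}]},
    build_user_query("bob@contoso.com"): {"value": [{
        "id": "2222-bbbb", "mail": "bob@contoso.com", "userPrincipalName": "bob@contoso.com",
        "department": "Sales", "accountEnabled": False}]},
    build_user_query("nobody@contoso.com"): {"value": []},
}
ROLE_MAP = [("NetAdmins", "NetworkAdmin"), ("All Staff", "Employee")]  # hypothetical mapping


def fake_fetch(url: str) -> dict:
    return FAKE_GRAPH[url]


if __name__ == "__main__":
    for upn in ("alice@contoso.com", "bob@contoso.com", "nobody@contoso.com"):
        print(upn, authorize(upn, fake_fetch, ROLE_MAP, "Guest"))
```

Two points from the thread show up in the code: the username sent to Graph has to be the UPN (here it is quoted as an OData literal rather than pasted into the filter), and the `$` on `$select` and `$filter` is not optional. Directory roles come back from `memberOf` alongside groups, so the role mapping filters on `@odata.type` to avoid matching a role name as if it were a group.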



  • 11.  RE: Clearpass RADIUS Intune/Azure AD integration POC

    Posted 4 hours ago

    We only have Azure AD. For TACACS+, as it does not support authentication, we use local authentication. But for the user name, do we have to use the UPN? That means email? If so, how do we SSH into network devices?