Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass wireless 802.1x for Apple iOS (Shared iPads)

  • 1.  ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 08:21 AM

    Dear Support,

    I am researching the possibility of allowing shared Apple iPads to access the wireless network without an end user having to enter their corporate login credentials to do so. The authentication must then be granted at device level based on a certificate. This is because the shared iPads are used by several people.

    We now use ClearPass with Intune integration for 802.1x authentication for corporate devices such as laptops and smartphones. The iPads are deployed via Intune MDM and are thus visible in Entra ID. Furthermore, we have a PKI environment that facilitates certificate handling. 

    I am looking for the right combination of Intune and ClearPass configuration that ensures a shared Apple iPad accesses the wireless network without user intervention, so that when the Apple iPad has a (device) certificate, access is automatically granted.

    Thanks in advance!



  • 2.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 08:33 AM

    Hi

    In Intune you have, as I understand it, configured policies that enroll a certificate for the iPads. In addition to this you also need to create an SSID profile with the correct 802.1X settings.

    In this profile you should specify the certificate to use for authentication of the client, the SSID to connect to, and the root certificate of the RADIUS server certificate to trust. Also add the name in the RADIUS certificate to the policy.

    In ClearPass you need to configure a service performing EAP-TLS and, in the authentication method, remove the option to do authorization.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 09:58 AM

    Hi Jonas,

    The Authentication EAP-TLS Method is as follow:

    Session Resumption: Enabled

    Session Timeout: 6 hours

    Authorization Required: Disabled

    Certificate Comparison: Do not compare

    Authentication sources: Endpoint repository, local SQL DB

    Authorization sources: Endpoint repository, local SQL DB - Additional: Microsoft Intune [HTTP]

    Role Mapping condition: (Authorization:Microsoft Intune:Intune Azure AD Device Id  EXISTS   )

    With enforcement profile: 

    Radius:Aruba Aruba-User-Vlan = 88




  • 4.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 10:05 AM

    Can you describe the question you have in more detail?

    At the moment it's a bit hard to understand if you need assistance with a configuration question or if you have problems with the authentications.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 5.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 10:15 AM

    We are in research / design phase before testing phase and I'm looking for the right configurations for the solution. The question is if I'm in the right corner or am I completely off (configuration wise).

    Another question: for the solution I described above and the configuration steps you mentioned, is there any documentation of that? Because Google is not helping me.




  • 6.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 14, 2024 10:43 AM

    Ok, yes you are on the right track.

    For configuration of SSID and 802.1x profiles in Intune you have to check the Intune documentation and how to's.

    Regarding the ClearPass configuration, Herman Robers has created a series of short tutorials published on the Airheads Broadcasting channel on YouTube. If you are new to ClearPass, this series of videos is a crash course in all important aspects of ClearPass configuration.

    https://www.youtube.com/watch?v=bnOGv6sN804&list=PLsYGHuNuBZcbZPEku1zxkfpn2k_O_MENo

    In your case there are four main parts of the configuration:

    1. Enroll certificate for the device in Intune
    2. Configure SSID and 802.1x profiles on the device in Intune
    3. Configure authentication service in ClearPass
    4. Configure your wireless infrastructure with an SSID and set ClearPass as Radius server

    The last two steps can be as simple as one service validating the certificate and sending an accept message back to the wireless infrastructure, with the SSID configuration placing the client on a VLAN and assigning the default role with full access.

    Or you can build a service with authorization based on attributes for the device in Intune, and apply downloadable user roles from ClearPass to the wireless infrastructure to filter what resources the devices can access.

    The ClearPass User Guide is available here:

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/home.htm



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 8.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    EMPLOYEE
    Posted Mar 15, 2024 04:30 AM

    One additional suggestion is to first get (one of) your iPads configured, then adapt the ClearPass policy to it by trying an authentication and seeing what authentication/authorization information/attributes you have. From the above it seems you are attempting the reverse path (first ClearPass, then adapt Intune/iPads).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 15, 2024 06:14 AM

    Hi Herman,

    Thanks for your support. What you were suggesting was a great idea.

    Doing some trial and error and now I'm stuck.

    So I'm currently testing the configuration.

    The authentication is hitting the right service policy, but now we receive a reject message with the following statement:


    And looking at the logs:

    Looking at the iPad certificate store, there are 2 certificates:
    1. Microsoft Intune Root Certification Authority
    2. ROOTCA (from our PKI)

    And on the iPad
    During manual authentication by selecting the SSID it's using the EAP-TLS:
    identity: Intune Device ID <string of characters xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx>, and it is issued by Microsoft Intune MDM Device CA

    What am I missing here?




  • 10.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    EMPLOYEE
    Posted Mar 15, 2024 12:28 PM

    Fatal alert by server: unknown_ca means that you have not imported and enabled the Root (and intermediates) CA that issued your client certificates with the type EAP into the ClearPass Certificate Trust Store.

    Looks like you are really close now...



    ------------------------------
    Herman Robers
    ------------------------------



  • 11.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 19, 2024 07:43 AM

    Yes, that's where we get stuck, because we already have a working setup and have imported the Root CA and subordinate into the CPPM trust store and list. But for some reason it does display the message with the Shared iPad.




  • 12.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    MVP
    Posted Mar 19, 2024 07:50 AM

    Are these certificates trusted in the Wi-Fi profile on the iPad?



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 13.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    EMPLOYEE
    Posted Mar 19, 2024 12:22 PM

    Could it be that the iPad has multiple certificates and uses the wrong one? The message is quite clear: the iPad uses a client certificate that is not trusted by ClearPass [unable to get local issuer certificate]. It may also be that other clients have the intermediate certificates included (chained), but the iPad may not, and in that case the intermediate should be added to the ClearPass Trust List.

    The other message, that the client certificate does not have a Subject Alternative Name (SAN), is also something to investigate further. Not 100% sure that it is required, but modern certificates should use SANs instead of relying on the Subject (CN).

    Personally I would run a packet capture on the ClearPass and find the certificates (and intermediates) used from the captures. Analyzing that data may be somewhat complex, and asking support from your Aruba Partner or TAC may be useful.



    ------------------------------
    Herman Robers
    ------------------------------
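The two things the reply above asks the poster to check, whether the client certificate chains to a CA the RADIUS server trusts and whether it carries a SAN at all, can be reproduced offline with openssl before touching ClearPass. The script below is an added example and is not from the thread, from HPE Aruba or from Microsoft: it builds a throwaway two-tier PKI (a ROOTCA, an issuing CA, and two device certificates, one with a SAN and one without), then verifies a device certificate against a trust store that holds only the root, which produces openssl's "unable to get local issuer certificate", the same error text quoted in the thread, and again with the intermediate available. The CA names, the GUID and the IntuneDeviceId URI form of the SAN are constructed for this example.

```shell
#!/bin/sh
# Constructed lab (not the poster's environment): a throwaway two-tier PKI,
# ROOTCA -> "Issuing CA" -> device certificate, used to reproduce two checks:
# does the chain build from the client certificate to a trusted root, and does
# the client certificate carry a Subject Alternative Name at all?
set -eu

LAB=$(mktemp -d)

make_pki() {
  cd "$LAB"
  # Extension profiles for each tier (bare key=value lines, read via -extfile)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  # Device profile: clientAuth EKU plus a device-identifier URI SAN. The
  # "IntuneDeviceId://<guid>" form and the GUID are constructed for this example.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=URI:IntuneDeviceId://00000000-0000-4000-8000-000000000001\n' > dev.ext
  # Same profile without any SAN: the identity lives only in the Subject CN
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > nosan.ext

  # Root CA (self-signed)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ROOTCA" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile ca.ext -out root.pem 2>/dev/null
  # Issuing CA (intermediate), signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Issuing CA" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null
  # Two device certificates issued by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shared-ipad-01" -keyout dev.key -out dev.csr 2>/dev/null
  openssl x509 -req -in dev.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 365 -sha256 -extfile dev.ext -out device.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shared-ipad-02" -keyout nosan.key -out nosan.csr 2>/dev/null
  openssl x509 -req -in nosan.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 365 -sha256 -extfile nosan.ext -out nosan.pem 2>/dev/null

  # Two candidate trust stores: root only, and root plus intermediate
  cp root.pem store-root-only.pem
  cat root.pem sub.pem > store-root-and-sub.pem
}

# Mirrors the chain building a RADIUS server does on the client certificate:
# every issuer up to a trusted root must be found either in the trust store
# ($2) or among intermediates the client sent in its TLS handshake ($3, optional).
# Prints openssl's verdict; returns 0 only on "OK".
verify_leaf() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  fi
  printf '%s\n' "$out"
  case $out in
    *": OK") return 0 ;;
    *)       return 1 ;;
  esac
}

# Prints the certificate's subjectAltName entries, or "(none)" when the extension is absent
san_of() {
  san=$(openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^[[:space:]]*//')
  if [ -n "$san" ]; then printf '%s\n' "$san"; else echo "(none)"; fi
}

make_pki

echo "--- root-only trust store, no intermediate offered by the client:"
verify_leaf "$LAB/device.pem" "$LAB/store-root-only.pem" || true
echo "--- root-only trust store, client supplies the intermediate in the handshake:"
verify_leaf "$LAB/device.pem" "$LAB/store-root-only.pem" "$LAB/sub.pem"
echo "--- root and intermediate both in the trust store:"
verify_leaf "$LAB/device.pem" "$LAB/store-root-and-sub.pem"
echo "--- SAN of each device certificate:"
echo "device.pem: $(san_of "$LAB/device.pem")"
echo "nosan.pem:  $(san_of "$LAB/nosan.pem")"
```

The first case is the one that matches the thread's symptom: the leaf is valid and the root is trusted, but nothing links the two, so verification stops at depth 0 with "unable to get local issuer certificate". To run the same check on real data, export the client certificate and any intermediates from the EAP-TLS handshake in a packet capture and point verify_leaf at them with a PEM bundle of what is actually enabled for EAP in the ClearPass trust list; the store must contain the issuing CA, not only the root, unless the client sends the intermediate itself.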



  • 14.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    MVP
    Posted Mar 15, 2024 07:56 AM

    What version of ClearPass? 

    What PKI are you using?

    We use a third party PKI. More details available in a PM.

    We are working on EAP-TLS for Intune, but with Windows devices. I suspect iPads would be similar. For our iPad deployment we have chosen to use service accounts since they need a login to Apple anyway.

    The CPPM 6.10.x Azure auth source will not let you use certificate info for authorization. They completely rewrote the code for CPPM 6.12, and certificate information works with the Entra ID auth source.

    I can explain our 6.12 choices further, if you desire.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------



  • 15.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    Posted Mar 15, 2024 08:31 AM

    We are using CPPM 6.10.8 and we are using a Windows PKI.

    Our corporate Windows devices and also our corporate Android and Apple phones are covered, and that is working very well.
    But the business has a need for a shared tablet (Apple iPad) solution that will be used by multiple users.
    And the requirement is that the shared iPad authenticates to the wireless network without user intervention.
    Currently we have a hybrid (on-prem & cloud) environment, but for the long term it will be cloud native.

    Yes, sharing knowledge is always a good thing :).




  • 16.  RE: ClearPass wireless 802.1x for Apple iOS (Shared iPads)

    MVP
    Posted Mar 15, 2024 08:42 AM

    Since this past summer we have had personal devices using EAP-TLS with our cloud onboarding & PKI. We are currently on ClearPass 6.9.13 but will move to a new greenfield configuration on ClearPass 6.12.x.

    We are currently using the certificate subject for authentication & the Active Directory auth source for authorization. When we move to 6.12 we will use the Entra ID auth source for authorization.

    We have Intune working for Windows devices using SCEP to get certificates from our PKI. It involved some setup of Azure Identity Providers to make it work. I suspect a similar configuration should work for iPads.

    We currently use cloud-based JAMF Pro for our shared iPads with service accounts in Entra ID and AD / Entra ID device groups.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------