Security

Hi all

We have integrated Clearpass with Intune and Azure AD. Everything works fine, we are able to deploy over SCEP Certs from our internal CA and also later connect with a client to 802.1 WLAN with device authentication (EAP-TLS).

Right now we have created next to our standard Service (802.1X Wireless) a new specific service (802.1X Wireless) for intune.

The difference between them are:

1. Standard Service (802.1X Wireless):
   Authentication Methods: EAP PEAP, EAP MSCHAPv2
   Authentication Sources: Our local AD Domain
   Roles: Conditions which are checking some Groups, UserDN etc.
   
   
2. Intune Service (8021.X Wireless)
   Authentication Methods: EAP TLS for Intune
   Authentication Sources: Local SQL DB
   Roles: Checking Intune Azure AD Device ID if it exists.

Both services are connecting the same SSID.
Right know for testing purpose I just limited the rule in 2. Intune Service with "Client-Mac-Address" EQUALS to my test machine. For that reason, there is no conflict between these two services. But when I would remove this Rule it would get in a conflict with all other clients, which dont receive any Certificate from the SCEP Profile.

Question:
Whats the best practice to combine them together?
Or how to make sure, that in the 2. Service for intune only devices from Intune with a deployed SCEP Profile from intune are doing the authentication?

Let me know if you need more information. Thanks.

You probably can filter these out based on the username being used, as PEAP (deprecated, but you probably know that) uses DOMAIN\user or host/computername format, where Intune managed client often use User Principle Name or email (user@domain). You can use that (begins_with, ends_with, regex) to filter for the different services.

One other option would be to combine everything in a single service and in role mapping / enforcement send different enforcement based on the authentication method and/or authentication/authorization sources.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 18, 2023 10:15 AM
From: devlo
Subject: Clearpass with Intune - How to combine or solve two Services (802.1X Wireless)?

Hi all

We have integrated Clearpass with Intune and Azure AD. Everything works fine, we are able to deploy over SCEP Certs from our internal CA and also later connect with a client to 802.1 WLAN with device authentication (EAP-TLS).

Right now we have created next to our standard Service (802.1X Wireless) a new specific service (802.1X Wireless) for intune.

The difference between them are:

1. Standard Service (802.1X Wireless):
   Authentication Methods: EAP PEAP, EAP MSCHAPv2
   Authentication Sources: Our local AD Domain
   Roles: Conditions which are checking some Groups, UserDN etc.
   
   
2. Intune Service (8021.X Wireless)
   Authentication Methods: EAP TLS for Intune
   Authentication Sources: Local SQL DB
   Roles: Checking Intune Azure AD Device ID if it exists.

Both services are connecting the same SSID.
Right know for testing purpose I just limited the rule in 2. Intune Service with "Client-Mac-Address" EQUALS to my test machine. For that reason, there is no conflict between these two services. But when I would remove this Rule it would get in a conflict with all other clients, which dont receive any Certificate from the SCEP Profile.

Question:
Whats the best practice to combine them together?
Or how to make sure, that in the 2. Service for intune only devices from Intune with a deployed SCEP Profile from intune are doing the authentication?

Let me know if you need more information. Thanks.

Hi Herman Robers, thank you very much for your reply. Im really sorry  for my late reply, I had to take an unexpected break for a while. However I'm still struggling with this challange. Let me explain, you might help me further.

First Option:

At which point Intune managed client often use the User Principle Name / email? Do you mean the values inside the certificate? If yes, which one do you mean user or client? As additional, how owuld the Service filter would look like, could you please tell me an example of "Type, Name, Operator, Value"?

Second Option:

Not sure if this will get more complicated than the first option. If you agree, I would suggest to focus on the first option.

EDIT:

I would like to add that our devices are doing the authentication with their host machine, not user.
Additional, what I found out is, when I use in Filter "Endpoint, Client-Mac-Address, Equals, (RealdMacAddress)" it workes.
But same when I change the Filter to "Endpoint, Intune Azure AD Device ID, Equals, (RealdDeviceID)" it doesn't work. Even I tell them, just check if its exist.
What would be the way to add a filter that i can check in ClearPass Services? Maybe I have to add some more attributes when I push the Certificate over Intune. But which one is recommened and secure?

I appreciate your answer and help. Thank you.

Original Message:
Sent: Oct 20, 2023 10:04 AM
From: Herman Robers
Subject: Clearpass with Intune - How to combine or solve two Services (802.1X Wireless)?

You probably can filter these out based on the username being used, as PEAP (deprecated, but you probably know that) uses DOMAIN\user or host/computername format, where Intune managed client often use User Principle Name or email (user@domain). You can use that (begins_with, ends_with, regex) to filter for the different services.

One other option would be to combine everything in a single service and in role mapping / enforcement send different enforcement based on the authentication method and/or authentication/authorization sources.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 18, 2023 10:15 AM
From: devlo
Subject: Clearpass with Intune - How to combine or solve two Services (802.1X Wireless)?

Hi all

We have integrated Clearpass with Intune and Azure AD. Everything works fine, we are able to deploy over SCEP Certs from our internal CA and also later connect with a client to 802.1 WLAN with device authentication (EAP-TLS).

Right now we have created next to our standard Service (802.1X Wireless) a new specific service (802.1X Wireless) for intune.

The difference between them are:

1. Standard Service (802.1X Wireless):
   Authentication Methods: EAP PEAP, EAP MSCHAPv2
   Authentication Sources: Our local AD Domain
   Roles: Conditions which are checking some Groups, UserDN etc.
   
   
2. Intune Service (8021.X Wireless)
   Authentication Methods: EAP TLS for Intune
   Authentication Sources: Local SQL DB
   Roles: Checking Intune Azure AD Device ID if it exists.

Both services are connecting the same SSID.
Right know for testing purpose I just limited the rule in 2. Intune Service with "Client-Mac-Address" EQUALS to my test machine. For that reason, there is no conflict between these two services. But when I would remove this Rule it would get in a conflict with all other clients, which dont receive any Certificate from the SCEP Profile.

Question:
Whats the best practice to combine them together?
Or how to make sure, that in the 2. Service for intune only devices from Intune with a deployed SCEP Profile from intune are doing the authentication?

Let me know if you need more information. Thanks.

You would need to check what is the username that your client (initially) sends to ClearPass for the authentication. With EAP-TLS, that normally is the UPN which is in the certificate, or the Common Name if it's not there, but you can configure the supplicant to send basically anything (use different username option). For TEAP it's normally an anonymous identity, which can be configured but I think it's anonymous by default. For PEAP-MSCHAPv2, it's the SAMAccountName by default, but you can override that with an anonymous identity.

What is a bit confusing, is that during the authentication, that initial identity can be overridden with the one used in the certificate. If you have a very basic service, which does TLS and/or TEAP, you can see the used identity. Alternatively you can run a packet capture and collect it from the RADIUS packets.

Some examples from my lab server:

TLS with ADCS certificates (User; nl.arubalab.com is my AD Domain name):

TEAP with filtering on the anonymous identity (anonymous [default] or teap [configured]):

Intune EAP-TLS computer certificate (host/Intune UUID):

Intune EAP-TLS users (azure.arubalab.com is my Azure domain):

And I think a PEAP computer sends HOST/COMPUTERNAME$, and a PEAP user DOMAIN\user. If you know which username is sent, you can probably by setting the order of your services and filtering most specific first, make sure that each authentication ends up in the right service.

Hi Herman Robers, thank you very much for your reply. Im really sorry  for my late reply, I had to take an unexpected break for a while. However I'm still struggling with this challange. Let me explain, you might help me further.

First Option:

At which point Intune managed client often use the User Principle Name / email? Do you mean the values inside the certificate? If yes, which one do you mean user or client? As additional, how owuld the Service filter would look like, could you please tell me an example of "Type, Name, Operator, Value"?

Second Option:

Not sure if this will get more complicated than the first option. If you agree, I would suggest to focus on the first option.

EDIT:

I would like to add that our devices are doing the authentication with their host machine, not user.
Additional, what I found out is, when I use in Filter "Endpoint, Client-Mac-Address, Equals, (RealdMacAddress)" it workes.
But same when I change the Filter to "Endpoint, Intune Azure AD Device ID, Equals, (RealdDeviceID)" it doesn't work. Even I tell them, just check if its exist.
What would be the way to add a filter that i can check in ClearPass Services? Maybe I have to add some more attributes when I push the Certificate over Intune. But which one is recommened and secure?

I appreciate your answer and help. Thank you.

Original Message:
Sent: Oct 20, 2023 10:04 AM
From: Herman Robers
Subject: Clearpass with Intune - How to combine or solve two Services (802.1X Wireless)?

You probably can filter these out based on the username being used, as PEAP (deprecated, but you probably know that) uses DOMAIN\user or host/computername format, where Intune managed client often use User Principle Name or email (user@domain). You can use that (begins_with, ends_with, regex) to filter for the different services.

One other option would be to combine everything in a single service and in role mapping / enforcement send different enforcement based on the authentication method and/or authentication/authorization sources.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Oct 18, 2023 10:15 AM
From: devlo
Subject: Clearpass with Intune - How to combine or solve two Services (802.1X Wireless)?

Hi all

We have integrated Clearpass with Intune and Azure AD. Everything works fine, we are able to deploy over SCEP Certs from our internal CA and also later connect with a client to 802.1 WLAN with device authentication (EAP-TLS).

Right now we have created next to our standard Service (802.1X Wireless) a new specific service (802.1X Wireless) for intune.

The difference between them are:

1. Standard Service (802.1X Wireless):
   Authentication Methods: EAP PEAP, EAP MSCHAPv2
   Authentication Sources: Our local AD Domain
   Roles: Conditions which are checking some Groups, UserDN etc.
   
   
2. Intune Service (8021.X Wireless)
   Authentication Methods: EAP TLS for Intune
   Authentication Sources: Local SQL DB
   Roles: Checking Intune Azure AD Device ID if it exists.

Both services are connecting the same SSID.
Right know for testing purpose I just limited the rule in 2. Intune Service with "Client-Mac-Address" EQUALS to my test machine. For that reason, there is no conflict between these two services. But when I would remove this Rule it would get in a conflict with all other clients, which dont receive any Certificate from the SCEP Profile.

Question:
Whats the best practice to combine them together?
Or how to make sure, that in the 2. Service for intune only devices from Intune with a deployed SCEP Profile from intune are doing the authentication?

Let me know if you need more information. Thanks.