Security

Hey Everyone,

I set up a intune extension with EAP-TLS on a clearpass 6.11.7 cluster.

Without any issues and working fine, but we want to remove the on-prem AD and go to Entra AD.
Since there is integration in 6.11 I added the tenant id etc.. in the source of clearpass and tested the connection.

Which was succesful.

So far so good.

Now I want to see in which group the device or user is in.
I added the authentication source in the authorization list.

But when I do the dot1x authentication I don't see any groups coming by.

Also in the logs I don't see any errors.

All the intune attributes I can perfectly see.

What I'm doing wrong?

Hey Everyone,

I set up a intune extension with EAP-TLS on a clearpass 6.11.7 cluster.

Without any issues and working fine, but we want to remove the on-prem AD and go to Entra AD.
Since there is integration in 6.11 I added the tenant id etc.. in the source of clearpass and tested the connection.

Which was succesful.

So far so good.

Now I want to see in which group the device or user is in.
I added the authentication source in the authorization list.

But when I do the dot1x authentication I don't see any groups coming by.

Also in the logs I don't see any errors.

All the intune attributes I can perfectly see.

What I'm doing wrong?

Do you see any data coming in from your Entra ID (Azure AD in ClearPass 6.11) Authorization Source?

Check my presentation from Atmosphere Brussels last year.... Entra ID needs the User Principle Name (UPN) to get authorization (including Group Membership) information. Device membership is as far as I know not yet available.

Hey Everyone,

I set up a intune extension with EAP-TLS on a clearpass 6.11.7 cluster.

Without any issues and working fine, but we want to remove the on-prem AD and go to Entra AD.
Since there is integration in 6.11 I added the tenant id etc.. in the source of clearpass and tested the connection.

Which was succesful.

So far so good.

Now I want to see in which group the device or user is in.
I added the authentication source in the authorization list.

But when I do the dot1x authentication I don't see any groups coming by.

Also in the logs I don't see any errors.

All the intune attributes I can perfectly see.

What I'm doing wrong?

After more research, I found out that it was an Intune machine certificate.

And because you mention that we must use the UPN, it didn't return anything.

In the release notes of 6.12 I found out that I can use device groups in Clearpass in that version.

Issue is that this is a production environment and I don't like the vanilla versions.

Or is 6.12.1 ok to run in production environment, someone got experiences? 

Do you see any data coming in from your Entra ID (Azure AD in ClearPass 6.11) Authorization Source?

Check my presentation from Atmosphere Brussels last year.... Entra ID needs the User Principle Name (UPN) to get authorization (including Group Membership) information. Device membership is as far as I know not yet available.

Hey Everyone,

I set up a intune extension with EAP-TLS on a clearpass 6.11.7 cluster.

Without any issues and working fine, but we want to remove the on-prem AD and go to Entra AD.
Since there is integration in 6.11 I added the tenant id etc.. in the source of clearpass and tested the connection.

Which was succesful.

So far so good.

Now I want to see in which group the device or user is in.
I added the authentication source in the authorization list.

But when I do the dot1x authentication I don't see any groups coming by.

Also in the logs I don't see any errors.

All the intune attributes I can perfectly see.

What I'm doing wrong?