Hello,
Set up:
- CA: ADCS
- MS Certificate connector.
- ClearPass 6.11.10 (only need to auth'z against Group membership so no need for 6.12 yet).
- Intune managed devices distributing profiles for root CA, WiFi profile and PKCS certificate.
- Entra ID auth'z source for Group lookup.
Certificate is being successfully enrolled on device and can authenticate with a very basic condition set in ClearPass, however...
Having difficulties getting authorisation attributes for Entra ID to populate in the access tracker:
I need these attributes in order to verify device group membership affiliation in Entra, in order to apply appropriate enforcement profiles. I cannot use the Intune extension to do this as I only have Entry licenses & there is no other information in the computed attributes > certificate values which can identify the group membership.
I have verified:
-Connection to Entra application is tested and working from ClearPass.
-The permissions are added within the application correctly (see below). I have added way more than I need but that has been through testing/ belts and braces approach.
I have followed this link https://support.hpe.com/hpesc/public/docDisplay?docId=sf000102074en_us
& followed the steps regarding the filter query to add into the auth source,
Query - as per the doc and replicated the attribute names etc.
device:devices?$select=id,displayName,accountEnabled,isComplaint&$filter=displayName eq %{Host:Name};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
Service config:
Entra ID added within the auth'z source.
Attempted the following in role mapping to get something back to then build on.
Basic enforcement currently:
In the REJECT in AT > computed attributes:
Which the filter query is doing the following:
Filters on device displayName matching Host:Name from the certificate. Both of which match - the value displayed here in the AT and the displayName on the device record in Entra:
-------------------------------------------