Security

Herman Robers did a good explanation here : Atmosphere23 Netherlands - Bussum 2023 | Atmosphere '23 I think it´s a good a Idea to Sync Intune Attributes Like Devicename / Intune DeviceID / EntraDeviceID with the Clearpass Intune Integration on a 30 Min Time Based Interval into Endpoint DB. Also insert the Intune Device ID / EntraDeviceID into the Client Certificate, so that y can do a Lookup into Intune and EntraID and Endpoint DB based on each of the Attributes. We switched from Intune Integration real time lookup to Lookup in Endpoint DB based on Device ID. This will work even when Intune / Entra API´s are not reachable (MS issues or WAN Issues), and will be updated every 30 Min.  I found a lot of usefull Information here Clearpass not getting group membership from EntraID | Security hope to help you a little. 

thanks for the response, 

i'm planning to test EAP-TEAP with the above scenario, that is UPN will be fetched from user certificate (method 2), and intune device ID from local computer certificate (method 1), then leverage on the attributes retrieved from entraid and intune to authorize the users ... is the above logic correct ? appreciate your insights if had previous experience with the above flow ... 

thank you !

When you are using EAP-TEAP ClearPass will only have certificate attributes from one of the certificates available for authorization. If you are only performing Method 1 authentication you will have the information from the computer certificate. If both Method 1 and 2 is successful you will only see the the user certificate attributes in ClearPass. On way to work around this is to populate the user certificate with machine information as well during certificate enrollment.

There are several discussions related to this.

thanks for the response, 

i'm planning to test EAP-TEAP with the above scenario, that is UPN will be fetched from user certificate (method 2), and intune device ID from local computer certificate (method 1), then leverage on the attributes retrieved from entraid and intune to authorize the users ... is the above logic correct ? appreciate your insights if had previous experience with the above flow ... 

thank you !

Herman Robers did a good explanation here : Atmosphere23 Netherlands - Bussum 2023 | Atmosphere '23 I think it´s a good a Idea to Sync Intune Attributes Like Devicename / Intune DeviceID / EntraDeviceID with the Clearpass Intune Integration on a 30 Min Time Based Interval into Endpoint DB. Also insert the Intune Device ID / EntraDeviceID into the Client Certificate, so that y can do a Lookup into Intune and EntraID and Endpoint DB based on each of the Attributes. We switched from Intune Integration real time lookup to Lookup in Endpoint DB based on Device ID. This will work even when Intune / Entra API´s are not reachable (MS issues or WAN Issues), and will be updated every 30 Min.  I found a lot of usefull Information here Clearpass not getting group membership from EntraID | Security hope to help you a little. 

hello Jonas,

Thanks for your response, then in this case i believe it is meaningless to use TEAP since authentication isnt taking place, the attributes needed can be retrieved from one certificate (e.g. UPN for entraID and DeviceID for intune), my question here is if we want to use machine authentication then we'll need to enroll the device with certificate with intune device ID as well as UPN in the SAN field, will clearpass be able to fetch the attributes from both entraID and intune ? Your insights on this are highly appreciated ! 

thanks 

When you are using EAP-TEAP ClearPass will only have certificate attributes from one of the certificates available for authorization. If you are only performing Method 1 authentication you will have the information from the computer certificate. If both Method 1 and 2 is successful you will only see the the user certificate attributes in ClearPass. On way to work around this is to populate the user certificate with machine information as well during certificate enrollment.

There are several discussions related to this.

thanks for the response, 

i'm planning to test EAP-TEAP with the above scenario, that is UPN will be fetched from user certificate (method 2), and intune device ID from local computer certificate (method 1), then leverage on the attributes retrieved from entraid and intune to authorize the users ... is the above logic correct ? appreciate your insights if had previous experience with the above flow ... 

thank you !

Yes, ClearPass should be able to read all the attributes in the SAN field. Make sure to have the latest version of the Intune Extension as there are updates in how the information is parsed.

I don't fully understand what you mean regarding authentication not taking place. With both EAP-TLS and EAP-TEAP in cooperation with Entra ID and Intune the authentication is a pure PKI based authentication based on the certificates. Authorization is done towards either Entra ID and/or Intune.

hello Jonas,

Thanks for your response, then in this case i believe it is meaningless to use TEAP since authentication isnt taking place, the attributes needed can be retrieved from one certificate (e.g. UPN for entraID and DeviceID for intune), my question here is if we want to use machine authentication then we'll need to enroll the device with certificate with intune device ID as well as UPN in the SAN field, will clearpass be able to fetch the attributes from both entraID and intune ? Your insights on this are highly appreciated ! 

thanks 

When you are using EAP-TEAP ClearPass will only have certificate attributes from one of the certificates available for authorization. If you are only performing Method 1 authentication you will have the information from the computer certificate. If both Method 1 and 2 is successful you will only see the the user certificate attributes in ClearPass. On way to work around this is to populate the user certificate with machine information as well during certificate enrollment.

There are several discussions related to this.

thanks for the response, 

i'm planning to test EAP-TEAP with the above scenario, that is UPN will be fetched from user certificate (method 2), and intune device ID from local computer certificate (method 1), then leverage on the attributes retrieved from entraid and intune to authorize the users ... is the above logic correct ? appreciate your insights if had previous experience with the above flow ... 

thank you !

Herman Robers did a good explanation here : Atmosphere23 Netherlands - Bussum 2023 | Atmosphere '23 I think it´s a good a Idea to Sync Intune Attributes Like Devicename / Intune DeviceID / EntraDeviceID with the Clearpass Intune Integration on a 30 Min Time Based Interval into Endpoint DB. Also insert the Intune Device ID / EntraDeviceID into the Client Certificate, so that y can do a Lookup into Intune and EntraID and Endpoint DB based on each of the Attributes. We switched from Intune Integration real time lookup to Lookup in Endpoint DB based on Device ID. This will work even when Intune / Entra API´s are not reachable (MS issues or WAN Issues), and will be updated every 30 Min.  I found a lot of usefull Information here Clearpass not getting group membership from EntraID | Security hope to help you a little.