If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 25, 2026 05:11 AM
From: sc2111
Subject: EntraID authorization issue
Even after upgrading to 6.12 we got this error in the tracker log
| 2026-03-25 10:06:35,857 | [HttpModule-ThreadPool-3-0x7f772d99e700 r=R000a0556-08-69c3a59b h=129] ERROR Http.HttpAutzSession - Failed to get value for attributes=Groups, device.Enabled, device.displayName, id] |
Original Message:
Sent: Feb 24, 2026 04:00 AM
From: Herman Robers
Subject: EntraID authorization issue
As far as I know, with ClearPass 6.11 you can only use the default queries, and you can only use a few attributes in your enforcement, which include the user's group membership but almost certainly exclude device membership. The Azure AD integration in 6.11 is a first release, and the 'limitations' mentioned, and probably what you experience, have been improved significantly in 6.12.
If you see an empty response in Graph Explorer, you are using the wrong device ID. As mentioned earlier, the Device_Id (Intune) is different from and independent of the AAD_Device_ID. If you can't make a working Graph API call, it won't work in ClearPass. And if you need a customized Graph API call, use ClearPass 6.12. I would personally not spend any time on customizing the Entra ID integration with ClearPass 6.11.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Feb 24, 2026 03:36 AM
From: sc2111
Subject: EntraID authorization issue
Hello @Herman Robers
Upgrading to 6.12 is certainly the next step we're going to take, but in the meantime we'd like, if possible, to accomplish the "basic" group membership authorization using the device ID.
In the SCEP profile we tried pushing the AAD_Device_ID as both CN and SAN, but it seems that the query filter in ClearPass is not able to identify the device and returns nothing.
Even a query with Graph Explorer using the Device ID that we see in the device properties in Entra reports empty results.
If the query is made by the object ID, it reports the device's membership.
So I wonder if such a query would work even with 6.11, or whether we had better stop trying and wait for the 6.12 update; but then we wonder how everyone else has been doing it so far.
Thanks for your help.
Original Message:
Sent: Feb 20, 2026 10:02 AM
From: Herman Robers
Subject: EntraID authorization issue
If you want to do Device group lookups, you should upgrade to ClearPass 6.12. You can't reliably change the EntraID query in 6.11, which is one of the improvements in 6.12 to support full custom GraphAPI.
You would use the DeviceId to look up Intune attributes, including Intune device group membership (note that device group membership in Intune and Entra ID may be different); you mentioned you don't use the Intune extension, so this does not apply.
You would use the AAD_Device_ID to look up device information in EntraID, like Entra ID group membership; and use the EntraID Authentication source in ClearPass 6.12.
You would use the UserPrincipalName to look up user information in EntraID, like User group membership, email, department, etc; and use the Azure AD authentication source in 6.11 or Entra ID Authentication Source in 6.12.
If you want to do a bit more than only really basic in Entra ID, upgrading to ClearPass 6.12 is strongly recommended.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Feb 18, 2026 02:52 AM
From: sc2111
Subject: EntraID authorization issue
Hello @mholden
Thanks for your help.
So if I get it right:
- Since we're still on 6.11.7, should we use the following query?
If you are looking for EntraID auth, note in earlier version of 6.11 there was an incorrect EntraID device Filter Query
The 6.12 documentation has the correct Device Query now.
device:devices?$select=id,displayName&$filter=displayName eq %{Certificate:Subject-CN};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
But then in the Subject-CN we have to have the device "hostname"?
Regarding the SCEP profile to use,
should we change to the following, then?
- DeviceId:{{DeviceId}} - Used for Intune attributes lookup.
- AAD_Device_ID:{{AAD_Device_ID}} - Used for both Intune attributes and Device group membership lookup.
- UserPrincipalName:{{UserPrincipalName}} - Used for User group lookup only when user group lookup using extension is enabled.
Just a note: we did not install the Intune integration; we just need to do the authorization with Entra ID.
Thanks
Original Message:
Sent: Feb 18, 2026 01:09 AM
From: mholden
Subject: EntraID authorization issue
It appears that your SAN configuration in the SCEP template in Intune is incorrect.
Please check the Intune TechDoc "What's new in ClearPass Intune Extension v6.3"
The SCEP profile in Intune should be configured in the SAN as
- DeviceId:{{DeviceId}} - Used for Intune attributes lookup.
- AAD_Device_ID:{{AAD_Device_ID}} - Used for both Intune attributes and Device group membership lookup.
- UserPrincipalName:{{UserPrincipalName}} - Used for User group lookup only when user group lookup using extension is enabled.
Ref: https://arubanetworking.hpe.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/#whats-new-in-clearpass-intune-extension-v63-
Also note,
"Any attribute value in the SAN URI that does not have any one of the above KEYs before them is considered as a standalone value and is considered as DeviceId by default to maintain backward compatibility for environments that are already setup with DeviceId in the SAN URI field of the client certificates for real-time lookups against Intune or environments that have Strong Mapping enabled."
The keyed value above doesn't appear to be one of the supported keys (DeviceId), and the unkeyed value appears to be the AAD Device ID, which won't work with http://{IP_of_the_Extension}/device/info/id since that's looking for the Intune Device ID.
Ref: https://arubanetworking.hpe.com/techdocs/NAC/clearpass/integrations/unified-endpoint-management/intune/#whats-new-in-clearpass-intune-extension-v63-
I think you're likely looking for Intune AuthZ (Graph calls via the Intune Extension Docker, then Graph), rather than EntraID AuthZ (Graph Calls to Microsoft not the Docker Extension)
It could work with the "HTTP://IP_of_the_Extension/realtimeDeviceGroup/" but I think that's set to look for a keyed value.
If you are looking for EntraID auth, note in earlier version of 6.11 there was an incorrect EntraID device Filter Query
The 6.12 documentation has the correct Device Query now.
device:devices?$select=id,displayName&$filter=displayName eq %{Certificate:Subject-CN};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
Ref: https://arubanetworking.hpe.com/techdocs/ClearPass/6.12/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Entra.htm
Hope that helps!
Original Message:
Sent: Feb 17, 2026 05:34 AM
From: sc2111
Subject: EntraID authorization issue
We're having an issue while trying to use Entra ID to authorize devices based on group membership.
Authentication is successful, but then the authorization part fails.
The Azure Authorization source connection has been tested and is working.
Looking at the log for the device connection, we found the following errors.
| 2026-02-17 11:15:58,257 | [RequestHandler-1-0x7fc6dffe2700 h=34451617 c=R00a9c1e6-08-69943fde] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping ** |
| 2026-02-17 11:15:58,258 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9c1e6-08-69943fde h=34451617 c=R00a9c1e6-08-69943fde] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction ** |
| 2026-02-17 11:15:58,258 | [HttpModule-ThreadPool-6-0x7fc727fff700 r=R00a9c1e6-08-69943fde h=132] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =azure/getAuthorization?username=%{device:id}&auth_source=3008, error=No values for param=device:id |
| 2026-02-17 11:15:58,258 | [HttpModule-ThreadPool-6-0x7fc727fff700 r=R00a9c1e6-08-69943fde h=132] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from azure/getAuthorization?username=%{device:id}&auth_source=3008 |
| 2026-02-17 11:15:58,258 | [HttpModule-ThreadPool-6-0x7fc727fff700 r=R00a9c1e6-08-69943fde h=132] ERROR Http.HttpAutzSession - Failed to get value for attributes=Groups, device.Enabled, device.displayName, id] |
| 2026-02-17 11:15:58,259 | [RequestHandler-1-0x7fc6dffe2700 h=34451619 c=R00a9c1e6-08-69943fde] INFO Core.PETaskRoleMapping - Roles: Guest], Machine Authenticated] |
| 2026-02-17 11:15:58,259 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9c1e6-08-69943fde h=34451617 c=R00a9c1e6-08-69943fde] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping ** |
| 2026-02-17 11:15:58,259 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9c1e6-08-69943fde h=34451617 c=R00a9c1e6-08-69943fde] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult ** |
EDIT:
The error above was due to the query filter, which had probably been inserted with some extra characters; now we don't get that error anymore, but we still cannot fetch the device's properties from Entra ID.
| 2026-02-17 11:49:12,618 | [RequestHandler-1-0x7fc6dffe2700 h=34516459 c=R00a9ce52-08-699447a7] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement |
| 2026-02-17 11:49:12,619 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9ce52-08-699447a7 h=34516457 c=R00a9ce52-08-699447a7] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg= |
| 2026-02-17 11:49:12,619 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9ce52-08-699447a7 h=34516457 c=R00a9ce52-08-699447a7] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device |
| 2026-02-17 11:49:12,619 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9ce52-08-699447a7 h=34516454 c=R00a9ce52-08-699447a7] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg= |
| 2026-02-17 11:49:12,619 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9ce52-08-699447a7 h=34516446 c=R00a9ce52-08-699447a7] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder ** |
| 2026-02-17 11:49:12,619 | [RequestHandler-1-0x7fc6dffe2700 r=R00a9ce52-08-699447a7 h=34516446 c=R00a9ce52-08-699447a7] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement ** |
Here is the device's certificate.
EDIT2:
Looks like the query using the "device id" in the certificate does not return any results, since the "object id" should be used instead, which is not available as a parameter usable by Intune to create the certificate.
Thanks
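As an added illustration (not code from this thread, from HPE, or from ClearPass), here is a Python model of two pieces discussed above: the keyed SAN URI scheme quoted from the Intune extension TechDoc in mholden's reply, and the two-step Entra device query whose %{device:id} placeholder stays empty when the first lookup matches nothing, which is the "No values for param=device:id" warning in the log above. The directory contents, device names and ids are constructed.

```python
import re
from typing import Dict, List, Optional

# Keys the Intune extension TechDoc (quoted in the thread) recognises in the SAN URI.
KNOWN_KEYS = ("DeviceId", "AAD_Device_ID", "UserPrincipalName")
PARAM = re.compile(r"%\{([^}]+)\}")  # ClearPass-style %{namespace:attribute} placeholder

# Constructed stand-in for the Entra ID device directory: displayName -> object id.
# The object id is what memberOf needs; it is not the AAD_Device_ID.
FAKE_DIRECTORY = {"LAPTOP-0001": "8d3c0a2e-objectid-0001"}

DEVICE_QUERY = "devices?$select=id,displayName&$filter=displayName eq %{Certificate:Subject-CN}"
GROUPS_QUERY = "devices/%{device:id}/memberOf?$select=displayName"


def parse_san_entries(entries: List[str]) -> Dict[str, str]:
    """Map SAN URI entries to attributes. Entries with a known KEY: prefix are stored
    under that key; an unkeyed entry falls back to DeviceId, as the TechDoc's
    backward-compatibility rule describes."""
    attrs: Dict[str, str] = {}
    for entry in entries:
        entry = entry.strip()
        key, sep, value = entry.partition(":")
        if sep and key in KNOWN_KEYS:
            attrs[key] = value
        elif entry:
            attrs.setdefault("DeviceId", entry)
    return attrs


def resolve(template: str, values: Dict[str, str]) -> str:
    """Substitute %{...} placeholders; a missing or empty value raises KeyError,
    the condition ClearPass logs as 'No values for param=...'."""
    def sub(m: re.Match) -> str:
        if not values.get(m.group(1)):
            raise KeyError(m.group(1))
        return values[m.group(1)]
    return PARAM.sub(sub, template)


def device_groups_query(subject_cn: str) -> Optional[str]:
    """Run the two-step query from the 6.12 docs: resolve the device by displayName,
    then build the memberOf path from the returned object id. Returns the resolved
    memberOf path, or None when step one finds no device (e.g. CN holds an AAD_Device_ID)."""
    params = {"Certificate:Subject-CN": subject_cn}
    step1 = resolve(DEVICE_QUERY, params)
    # Simulated Graph call: match on displayName only, exactly as the $filter does.
    object_id = FAKE_DIRECTORY.get(step1.rsplit(" eq ", 1)[1])
    if object_id:
        params["device:id"] = object_id  # the 'device' step feeds the 'deviceGroups' step
    try:
        return resolve(GROUPS_QUERY, params)
    except KeyError as missing:
        print(f"No values for param={missing.args[0]}")  # same failure as the log line
        return None
```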