What information do you have in the certificates for the user and computer? Is it Windows computers or other devices you have in Intune?
With EAP-TLS you will only utilize one certificate, either the computer certificate or the user certificate. The machine certificate is presented when no user is authenticated and the user certificate when a user has logged on to Windows.
With EAP-TEAP you can send both certificates at the same time, but ClearPass will only utilize information from one of the certificates for Authorization. I think it's the user certificate it will utilize if a computer has a logged on user, otherwise the machine certificate information.
In your case the Intune lookup in the Endpoints repository should be able to find the MAC address of the WLAN NIC, but remember that a wired NIC MAC address isn't populated by Intune and thus not searchable in the Endpoints repository or the Intune Extension. If you are planning to use wired NICs, you must have the Intune ID in the certificate and search for this information.
Have you verified that the username in the certificate and in Entra ID match?
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Nov 12, 2025 06:22 AM
From: Ashish619
Subject: Intune-Entra ID Authentication Layer
Hi All,
We are working to enhance ClearPass authentication by integrating both Intune and Microsoft Entra ID. Our goal is to combine device and user information to enable a machine/user authentication model.
Specifically:
We want to leverage Intune to retrieve device details.
We want to use Entra ID (Azure AD) to fetch user details.
By combining both sources, we aim to provide a unified authentication mechanism that considers both the device and the user.
To achieve this, we have implemented the Intune extension in ClearPass and added Entra ID as an additional authentication source. The next step is to create a ClearPass service that utilizes both sources to perform authentication, ensuring that both device compliance and user identity are verified during the login process.

With Intune Sources Attributes as:

and Entra Attributes as:
user query:users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes
Device Query: device:devices?$select=id,displayName,accountEnabled,isCompliant&$filter=deviceId eq %{Certificate:Subject-L};deviceGroups:devices/%{device:id}/memberOf?$select=displayName
But we are having an issue with the following error:
Enforcement Policy:
Role Mapping

But we get an error every time
Thanks for the help
Ash
-------------------------------------------