Aruba Apps

Hello,

We are in the process of deploying a new CPPM cluster. All cluster members are online and connected to our publisher. When we thought about building AuthN policies, we thought InTune would be helpful. Using the ClearPass Integration Guide for MS InTune the extension was installed and configured for periodic sync mode. We don't need real time, so we didn't configure HTTP AuthZ. We carved out a /24 for the extension network, using the same IP for the extension on the publisher and subscriber. The API configuration in AAD is straight from the document, using Application.Read.All instead of the other options for Graph.

These lines in the logs showed as green and proves connectivity to InTune is working.

[2023-01-12T15:02:32.937] [INFO] Intune - Getting page 17 of devices...
[2023-01-12T15:02:33.194] [DEBUG] Intune - Request "GET 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=50&$skiptoken=LastDeviceName'" took 257 ms.
[2023-01-12T15:02:33.194] [INFO] Intune - Got 50 devices to process.

These are failures and the logs were taken from different times. Wanted to show different errors I have seen.

[2023-01-12T15:02:36.008] [DEBUG] Intune - Failed request "GET '/endpoint'" took 2.810 Seconds.
[2023-01-12T15:02:36.008] [ERROR] Intune - There was a problem loading existing endpoints for the device *-*-*-*-* (connect EHOSTUNREACH 172.25.127.5:443).
[2023-01-12T13:50:21.612] [DEBUG] Intune - Failed request "GET '/server/version'" took 3.192 Seconds.
[2023-01-12T13:50:21.612] [ERROR] Intune - Error loading version information. connect EHOSTUNREACH 172.25.127.5:443
[2023-01-12T13:50:21.615] [DEBUG] Intune - Failed request "GET '/endpoint/mac-address/************'" took 3.076 Seconds.

Troubleshooting has been painful, in that there is no documentation. We sit behind a proxy and have a dedicated Fortigate in Azure. I created an IPv4 permit policy at the top of our list for CPPM, and the extension still gets errors. The new policy gets hits showing permitted connections, not that it was showing denies before. This policy was created to eliminate any issues. Well, that's it. If you see something I missed, or have a question please let me know.

Thanks

From the logs, it appears that the Intune extension is configured for the IP address 172.25.127.5, which should be the same on all of your nodes, as well the Intune extension needs to be installed and run on each of your nodes.

The second block of messages tells you that the IP 172.25.127.5 is not reachable, which either means the Intune extension is not running on the system where you see the message, or the extension is running on a different IP address. The extension subnet is only accessible from the ClearPass node itself.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

I can help you out with this, as I have this fully setup in our environment.  Aruba support is pretty trash, so I wouldn't suggest that.

Check your Extensions Network Address on both servers in the cluster:
Policy Manager -> Administration -> Server Manager -> Server Configuration -> select your server -> Service Parameters -> Select ClearPass system services.

Under Extensions, make sure you have a network setup that is not being used anywhere else.  The default value is 172.17.0.1/16.  The clearpass server will create an internal network (not accessible by anything) to communicate with the extensions.

When you setup/install your extension, make sure to give it a address on the 172.17.0.0/16 network (or what ever network you setup) and ensure that you do not us the IP address that was setup for the clearpass extensions address (172.17.0.1).  When you set this up, make sure to use the same IP on the extension for the publisher and subscriber.

Here is my Extension Config:

Publisher - 172.17.0.2

{
    "logLevel": "DEBUG",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "REMOVED",
    "clientId": "REMOVED",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "30 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": false,
    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,
    "intuneAttributes": null,
    "enableUserGroups": true,
    "userGroupUpdateSchedule": "30 * * * *",
    "bypassProxy": true,
    "enableStats": true,
    "statsUsername": "",
    "statsPassword": "********",
    "restartPolicy": "always"
}

Subscriber - 172.17.0.2:
{
    "logLevel": "DEBUG",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "REMOVED",
    "clientId": "REMOVED",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "0 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": false,
    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,
    "intuneAttributes": null,
    "enableUserGroups": true,
    "userGroupUpdateSchedule": "0 * * * *",
    "bypassProxy": true,
    "enableStats": false,
    "statsUsername": "",
    "statsPassword": "********",
    "restartPolicy": "always"
}

Things to note:
The user group mapping - I have that enabled but I haven't been able to use it.  It isnt a supported feature.  I can see in the debug logs where is is working perfectly but I have no way to query it.
"restartPolicy": "always" - Make sure to add this.  Not in the documentation but if you don't have it, the extenstion will not start when the server is rebooted and you will need to manually restart the extenstion.
syncAllSchedule - Make sure your Publisher and Subscriber is set to sync at different times.  I have one system to sync at 30 mins past the hour and the other to sync on the hour.

Azure:
Go to AAD Admin center -> Applications -> App registrations -> Create an App or go to the app you created -> API permissions:
Intune: get_device_compliance : Type Application
Graph: DeviceManagementApps.Read.All: Type Application
Graph: DeviceManagementManagedDevices.PrivilegedOperations.All: Type Application
Graph: DeviceManagementManagedDevices.Read.All: Type Application
Graph: DeviceManagementManagedDevices.ReadWrite.All: Type Application (only need write permissions if you want to CSA)
Graph: Directory.Read.All: Type Application
Graph: Group.Read.All: Type Application (needed for the unsupported sync users group option)
Graph: User.Read.All: Type Application (needed for the unsupported sync users group option)
Remove the delegated permission that the user guide shows.  The delegated permission will not work.
Make sure the status for all of your API permissions shows a green checkmark for admin consent.

Go to AAD Admin center -> Applications -> App registrations -> Create an App or go to the app you created -> Certificates & secrets:
You will need to create a secret here for clientSecret in the JSON config.  The Value is what you want and not the actual Secret ID.  Make sure you have something that will alert you to when this expires, as you do not want this randomally failing on you due to the client secret expiring. 

That should get the extension working for you.  I can help you with policies/auth methods/CSAs if you need - just let me know.

Also, if you need to get user groups/device groups, I can help with that as well.  I use an Azure auth source to group user group information.  I have the Aruba ClearPass Universal Authentication Proxy extension running against graph to grab device group information (very custom/not documented anywhere).

If all else fails, try uninstalling and reinstalling the extension.

Good luck and let me know if you have any issues!

The CPPM cluster is online and connected to the publisher, and InTune is being used to build AuthN policies.

The InTune extension is installed and configured for periodic sync mode, and a /24 network has been carved out for it.

Connectivity to InTune is confirmed to be working with successful requests, but errors have been encountered with failed requests while troubleshooting.