I'm working on trying to get the username of the MacBook during the authentication request. I have ClearPass and Jamf integrated and it's passing the attributes fine. When a MAC address is already known in the ClearPass database and a MacBook authenticates, I can retrieve that information; that's fine and easy. I have an enforcement policy that just changes the username from the serial number of the MacBook to the username associated with that MAC address from the endpoint DB. radius:ietf --> username --> %{authorization result}.
My problem is when the MacBook connecting is either A.) using MAC randomization or B.) plugging into a hub monitor.
Our MacBooks from Jamf are configured to use the serial numbers as the username.
With those two scenarios, when the MAC address of the MacBook changes based either on randomization or using a hub monitor, how can I get the username of the person logging into the MacBook? ClearPass and Jamf both wouldn't know if the MacBook decided to use a new MAC address based on randomization or when plugging into any hub monitor and begins using a new MAC address.
The other problem I run into with the hub monitors and MacBooks is if User 1 plugs in and auths fine, the Jamf DB gets updated saying User 1 is associated with the MAC address of the hub monitor, and then that gets synced to ClearPass. Well, let's say User 1 leaves and User 2 comes in and plugs their MacBook into the same hub monitor; ClearPass and Jamf both still say that MAC address belongs to User 1, not User 2.
The problem I'm really trying to resolve here, though, is I need to pass the username of the MacBooks to our Palos so they can dynamically open up firewall rules based on whatever they base it on. Without having accurate MacBook data, it's hard to ensure what I'm sending them is 100% accurate.
Is there a way to either do a live lookup into Jamf that takes the serial number and returns the username? Or is there anything else I could do within ClearPass and looking in its databases?
-------------------------------------------