Implementing and Evaluating a ClearPass – Intune Integration for Secure Network Access Control
Granberg, Rasmus (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025051210721
https://urn.fi/URN:NBN:fi:amk-2025051210721
Tiivistelmä
Modern enterprise networks require dynamic and context-aware access control to mitigate risks associated with unauthorized or non-compliant devices. Traditional methods, such as static VLAN assignment and MAC address filtering, lack scalability and fail to account for device posture, and are vulnerable to misconfigurations and common attack techniques such as MAC spoofing. This thesis presents the implementation and evaluation of a certificate- and compliance-driven access control solution using Aruba ClearPass Policy Manager, Microsoft Intune, and an on-premises Public Key Infrastructure (PKI).
The project focused on securing wired LAN access by authenticating devices with EAP-TLS and evaluating their compliance status in real-time via Intune. ClearPass was configured as the central policy engine, dynamically assigning VLANs based on certificate presence and device compliance. Devices that passed authentication and posture checks were granted access to internal resources, while non-compliant or unknown devices were placed in restricted VLANs. Fallback MAC authentication was used for printers and legacy devices, restricting them to isolated VLANs.
The testing confirmed that the solution enforced access policies consistently across different switch platforms, including Aruba CX and HPE ProCurve. Integration challenges such as synchronization delays and limited legacy switch functionality were identified. The resulting architecture improved security, reduced administrative workload, and provided a scalable foundation for future network access control enhancements.
The thesis concludes that integrating ClearPass with Intune and PKI enables modern, secure and manageable access control aligned with zero trust principles. Recommendations for improving the setup include optimizing certificate lifecycle management and phasing out legacy network equipment. Future development could include extending the implementation to wireless networks, enhancing guest access capabilities, and enabling advanced features such as device profiling and dynamic role-based policies.
The project focused on securing wired LAN access by authenticating devices with EAP-TLS and evaluating their compliance status in real-time via Intune. ClearPass was configured as the central policy engine, dynamically assigning VLANs based on certificate presence and device compliance. Devices that passed authentication and posture checks were granted access to internal resources, while non-compliant or unknown devices were placed in restricted VLANs. Fallback MAC authentication was used for printers and legacy devices, restricting them to isolated VLANs.
The testing confirmed that the solution enforced access policies consistently across different switch platforms, including Aruba CX and HPE ProCurve. Integration challenges such as synchronization delays and limited legacy switch functionality were identified. The resulting architecture improved security, reduced administrative workload, and provided a scalable foundation for future network access control enhancements.
The thesis concludes that integrating ClearPass with Intune and PKI enables modern, secure and manageable access control aligned with zero trust principles. Recommendations for improving the setup include optimizing certificate lifecycle management and phasing out legacy network equipment. Future development could include extending the implementation to wireless networks, enhancing guest access capabilities, and enabling advanced features such as device profiling and dynamic role-based policies.