
My organization is about to implement 802.1X on our enterprise, but we currently use PXE-based OS deployment sequences in SCCM. I'm looking for a way to continue using PXE in an 802.1X environment. Our infrastructure uses Cisco network gear running at 12.2 (or newer). We are an all Windows network and all clients support 802.1X. All new workstations have Intel AMT available (but not factory configured).

In a worst case scenario, we'll use a guest vlan for OSD, but I'd rather have the OSD occur in an authenticated session. I've seen white papers that describe using AMT to act as a supplicant for PXE boot, but can't find any implementation details...

newmanth
  • My office is still working on this. So far, it appears that in order for us to use AMT as an 802.1X proxy, it has to be provisioned first. The only way to do this in SCCM without already having the client OS installed is to use out-of-band provisioning. This would require us to touch each machine with a USB key (not an option), or set up a guest vlan for OOB provisioning. Because it looks like a guest vlan is required either way (PXE boot or AMT provision), we're looking into that right now. Will post what we learn... – newmanth Dec 20 '10 at 20:24

2 Answers

In the end, we decided the best way for us to use PXE with 802.1X, was to assign unauthenticated machines to a guest VLAN. At the router, the VLAN is ACL'd to only the DC (which also hosts DHCP), Enterprise CA, and PXE servers. We then added ip helper-address entries to the VLAN to both servers.

Once the machine is successfully imaged on the guest VLAN, the operating system then takes over. Our task sequence has it automatically join the domain. Group Policy then directs the machine to obtain a client cert and participate in 802.1X authentication.

The advantage to this method is that we don't have to worry about MAC address bypass or manually disabling/reenabling 802.1X on a port.

MAC address bypass would be difficult for us to do, since it would require us to create user accounts in AD for each machine MAC address. Since the password is the MAC address as well, we would have to disable our password complexity policy, which is a non-starter.

Using AMT as the supplicant would require us to perform out-of-band provisioning, which puts us in a chicken-or-egg scenario.

Thank you to everyone who viewed/provided input on this question.

newmanth
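The guest-VLAN design described in this answer, written out as an added Cisco IOS configuration example (this is illustrative config prepared for this page, not the poster's actual configuration). It uses the `authentication` command set of Catalyst IOS 12.2(50)SE and later; on older 12.2 releases the equivalent interface commands are `dot1x port-control auto` and `dot1x guest-vlan 900`. VLAN 900, the interface name, and the addresses 10.0.0.10 (DC/DHCP), 10.0.0.11 (Enterprise CA), 10.0.0.20 (PXE/SCCM distribution point) and 10.0.0.12 (NPS as RADIUS server) are all assumed values.

```cisco
! --- Global 802.1X setup; NPS acts as the RADIUS server (assumed address) ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.12 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! --- Guest VLAN that bare-metal PXE clients (no supplicant) land in ---
vlan 900
 name GUEST-OSD
!
! The router interface for the guest VLAN: DHCP relay to the DC (DHCP) and the
! PXE server, and an inbound ACL that only lets clients reach the three servers.
interface Vlan900
 description Unauthenticated OSD segment - DC/DHCP, CA and PXE only
 ip address 10.9.0.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.20
 ip access-group GUEST-OSD in
!
ip access-list extended GUEST-OSD
 remark DHCP discover/request from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark DC: DHCP, DNS, Kerberos, LDAP for the task sequence's domain join
 permit ip 10.9.0.0 0.0.0.255 host 10.0.0.10
 remark Enterprise CA: client cert enrollment after the join
 permit ip 10.9.0.0 0.0.0.255 host 10.0.0.11
 remark PXE / WDS / SCCM distribution point
 permit ip 10.9.0.0 0.0.0.255 host 10.0.0.20
 remark Everything else (including other guest-VLAN hosts) is dropped and logged
 deny ip any any log
!
! --- Access port: 802.1X with fallback to the guest VLAN when no EAPOL arrives ---
interface GigabitEthernet0/1
 description Workstation port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 dot1x pae authenticator
 authentication port-control auto
 authentication event no-response action authorize vlan 900
 ! Reach the guest VLAN before the PXE ROM's DHCP retries give up:
 ! time to guest VLAN = (max-reauth-req + 1) * tx-period = 3 * 5 s = 15 s
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

Two points worth checking when deploying this. First, with the default timers (tx-period 30 s, max-reauth-req 2) a port only falls back to the guest VLAN after about 90 seconds, which is longer than many PXE ROMs keep retrying DHCP; the shortened timers above are what make PXE boot succeed reliably. Second, the guest VLAN is only entered when the port sees no EAPOL at all, so once the imaged machine's Windows supplicant starts talking 802.1X (normally at the reboot that ends the task sequence) the port authenticates it into the production VLAN; `show authentication sessions interface GigabitEthernet0/1` shows which VLAN and method a port ended up with, and the `deny ... log` entry in the ACL gives you a record of anything on the guest segment trying to go further than the three servers.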

You could do MAC based auth if 802.1X auth fails and then allow those authorized MACs to be in a PXE only environment via a special PXE only VLAN.

tegbains
  • Thanks tegbains, but that's what we're trying to avoid. I know that this may be the only practical way, but I'm hoping someone in the community has experience using Intel AMT to solve this problem. In order to create a separate VLAN, we would have to change our network architecture to support it (i.e. add a new subnet, configure a DHCP relay agent) and it would require us to go through a network control board. It is a lot easier for us to modify workstations and software images... – newmanth Dec 14 '10 at 20:30
  • When you do 802.1X auth, do you use System, Window, or User based auth? – tegbains Dec 14 '10 at 20:36
  • Our system is configured to use Computer or User authentication. We have access to the NPS server, but want to avoid adding exceptions to policy. – newmanth Dec 14 '10 at 20:40
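For comparison with the guest-VLAN approach, here is the MAC Authentication Bypass (MAB) variant that this answer suggests, as an added Cisco IOS example (illustrative configuration written for this page, not from either poster). On the NPS side it assumes what the question's author describes: an AD account per machine whose user name and password are both the MAC address (IOS sends it as lowercase hex without separators, e.g. the constructed value `0011aabbccdd`), with an NPS network policy for those accounts that returns `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = 802` and `Tunnel-Pvt-Group-ID = 901` so the switch places the port in the PXE-only VLAN. VLAN 901, the interface name, and the addresses 10.0.0.10 (DHCP), 10.0.0.20 (PXE/SCCM) and 10.0.0.12 (NPS) are assumed values.

```cisco
! --- Global setup (same RADIUS/NPS server as for regular 802.1X) ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.12 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! --- PXE-only VLAN that NPS assigns to MAB-authorized MACs ---
vlan 901
 name PXE-ONLY
!
interface Vlan901
 description MAB-authorized bare-metal clients - DHCP and PXE server only
 ip address 10.9.1.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.20
 ip access-group PXE-ONLY in
!
! A MAC is trivially spoofable, so the VLAN a MAB identity buys must be far more
! restricted than a certificate-authenticated session: DHCP plus the PXE host only.
ip access-list extended PXE-ONLY
 permit udp any eq bootpc any eq bootps
 permit ip 10.9.1.0 0.0.0.255 host 10.0.0.20
 deny ip any any log
!
! --- Access port: try 802.1X first, then MAB for clients that never send EAPOL ---
interface GigabitEthernet0/1
 description Workstation port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 dot1x pae authenticator
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 ! Same timer trick as with a guest VLAN: MAB starts after 3 * 5 s of silence
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

Operationally this buys a per-machine enrolment step (creating the MAC account before the box is first plugged in) in exchange for a VLAN decision that NPS makes per MAC, which is exactly the AD password-policy problem the question's author wants to avoid. Note also that a task sequence running in the PXE-only VLAN can pull its boot image but cannot join the domain or enrol a certificate through the ACL above; those steps either need additional permits to the DC and CA, or have to wait until the installed OS authenticates with 802.1X and the port moves to the production VLAN.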