vPro and wired 802.1x?

bri · ‎05-27-2007

I am a network engineer looking to find out how vPro and the various virtual appliances that run on it are going to impact our plans to roll out wired (not wireless!) 802.1x protected ports.

Information that presents a person like me with an overview of what a vPro-enabled device behaves like on the network seems a bit sparse. From what I have read it seems there is a base hypervisor that remains resident in the NIC and communicates over a mutually authenticated channel to a controller.

What I need to know is whether that base hypervisor can be configured to perform 802.1x EAP authentication (and what flavors of EAP are supported) with the network switch, which it will need to do before any traffic is allowed into the switch ethernet port, and this will have to re-occur any time the network link is interrupted or there is a problem on the switch side.

It seems that it is safe to assume that were the hypervisor to be authenticated, any virtual appliances would not need to do so as they would be sharing network communications with the hypervisor?

In addition, the behavior of the device when the system is in soft-off or suspend-to-disk state is a bit murky. Is the hypervisor (and attached VAs) up and running, or does it use a wake-on-lan like mechanism to only run when a console requests interaction? If the latter, I would be interested in the technicals of that protocol from a network configuration perspective.

Pointers to HOWTOs or overviews that are more tuned to the network administrator's perspective would be very appreciated.

Thanks.

fred29210 · ‎05-29-2007

When you reference the base hypervisor I assume you are referring to AMT. If this is the case, the current implementation of desktop AMT offers no support for 802.1x. If the PC is in an OOB state then no communication can occur as there is no authentication mechanism in the desktop version of AMT.

AMT 2.5 for mobile platforms and AMT 3.0 for desktops, desktop not released yet, have support for 802.1x. To what degree the support is offered and how it is implemented I am unsure.

A possible option is to implement a Guest VLAN in your 802.1x implementation. This will allow you to perform AMT/VA functions to repair the PC and then let it re-authenticate itself using the OS layer.

Ajith_I_Intel · ‎05-29-2007

Hello,

Thanks for the question. Support for 802.1x is available starting from AMT 2.5 onwards. Currently the virtual appliance model does not support 802.1x. As for deploying the vPro systems with 2.0, 2.1 firmware in an 802.1x environment, you can setup a VLAN for AMT to be functionalfor out of band scenario. This way you will have access to the box and be able to perform the remediation and utilize other AMT features.

Starting from AMT 2.5 and 3.0, 802.1x is supported and the AMT firmware will be able to perform the authentication in the case when host OS is not available. This will allow for the availability of AMT out of band regardless of the host OS state and power state. There are certain limitations on the availability of AMT in wireless platforms (AMT 2.5) and you can find more details here:

http://softwareblogs.intel.com/2007/05/22/intelr-amt-goes-mobile/

http://download.intel.com/business/business-pc/technical_white_paper.pdf

Hope this helps.

bri · ‎05-29-2007

Thank you both, this is very helpful. Probably more information on the types of EAP supported will be forthcoming when 3.0 desktop debuts, and I'm happy to wait until then for that part. We'd like to avoid guest vlanning these, but it is a workable alternative if it just doesn't work out.

Thanks again.