- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running Intel AMT with FW 5.0.2.1121 in Enterprise (PKI) mode along with Symantec SNAC on Cisco switches.
We want to utilize the option to wake up powered off machines with AMT, but with our current config the machine is unauthenticated to radius and hence is not assigned a VLAN while powered off. Is there a way to hard-code a username/password in the AMT firmware so the machine is authenticated and assigned a VLAN while powered down?
An option would be to use the IOS port config "authentication event no-response action authorize vlan X" to assign the port to a specific VLAN when the machine is unauthenticated. Then the port would sit in that VLAN (even if gets powered on) until the port is set to re-authenticate, by default after 60 minutes.
This solution will also invalidate the complete SNAC solution as any unauthorized machine will be assigned VLAN X instead of the remediation VLAN.
Any thoughts on this? What's your experience on running AMT along with NAC?
Cheers
Rolf
This is our current port config (IOS 12.2(50)SE3)
interface FastEthernet0/1
switchport access vlan XXX
switchport mode access
switchport voice vlan YY
authentication control-direction in
authentication host-mode multi-domain
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A recommendation from our testers:
1. Configure Intel AMT to use a power package that is on in S5. In this way, Intel AMT will be on when the host is off.
2. Configure Intel AMT to work with 802.1x and NAC. Then Intel AMT can maintain a connection and send postures when the host is off.
3. Use a hardcoded username and password.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page