idata
Community Manager
873 Views

AMT on SNAC/NAC

Running Intel AMT with FW 5.0.2.1121 in Enterprise (PKI) mode along with Symantec SNAC on Cisco switches.

We want to utilize the option to wake up powered off machines with AMT, but with our current config the machine is unauthenticated to RADIUS and hence is not assigned a VLAN while powered off. Is there a way to hard-code a username/password in the AMT firmware so the machine is authenticated and assigned a VLAN while powered down?

An option would be to use the IOS port config "authentication event no-response action authorize vlan X" to assign the port to a specific VLAN when the machine is unauthenticated. Then the port would sit in that VLAN (even if it gets powered on) until the port is set to re-authenticate, by default after 60 minutes.

This solution will also invalidate the complete SNAC solution as any unauthorized machine will be assigned VLAN X instead of the remediation VLAN.

Any thoughts on this? What's your experience on running AMT along with NAC?

Cheers

Rolf

This is our current port config (IOS 12.2(50)SE3)

interface FastEthernet0/1
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan YY
 authentication control-direction in
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
1 Reply
idata
Community Manager
62 Views

A recommendation from our testers:

1. Configure Intel AMT to use a power package that is on in S5. In this way, Intel AMT will be on when the host is off.

2. Configure Intel AMT to work with 802.1x and NAC. Then Intel AMT can maintain a connection and send postures when the host is off.

3. Use a hardcoded username and password.
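An added example, not part of either post and not Intel, Symantec or Cisco code: a small audit that reads IOS interface stanzas and reports ports where the "authentication event no-response action authorize vlan" fallback discussed in the question places unauthenticated machines somewhere other than the remediation VLAN. The VLAN numbers, the sample config and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: stanzas modelled on the port config in the question, with
# the fallback line added. VLAN numbers are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication control-direction in
 authentication event no-response action authorize vlan 30
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/3
 switchport mode access
 authentication event no-response action authorize vlan 99
 authentication port-control auto
!
"""

FALLBACK = re.compile(r"^authentication event no-response action authorize vlan (\d+)$")

def parse_interfaces(config):
    """Split a config into {interface name: [stripped sub-commands]}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                      # tolerate blank lines inside a stanza
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line == "!" or not raw.startswith(" "):
            current = None                # stanza ended
        elif current:
            ports[current].append(line)
    return ports

def audit_fallback(config, remediation_vlan):
    """Return (port, vlan) for 802.1X ports whose no-response VLAN is not the remediation VLAN."""
    findings = []
    for port, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue                      # port is not under 802.1X control
        for m in filter(None, map(FALLBACK.match, cmds)):
            if int(m.group(1)) != remediation_vlan:
                findings.append((port, int(m.group(1))))
    return findings
```

Calling `audit_fallback(SAMPLE_CONFIG, remediation_vlan=99)` on the constructed sample flags only FastEthernet0/1, where the fallback points at VLAN 30.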