Our network is configured with 1.x authentication along with MAB (Mac address bypass), but this sort of is a problem, when we want to provision new clients. We have been trying to configure Intel RCS, in order to cope with the problem without having any luck until now. So we figured, it might be the "right time" for a reality check with the community before we keep on banging our heads against the wall and keep on cursing the technologies
- 802.1x authentication enabled network with MAB.
- New client prepared/configured with USB stick to add an 802.1x profile for IntelAMT.
Now to the problem, when we configure the clients, password and other options are sett. But we are unable to see any sort of certificate information or profile information in the AMT boot menu or what is now called, which you get after pressing Crtl + P
But because password and other settings are configured, we figure not showing certificates and policy is by design? Any how, when we now try to PXE boot nothing happens, as the Switch is only allowing EAPOL traffic. So now there are a couple of questions:
1) First off, is the configuration above mentioned ok? Or do we need to configure anything else?
2) In order for Intel SCS to work, does the server needs to be on the same vlan as the clients, even if the clients have been configured using USB pen?
3) Are there any network requirements in order to get PXE to work on an 802.1x enabled interface, i mean do we have to configure anything specifically on the switches or would it be broadcast traffic that is picked up by the Intel SCS server which in turn takes care of the rest?
4) When and 802.1x profile has been defined for Intel AMT, is a new certificated issued for each client that is PXE booted? And if so, which client receives the certificate, is it the Intel SCS server or the PXE booting client?
I cant seem to find any sort of documentation describing the purpose and theory behind 802.1x profiles and how they are used with Intel AMT, is there any documentation that I can get in order to learn more or implement this correctly? The only thing found in intel SCS is the procedure to set it up, without describing how the concept actually works and how it can assist in different scenarios. Hope some one/anyone can help me out here. We have 15K clients that are planned to be rolled out by this solution, if this is not supported, well I guess we have to start looking for new jobs ...
Looking for your configurations some think called my attention, you selected EAP-FAST but also defined an 802.1x certificate template, while the only certificate required is the root certificate to establish EAP tunnel. Can you confirm?
I don't have details about your 802.1x infrastructure, but at least for Microsoft infrastructure, i.e. Microsoft RADIUS/NPS using EAP-PEAP (MSCHAPv2) or EAP-TLS you can't provision by USB because you need "interaction" with your infrastructure, i.e. AD, CA, DNS, etc.
Assuming that you are using EAP-TLS or EAP-PEAP, you must provision from OS using the ACUConfig.exe utility (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=20921 further details in chapter 6 of Intel SCS User Guide), and in the provision process, Intel SCS Server (aka. RCS) will act as a proxy to create computer object in AD to enable kerberos authentication/integration with AD, also will place the root CA in ME firmware and issue a authentication certificate (for EAP-TLS) and/or place the previous AD object created in the correspondent security group (in case that you use AD groups for this purpose).
With further details about your environment, I can better help you.
Thanks for the reply. Yes you are spot on. This profile has been taken from a test environment and is not configured correctly. Let me describe the environment a bit better
We have about 25,000 Client that are to be updated and most probably replaced by new machines. New machines will support intelAMT. Now the reason we want machines with vPro is because we want to be able to PXE boot one 802.1x enabled network the first time the machines are connected to wired network.
An Intel SCS server has been configured and the profiles above have been created. Further more, a usb pen is used to copy inn the profile (Intel AMT), this USB stick has been generated by using the SCS server where we had created the policies. The main reason we do want to use intelAMT is to be able to PXE boot the first time a machines is connected to the network. So in simple steps the logic what we think is as following
1) Configure machine's Intel Management engine Bios Extension (MEBx) using USB stick
2) PXE boot on LAN
3) --------------------------------------> Here the entire process breaks!
Because we have configured an 802.1x profile and it is set using the USB stick, we expect the machine to be able to PXE boot, but it does'nt as the Switch port i only allowing EAPOL traffic, while the klient is stuck with PXE traffic. Now no IP is assigned, neither is the switch alowing for
On the radius side we are using Avaya Radius solution, and we are as you identified using EAP-PEAP. The machines that we get, are not preinstalled, or contain any sort of image. So we are required to boot the machines up and install windows on them. But as you might see, the problem is that we are using 802.1x so the clients dont get connected to the network. We thought that some how Intel SCS will magically allow the client to receive IP address and be authenticated as the profile contains both the root CA certificate as well as SCS provisioning certificate. Could you please describe the available options we have? Our primary goal is to be able to PXE boot on 802.1x enabled network. If intel AMT, does not provide this added functionality or capability then we might even consider machines with Intel AMT. Thanking you in advance for the help.
Unfortunately, we can't put 802.1x parameters into firmware using USB Key - for further details, read pag 135 of https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=20921# _ga=1.146851319.1309797789.1400866221 Intel SCS Manual - that is the reason that you are not seeing in switch and RADIUS this machine as supplicant. In order to achieve what you need, you may use an USB Key with WinPE and into Windows Pre-installation environment, provision the machine using Host Based Configuration method. However, if your RADIUS requires AD integration, you probably won't succeed since it's required to connect to you AD to create AMT object and 802.1x will not allow - unless you provide access through a quarantine network.
Have a great weekend.
Thanks for the reply. That at least rules out the usage of Intel AMT to in order to support PXE boot on 802.1x enabled network. I had seen so many threads regarding that people had considered it, but then had chosen to take another path, I guess now I know why, and thanks to you guys. You rock