I am new to Vpro and have quite a few questions. The scenario that I have, is that I need to get Vpro up and running using Active Directory integration. We are also using 8021x network security and this is the part that is causing me some consternation. I am far from being an expert in any of this, so please prepare your selves for some questions that may be fundamentally misguided or downright stupid.
When creating SCS profiles there are various passwords to consider but I am confused about them. For instance, if we take AD out of our thinking for a moment - am I correct in thinking that the MEBx password is the one that is used when performing a KVM session? So, if using VNC Plus, you have to enter the target AMT device admin id and password values? And this password has nothing to do with AD authentication, right? Or is the built in AMT device Admin account used? Or is this one and the same?
Now, thinking about AD integration, the AMT device is added into AD when it is provisioned. When a support engineer wants to remote control a computer that has I ssume that:
1. AD is used to check that the support agent has the rights to access the AMT AD object
2. If the support engineer does have the rights to the AMT AD object to, say, remote control using KVM, then he must enter the MEBx ID and password into VNC Plus to take control of the AMT device.
Ideally, we will be able to use authenticate these devices to be able to remote control out of band using 8021x methods - our network guy is working on that. However, just in case our 8021x implementation provide a stumbling block, we need to have another option for authentication. One idea is to have alist of all AMT devices and passwords held on our Cisco ACS thereby allowing an 8021x exception rule to be put in place. Is this feasible? I also know that you can specify a digest user; could this be used to access all AMT devices? Or is this inherrently insecure and stupid?
If it is feasible, then the next question is how do we set the passwords for the AMT devices? I thought that maybe we could use a Digest Master Password and somehow use this to authenticate all AMT devices and bypass 8201x. Is this possible? Or is there a better way? How do you guys do this? I'd like to avoid static passwords for all AMT devices if possible.
Of course, ideally we would like to get 8021X working with our PEAP and MS-Chap implentation. If anyone does have any experience of Vpro and 8021X then I would really be interested to know about your success and the pitfalls that you encountered.