Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2835 Discussions

Vpro Authentication

idata
Employee
‎03-23-2012 09:04 AM
1,658 Views

Hello,

I am new to Vpro and have quite a few questions. The scenario that I have, is that I need to get Vpro up and running using Active Directory integration. We are also using 8021x network security and this is the part that is causing me some consternation. I am far from being an expert in any of this, so please prepare your selves for some questions that may be fundamentally misguided or downright stupid.

When creating SCS profiles there are various passwords to consider but I am confused about them. For instance, if we take AD out of our thinking for a moment - am I correct in thinking that the MEBx password is the one that is used when performing a KVM session? So, if using VNC Plus, you have to enter the target AMT device admin id and password values? And this password has nothing to do with AD authentication, right? Or is the built in AMT device Admin account used? Or is this one and the same?

Now, thinking about AD integration, the AMT device is added into AD when it is provisioned. When a support engineer wants to remote control a computer that has I ssume that:

1. AD is used to check that the support agent has the rights to access the AMT AD object

2. If the support engineer does have the rights to the AMT AD object to, say, remote control using KVM, then he must enter the MEBx ID and password into VNC Plus to take control of the AMT device.

Ideally, we will be able to use authenticate these devices to be able to remote control out of band using 8021x methods - our network guy is working on that. However, just in case our 8021x implementation provide a stumbling block, we need to have another option for authentication. One idea is to have alist of all AMT devices and passwords held on our Cisco ACS thereby allowing an 8021x exception rule to be put in place. Is this feasible? I also know that you can specify a digest user; could this be used to access all AMT devices? Or is this inherrently insecure and stupid?

If it is feasible, then the next question is how do we set the passwords for the AMT devices? I thought that maybe we could use a Digest Master Password and somehow use this to authenticate all AMT devices and bypass 8201x. Is this possible? Or is there a better way? How do you guys do this? I'd like to avoid static passwords for all AMT devices if possible.

Of course, ideally we would like to get 8021X working with our PEAP and MS-Chap implentation. If anyone does have any experience of Vpro and 8021X then I would really be interested to know about your success and the pitfalls that you encountered.

Thanks,

DJN.

0 Kudos

Link Copied

0 Replies
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.