PXE in an 802.1X environment

802.1 pxe-boot amt

Solution 1:

In the end, we decided the best way for us to use PXE with 802.1X, was to assign unauthenticated machines to a guest VLAN. At the router, the VLAN is ACL'd to only the DC (which also hosts DHCP), Enterprise CA, and PXE servers. We then added ip helper-address entries to the VLAN to both servers.

Once the machine is succesfully imaged on the guest VLAN, the operating system then takes over. Our task sequence has it automatically join the domain. Group Policy then directs the machine to obtain a client cert and participate in 802.1X authentication.

The advantage to this method is that we don't have to worry about MAC address bypass or manually disabling/reenabling 802.1X on a port.

MAC address bypass would be difficult for us to do, since it would require us to create user accounts in AD of the machine MAC address. Since the password is the MAC address as well, we would have to disable our password complexity policy, which is a non-starter.

In order for us to use AMT for the supplicant would require us to perform out-of-band provisioning, which puts us in a chicken-or-egg scenario.

Thank you to everyone who viewed/provided input on this question.

Related

IPv6: Should I have private addresses?
How to read an 8 inch floppy disk
Will there a difference in performance when a server (httpd or mysql) by building it from sources vs installing it using yum/apt repositories?
Logging with Resource Monitor?
Windows Event Log Performance
Microsoft System Center Virtual Machine Manager
Applying ACLs to a Dovecot public namespace
Load balancing a Windows File Share using HA-Proxy
How to reject/detect emails claiming to be from my own domain?
Logrotation when filenames includes date
How to get Linux udev to play nice with Hyper-V IC synthetic network driver
Upgrade openssl/mod_ssl on Mac OS X Server?