
802.1x and PXE/multicast

habgooda
Level 1

It is increasingly common for enterprises to use centralised desktop deployment (e.g. Ghost, Altiris, etc.) and also want to implement more stringent security. How can you implement 802.1x port authentication in an environment where PXE booting is required?

2 Replies

mschooley
Level 1

I'm guessing that you can't. First of all, if you set port control to auto, the switch starts in the unauthorized state and initiates authentication; if it fails, it stays unauthorized. Since with PXE booting there is no way to have the dot1x client loaded, there is no way it can authenticate. Another issue would be that for the machine to authenticate, there needs to be a certificate loaded in the local machine store; I don't know how that could be done without user intervention. Perhaps someone at Cisco may know something I don't. Also, up till this week, the dot1x client for Microsoft didn't really work; there is a hotfix available to fix the client.

If the client can't do 802.1x then you can configure a 'Guest VLAN' that the port will be put in. If you put a server that the device can boot off in this VLAN you should be able to achieve what you want - i.e. the device to start the operating system and then re-initialise the network driver etc. to start 802.1x and then get the correct VLAN assignment etc.

You would need to make the Guest VLAN non-routable or firewall it off some way so users can't get off this VLAN without initialising 802.1x.

Andy
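
The isolation requirement in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a Python audit that finds every Guest VLAN referenced on a port in an IOS-style configuration and reports whether that VLAN is routed on the switch without an inbound ACL. The sample configuration, addresses and the ACL name `GUEST-PXE-ONLY` are constructed; the check sees only this switch's own SVIs and does not inspect the ACL's contents or any upstream router.

```python
import re

# Constructed sample running-config (not from the thread): two ports fall back
# to Guest VLANs; VLAN 99 is routed but filtered, VLAN 98 is routed and open.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 dot1x port-control auto
 dot1x guest-vlan 99
!
interface GigabitEthernet0/2
 authentication port-control auto
 authentication event no-response action authorize vlan 98
!
interface Vlan98
 ip address 10.0.98.1 255.255.255.0
!
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
 ip access-group GUEST-PXE-ONLY in
"""

GUEST_RE = re.compile(
    r"^(?:dot1x guest-vlan|authentication event no-response action authorize vlan) (\d+)$")

def parse_interfaces(config):
    """Map interface name -> list of its stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit_guest_vlans(config):
    """Return {guest_vlan_id: verdict} for every Guest VLAN a port refers to."""
    blocks = parse_interfaces(config)
    guest_ids = {int(m.group(1)) for cmds in blocks.values()
                 for c in cmds if (m := GUEST_RE.match(c))}
    verdicts = {}
    for vid in sorted(guest_ids):
        svi = blocks.get(f"Vlan{vid}", [])
        routed = "shutdown" not in svi and any(c.startswith("ip address ") for c in svi)
        filtered = any(re.match(r"ip access-group \S+ in$", c) for c in svi)
        verdicts[vid] = ("not routed here" if not routed else
                         "routed, filtered" if filtered else "ROUTED, UNFILTERED")
    return verdicts
```

A verdict of `ROUTED, UNFILTERED` marks a Guest VLAN that unauthenticated devices could use to reach other networks through this switch.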
