Cisco Support Community
Community Member

802.1x and PXE/multicast

It is increasingly common for enterprises to use centralised desktop deployment (e.g. Ghost, Altiris, etc.) and also want to implement more stringent security. How can you implement 802.1x port authentication in an environment where PXE booting is required?

2 REPLIES
Community Member

Re: 802.1x and PXE/multicast

I'm guessing that you can't. First of all, if you set port control to auto, the switch starts in the unauthorized state and initiates authentication; if it fails, it stays unauthorized. Since with PXE booting there is no way to have the dot1x client loaded, there is no way it can authenticate. Another issue would be that for the machine to authenticate, there needs to be a certificate loaded in the local machine store; I don't know how that could be done without user intervention. Perhaps someone at Cisco may know something I don't. Also, up till this week, the dot1x client for Microsoft didn't really work; there is a hotfix available to fix the client.

Re: 802.1x and PXE/multicast

If the client can't do 802.1x then you can configure a 'Guest VLAN' that the port will be put in. If you put a server that the device can boot off in this VLAN you should be able to achieve what you want - i.e. the device to start the operating system and then re-initialise the network driver etc. to start 802.1x and then get the correct VLAN assignment etc.

You would need to make the Guest VLAN non-routable or firewall it off some way so users can't get off this VLAN without initialising 802.1x.

Andy
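
The guest-VLAN approach from the reply above, sketched as a Catalyst IOS configuration. This is an added example, not part of the original thread: VLAN 999, the interface names and the timer value are assumptions, the RADIUS server definition is omitted, and the exact keywords vary by platform and IOS release.

```cisco
! Constructed example: VLAN 999, interface names and the timer value are assumptions.
! Older Catalyst "dot1x ..." interface syntax; newer releases use different
! keywords for the same features. RADIUS server definition omitted.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Isolated VLAN used only for PXE boot and imaging
vlan 999
 name PXE-GUEST
!
! Client port: 802.1x is tried first. If no supplicant answers the switch's
! EAPOL identity requests (as with a PXE boot ROM), the port falls back to 999.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 999
! Shorten the wait between identity requests so the PXE firmware's DHCP
! attempts do not time out before the fallback happens (value is an assumption).
 dot1x timeout tx-period 5
!
! Deployment server (DHCP/TFTP/imaging) sits directly in the guest VLAN
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 999
!
! Keep the guest VLAN non-routable: define no "interface Vlan999" (no Layer 3
! gateway) and do not carry VLAN 999 on the uplink trunk.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan remove 999
```

With this layout a machine in the guest VLAN can reach only the deployment server; once the installed operating system starts its 802.1x client and authenticates, the port leaves VLAN 999.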
