topic PXE boot with dot1x in Network Access Control

PXE boot with dot1x

Amit Singh2000 — Mon, 11 Mar 2019 03:19:46 GMT

Hi guys.

We have dot1x ISE BASED. Solution running for a customer. Everything seems to work fine. Now they have a new requirement for clients with PXE boot. These are the laptops with no image on them. Atleast when they connect to the network. These laptops connect behind the ip phone as customer is using VoIP solution.

The problem I am facing is that when is configure dot1x authentication order dot1x mab. The PXE boot fails as it times out. If I configure dot1x authentication order mab dot1x. The PXE boot works fine. But in logs I end up with unnecessary logs that ISE tries to authenticate phone with mab but failed then tried dot1x. This means unnecessary logs and traffic in network.

Which timer or what should I configure so that the PXE boot works fine and phone uses dot1x ..

Has anyone seen that or any ideas ?

Thanks a lot.

Sent from Cisco Technical Support iPad App

Re: PXE boot with dot1x

ryan.lambert — Thu, 18 Apr 2013 17:51:24 GMT

Does your client use WinPE for deployment? I have this same issue right now with PXE timing out, and we're working on it this way:

http://support.microsoft.com/kb/972831

I haven't found any way to tweak the timers to help this problem, but I'd be interested to know if anyone else has.

PXE boot with dot1x

Travis Stroebele — Fri, 08 Nov 2013 05:13:12 GMT

Did you ever get your issue figured out?

PXE boot with dot1x

phaon.reid — Sun, 10 Nov 2013 23:20:11 GMT

We got PXE boot working with authentication order dot1x mab by setting

dot1x timeout tx-period 1

on the switchports (after a lot of experimentation)

Phaon

Re: PXE boot with dot1x

Tedwheat53 — Tue, 14 Jan 2014 02:47:58 GMT

Everything working for PXE. We are about to venture down this road. Just curious how you are handling pcs out of the box?

Auth-fail vlan? Guest vlan? Dedicate ports for initial imaging??

Sent from Cisco Technical Support iPhone App

Re: PXE boot with dot1x

cgambrel — Tue, 14 Jan 2014 03:47:05 GMT

You might even try something like this on your swichport config.

authentication order mab dot1x
authentication priority dot1x mab

dot1x timeout tx-period 5 (I usually use somewhere between 5-10 for this setting)

This will allow MAB to happen first. Just make sure your endpoint doesn't match another policy and your default authorization policy is set to deny access. This should work unless your default is being used to default to a central web auth or something else.

I wouldn't advise dropping the "dot1x timeout tx-period" much below 5 as you may cause timeouts on your 802.1x configured supplicants and unnecessary retries. Just my opinion.

Re: PXE boot with dot1x

Tedwheat53 — Tue, 14 Jan 2014 04:51:29 GMT

That's sort of how I think I'm going to do it. Going to use dot1x open. Oh pxe booting.

Sent from Cisco Technical Support iPhone App

Re: PXE boot with dot1x

Stephen McBride — Tue, 14 Jan 2014 22:20:43 GMT

I have had problems with IAB (critical auth) when setting the following configuration:

authentication order mab dot1x

authentication priority dot1x mab

Now I might be doing something wrong but as I understand it when critical auth recovery occurs it reauths using the first method and then stops. The drama with this is that all 802.1x clients must manually connect and reconnect to the port or they are subject to MAB..

Re: PXE boot with dot1x

mchammer7 — Tue, 04 Jun 2019 10:32:20 GMT

dot1x timeout tx-period 1 helped me!

dot1x timeout tx-period 5 was also working but takes a little bit more time.....

Thank you