https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776772#M579874 <P>Hi BB,<BR />No not PXE boot. This is just the initial boot screen, i.e. when the Laptop is first powered on.<BR />(Or for that matter it is left idle for some time....even here we seen at times the "Employee VLAN" gets lost and the Laptop for in the "Guest VLAN")<BR /><BR />Thanks!<BR />N</P> Thu, 16 Feb 2023 12:55:29 GMT network_geek1979 2023-02-16T12:55:29Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776748#M579871 <P>Folks,<BR />I needed some suggestion on Policies getting applied when the 802.1x authentication kicks in vs Initial Boot by a system.<BR /><BR />Our policies say that once the 802.1x authentication succeeds allow the machine to get authorized on the "Employee VLAN". This policy works just fine, but the catch here is when the system performs an initial boot the system does not get in the&nbsp;"Employee VLAN", which is expected as the OS cannot perform a 802.1x authentication.<BR /><BR />Any suggestions to overcome this challenge?<BR /><BR /><BR />Thanks!<BR />N.</P> Thu, 16 Feb 2023 12:23:38 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776748#M579871 network_geek1979 2023-02-16T12:23:38Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776753#M579872 <P>You mean PXE boot ?</P> Thu, 16 Feb 2023 12:29:54 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776753#M579872 balaji.bandi 2023-02-16T12:29:54Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776772#M579874 <P>Hi BB,<BR />No not PXE boot. This is just the initial boot screen, i.e. when the Laptop is first powered on.<BR />(Or for that matter it is left idle for some time....even here we seen at times the "Employee VLAN" gets lost and the Laptop for in the "Guest VLAN")<BR /><BR />Thanks!<BR />N</P> Thu, 16 Feb 2023 12:55:29 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776772#M579874 network_geek1979 2023-02-16T12:55:29Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776822#M579876 <P>I assume you are doing user auth?&nbsp; If so there is no 802.1X transaction by design until a user logs into the system.&nbsp; You should also enable machine authentication if you need to provide network access before login.&nbsp; That being said, why change VLANs at all?&nbsp; Why not use a dACL or some other enforcement method?</P> Thu, 16 Feb 2023 14:01:35 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4776822#M579876 ahollifield 2023-02-16T14:01:35Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4785908#M580170 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513">@ahollifield</a>&nbsp;: Thanks for the answer and apologies for the late response.<BR />Any details you can share on machine authentication? This is new to us and would like to check how this can work.<BR />Thanks a ton.<BR /><BR />Regards,</P><P>N!</P> Thu, 02 Mar 2023 12:52:22 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4785908#M580170 network_geek1979 2023-03-02T12:52:22Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4785935#M580171 <P>These are windows endpoints correct?&nbsp; If so enable "Computer Authentication" in the supplicant configuration.&nbsp;&nbsp;</P> Thu, 02 Mar 2023 13:19:04 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4785935#M580171 ahollifield 2023-03-02T13:19:04Z https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4792165#M580412 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/47004">@network_geek1979</a>&nbsp;Adding to what&nbsp;<A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513" target="_blank"><SPAN class="text-large">ahollifield</SPAN></A> suggested...</P> <P><A href="https://www.asquaredozen.com/2018/07/29/configuring-802-1x-authentication-for-windows-deployment/" target="_self">Configuring 802.1x Authentication for Windows Deployment at A. Gross Blog</A> might be of interest to you.</P> Sun, 12 Mar 2023 18:24:40 GMT https://community.cisco.com/t5/network-access-control/nac-policy-for-os-boot-vs-initial-boot/m-p/4792165#M580412 hslai 2023-03-12T18:24:40Z