topic Yes, this is possible with in Network Security

Best practice to use PXE on 802.1X network ?

chrbar.net — Fri, 21 Feb 2020 13:19:46 GMT

Hello,

We use Cisco ISE 1.2.0.899 on our network (we plan to upgrade to 1.3 in some months).

Our network includes Cisco models 2960S (and some 2960T) about wired and 2602I (with WISM2) about wireless.

We have to allow PXE boot on one (or many) VLAN.

Do you know what's the best practice to use PXE on a 802.1X network ?

Does ISE and/or Switch can recognize PXE request?
Do we have to use settings/rules into ISE or on Switch?

Does the easy way is to allow PXE on WebAuth VLAN?

Regards,
Chris

I am in a similar position.We

franklinb — Thu, 04 Dec 2014 04:19:21 GMT

I am in a similar position.

We would prefer to keep all switch ports common, even those used for imaging from scratch.

For PXE as far as I can see we need to allow the port to quickly fail 802.1X and MAB to a remediation VLAN.

Using ISE we can apply an ACL that allows PXE bootp and dhcp requests and responses along with any other traffic we want in that network i.e. access to internet proxy server, anti-virus updates for posturing etc.

I haven't configured this yet so I'm not sure of what issues we'll face with timing. We currently use an auth pattern of 802.1X first, then MAB, then fail open to the static VLAN. With ISE 1.3 this is the supposed suggested method instead of a hard "closed" mode.

switchport access vlan XX
switchport mode access
network-policy VV
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan XX
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10

Yes, this is possible with

nspasov — Wed, 07 Jan 2015 03:57:52 GMT

Yes, this is possible with what's called "Low Impact Mode" where you define a pre-auth ACL that allows things like PXE to traverse the port before successful authentication happens. The pre-auth ACL is then replaced by the DACL that you would return with your "Authorization Profile"

For more info check this document out:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-24-Low_Impact_Mode.pdf

For full end-to-end design deployment you can check the rest of the docs here:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

Thank you for rating helpful posts!