I'm currently in the process of deploying 802.1X across 10,000 devices: Avaya IP phones, HP t510 thin clients and a mixture of WinXP SP3 and Windows 7.
The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PCs.
Can anyone point me to any useful info as to how SCCM works on a wired 802.1X network with user and computer certificate authentication?
The most basic query I have is this: if we re-image a PC, both the user and computer certs will disappear, therefore 802.1X authentication will fail and the device subsequently drops off the network :-(
Any ideas or suggestions?
In what mode are your switchports configured (Low-Impact or Closed)? In Low-Impact you can tweak the pre-auth ACL to allow the protocols and ports needed for SCCM to successfully re-image a PC and get the PC to join the domain, thus getting back the computer and user certs. Then, if security is an issue, you can go back and remove the ACL and return to Closed mode, or lock down the ACL if you still want to remain in Low-Impact.
We are running in Low-Impact with the pre-auth ACL; however, we don't wish to expose any AD ports on the ACL. As you say, we can re-image without issue by allowing PXE boot/WDS, but any domain ports are locked down. Are there any other ways around this other than the manual process of changing the ACL?
It depends on where and how your client certificates are issued. If they are part of an MS Enterprise PKI with the certs stored in AD, then your AD restrictions are going to be a problem.
The only other thing that I can think of is device enrolment via SCEP. However, that process will not be fully automated and it will require user intervention. In addition, you can create a "white list" authorization rule where you can temporarily and manually add/remove MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove them when all is set and done. Other than that I am not aware of any other methods that you can use to do this.
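The switch-side pieces the two answers above rely on, shown as an added example that is not from the original thread or from any vendor documentation: a Low-Impact port with a pre-auth ACL that lets PXE/WDS re-image a machine without opening AD ports, plus MAB enabled so a temporary MAC white-list rule on the RADIUS server can authorize the re-imaged box. The ACL name, interface, VLAN numbers, the SCCM server address 10.0.0.50 and the set of SCCM/WDS ports (DHCP 67/68, proxyDHCP 4011, TFTP 69, HTTP/HTTPS/SMB to the site server) are assumptions for illustration, not values from the thread.

```cisco
! Pre-auth ACL: applied to the port before 802.1X/MAB succeeds (Low-Impact mode).
! Ports and the 10.0.0.50 SCCM server are assumed for this example.
ip access-list extended PREAUTH-LOWIMPACT
 remark DHCP from the PXE client, plus proxyDHCP used by WDS/PXE
 permit udp any eq bootpc any eq bootps
 permit udp any any eq 4011
 remark TFTP download of the WDS/SCCM boot image
 permit udp any any eq tftp
 remark WinPE reaching the SCCM management/distribution point (assumed HTTP, HTTPS, SMB)
 permit tcp any host 10.0.0.50 eq 80
 permit tcp any host 10.0.0.50 eq 443
 permit tcp any host 10.0.0.50 eq 445
 remark Everything else, including AD (Kerberos, LDAP, RPC), stays blocked until authenticated
 deny ip any any log
!
interface GigabitEthernet1/0/10
 description Desktop access port: Low-Impact 802.1X with a phone behind it
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ip access-group PREAUTH-LOWIMPACT in
 ! multi-domain: one data device (the PC) and one voice device (the IP phone) per port
 authentication host-mode multi-domain
 ! "authentication open" is what makes this Low-Impact rather than Closed mode:
 ! traffic matching the pre-auth ACL passes before any authentication completes
 authentication open
 ! try 802.1X first, fall back to MAB (MAC address bypass) when the supplicant
 ! has no certificate, e.g. a freshly re-imaged PC listed in the server-side white list
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Closed mode is the same interface with "authentication open" removed; the pre-auth
! ACL then has no effect, since nothing but EAPoL is forwarded before authentication.
```

The ACL deliberately contains no AD ports, which is exactly the gap the thread describes: PXE, TFTP and the WinPE-to-SCCM traffic get the image onto the disk, but domain join and certificate enrolment still have to wait until the machine is authenticated by some other means, such as the temporary MAB white-list entry. Once 802.1X or MAB succeeds, the RADIUS server normally returns a downloadable ACL that replaces this pre-auth ACL on the port, so the white-list rule should carry the broader ACL needed for domain join and be removed again when the certificates are back.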