11-21-2012 01:41 AM - edited 03-10-2019 07:48 PM
Hi,
I'm currently in the process of deploying 802.1X across 10,000 devices: Avaya IP phones, HP t510 thin clients and a mixture of WinXP SP3 and Windows 7.
The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PCs.
Can anyone point me to any useful info as to how SCCM works on a wired 802.1X network with user and computer certificate authentication?
The most basic query I have is this, if we re-image a PC, both User and Computer certs will disappear therefore 802.1x authentication will fail and the device subsequently drops off the network :-(
Any ideas or suggestions?
Many thanks,
Matt
11-21-2012 07:15 AM
In what mode are your switchports configured (Low-Impact or Closed)? In Low-Impact you can tweak the pre-auth ACL to allow the protocols and ports needed by SCCM to successfully re-image a PC and get the PC to join the domain, thus getting back the computer and user certs. Then, if security is an issue, you can go back and remove the ACL and return to Closed mode, or lock down the ACL if you still want to remain in Low-Impact.
Thank you for rating!
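As an added example (not from the original thread, and not Cisco's or Neno's configuration), here is a Cisco IOS low-impact-mode port configuration with a pre-auth ACL of the kind described above: it permits only what a PXE/WDS re-image needs before 802.1X succeeds and keeps the AD ports closed. The server addresses, the SCCM distribution-point ports and the interface name are assumptions chosen for illustration.

```cisco
! Pre-auth ACL applied inbound on the access port before 802.1X/MAB succeeds.
! Placeholder addresses: 10.0.0.10 = DHCP/DNS, 10.0.0.20 = WDS/PXE server,
! 10.0.0.30 = SCCM distribution point (all constructed for this example).
ip access-list extended PRE-AUTH
 remark DHCP so the PXE client can obtain an address and its boot-server options
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any host 10.0.0.10 eq domain
 remark PXE/WDS: TFTP for the boot image, plus the PXE boot-server port 4011
 permit udp any host 10.0.0.20 eq tftp
 permit udp any host 10.0.0.20 eq 4011
 remark SCCM distribution point over HTTP/HTTPS for task-sequence content
 permit tcp any host 10.0.0.30 eq 80
 permit tcp any host 10.0.0.30 eq 443
 remark AD/domain ports stay closed until the supplicant authenticates
 remark (the explicit denies are redundant with the final deny; they document intent)
 deny   tcp any any eq 88
 deny   udp any any eq 88
 deny   tcp any any eq 389
 deny   tcp any any eq 445
 deny   ip  any any

interface GigabitEthernet1/0/1
 description Low-impact 802.1X access port (PC behind an IP phone)
 switchport mode access
 ip access-group PRE-AUTH in
 authentication open
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Because the ACL is applied inbound, only client-to-server traffic is filtered; TFTP and HTTP replies return to the client without a permit. Once the supplicant authenticates, a downloadable ACL from the RADIUS server normally replaces PRE-AUTH for that session, so the AD denies apply only to the pre-authentication window. Check the result with `show authentication sessions interface GigabitEthernet1/0/1 details` and `show ip access-lists PRE-AUTH` while a re-image is in progress.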
12-03-2012 05:17 AM
Thanks Neno,
We are running in Low-Impact with the pre-auth ACL; however, we don't wish to expose any AD ports on the ACL. As you say, we can re-image without issue by allowing PXE boot/WDS, but any domain ports are locked down. Are there any other ways around this, other than the manual process of changing the ACL?
Cheers,
Matt
12-04-2012 01:22 PM
It depends on where and how your client certificates are issued. If they are part of an MS-Ent PKI with the certs stored in AD, then your AD restrictions are going to be a problem.
12-16-2012 06:45 PM
Hello Matt-
The only other thing that I can think of is device enrolment via SCEP. However, that process will not be fully automated and it will require user intervention. In addition, you can create a "White List" authorization rule where you can temporarily and manually add/remove MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove them when all is said and done. Other than that, I am not aware of any other methods by which you can do this.
Thank you for rating!