

802.1x Wired using EAP-TLS with Microsoft SCCM 2007


I'm currently in the process of deploying 802.1x across 10,000 devices: Avaya IP phones, HP t510 Thin Clients and a mixture of WinXP SP3 and Windows 7.

The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PCs.

Can anyone point me to any useful info as to how SCCM works on a Wired 802.1x network with User and Computer certificate authentication?

The most basic query I have is this: if we re-image a PC, both User and Computer certs will disappear, therefore 802.1x authentication will fail and the device subsequently drops off the network :-(

Any ideas or suggestions?

Many thanks,


Cisco Employee

In what mode are your switchports configured (Low-Impact or Closed)? In Low-Impact you can tweak the pre-auth ACL to allow the protocols and ports needed from SCCM to successfully re-image a PC, get the PC to join to the domain, thus getting back the computer and user certs. Then if security is an issue you can go back and remove the ACL and go back to closed mode or lock down the ACL if you still want to remain in Low-Impact.

Thank you for rating!
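As an added illustration of the Low-Impact approach described above (this is not configuration from the original thread or from Cisco documentation): a normal pre-auth ACL that permits only what a PXE/SCCM re-image needs, and a second, temporary ACL that additionally opens the domain-join ports to specific domain controllers so the rebuilt PC can enrol for its certificates before the port is locked back down. The IOS syntax is assumed, the 192.0.2.x addresses are documentation-range placeholders for the SCCM site server and DCs, and the port list is an assumption that must be checked against the actual SCCM/WDS deployment.

```cisco
! Normal Low-Impact pre-auth ACL: what an unauthenticated host may reach.
! Anything not listed stays blocked until EAP-TLS succeeds.
ip access-list extended PRE-AUTH
 remark DHCP so the PXE client can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PXE/WDS boot: TFTP for boot files, UDP 4011 for the PXE proxy-DHCP service (assumed)
 permit udp any any eq tftp
 permit udp any any eq 4011
 remark SCCM management/distribution point over HTTP/HTTPS (placeholder address)
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
 remark AD ports (Kerberos 88, LDAP 389, SMB 445, RPC 135) are deliberately absent
 deny ip any any
!
! Temporary ACL used only while a machine is being re-imaged and joined.
! Domain-join traffic is limited to the named DCs rather than "any" (assumed port list).
ip access-list extended PRE-AUTH-REIMAGE
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 permit udp any any eq 4011
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
 remark domain join / certificate autoenrolment against DC placeholders
 permit tcp any host 192.0.2.20 eq 88
 permit udp any host 192.0.2.20 eq 88
 permit tcp any host 192.0.2.20 eq 389
 permit udp any host 192.0.2.20 eq 389
 permit tcp any host 192.0.2.20 eq 445
 permit tcp any host 192.0.2.20 eq 135
 permit tcp any host 192.0.2.20 range 49152 65535
 permit udp any host 192.0.2.20 eq ntp
 deny ip any any
!
interface GigabitEthernet1/0/1
 description 802.1X Low-Impact access port (phone + PC)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! swap PRE-AUTH for PRE-AUTH-REIMAGE on the port during the rebuild, then swap back
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The second ACL is the manual "tweak and revert" step Neno describes; restricting it to the DC addresses and to the rebuild window keeps the exposure of AD ports to the minimum the re-image actually requires.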

Thanks Neno,

We are running in Low Impact with the pre-auth ACL, however we don't wish to expose any AD ports on the ACL. As you say we can re-image without issue by allowing PXE boot/WDS but any domain ports are locked down. Are there any other ways around this other than the manual process of changing the ACL?



It depends on where and how your client certificates are issued. If they are part of an MS-Ent PKI with the certs stored in AD, then your AD restrictions are going to be a problem.

I hope you find this information useful; if it was satisfactory for you, please mark the question as Answered. Please rate posts you consider useful. -James

Hello Matt-

The only other thing that I can think about is device enrolment via SCEP. However, that process will not be fully automated and it will require user intervention. In addition, you can create a "White List" authorization rule where you can temporarily and manually add/remove MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove it when all is set and done. Other than that I am not aware of any other methods that you can do this.

Thank you for rating!
