164 Views | 1 Helpful | 1 Replies

Authenticating pre-imaged computers on NAC enabled ports

Ricky Sandhu
Level 3

Good morning, we're currently in the process of deploying NAC on all our wired Ethernet ports. So far the process is going smoothly, albeit we are having to leave some ports in open authentication state to allow for imaging of new computers by our end-user support team. These are the brand new computers that currently don't have our company image and hence are not on our domain. These obviously fail authentication as they do not have the normal dot1x settings required for NAC. Currently the way imaging is done is by booting a computer into a PXE environment which then downloads the image. However, due to NAC, these ports are blocked and this never works unless we leave the port open.

Just curious how others are implementing NAC in their environment and whether you have come up with a solution for a similar problem?

1 Reply

Hi Ricky,

If those ports are protected by physical security measures such as restricted access to the comms room, then I think that is absolutely considered an acceptable way to deal with this scenario.

Alternatively, you can think about deploying the NAC solution in low-impact mode, where you will have to define an ACL allowing PXE services in this case and apply that ACL to the users' switch ports. Alternatively, you can configure MAB on those specific ports and add the new devices' MAC addresses as you go. It would seem cumbersome, but I think it's worth the effort compared to leaving the ports open.

Another option you might have would be to configure the dot1x supplicant in hardware, but obviously the NIC firmware would need to support this; I think an example of this would be Intel vPro cards.
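The low-impact mode option above, written out as a Cisco IOS port configuration. This is an added illustration, not configuration posted by either participant or taken from any vendor document: the RADIUS server address (192.0.2.10), the shared-secret placeholder, the access VLAN, the interface name and the ACL name PRE-AUTH are all assumptions, and the set of protocols a PXE client needs (DHCP, proxyDHCP on udp/4011, TFTP, DNS) is the common case and should be matched against what your imaging server actually uses. The "weak" and "low-impact" comments contrast the fully open port the original poster has today with the ACL-restricted one the reply recommends; the MAB fallback on the same port covers the second suggestion, with the MAC addresses maintained on the NAC server rather than on the switch.

```text
! --- Added example (not from the thread): Cisco IOS low-impact NAC port ---
! Assumptions (placeholders, adjust to your environment):
!   RADIUS / NAC server 192.0.2.10, shared secret REPLACE_WITH_SHARED_SECRET,
!   access VLAN 10, user port GigabitEthernet1/0/1.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
dot1x system-auth-control

! Pre-auth ACL: the only IP traffic an unauthenticated host may send.
! EAPOL (802.1X) frames are not IP, so the ACL never interferes with dot1x itself.
! Assumed PXE requirements: DHCP, proxyDHCP (udp/4011), TFTP, DNS.
ip access-list extended PRE-AUTH
 remark DHCP discover/request from the client to the DHCP/PXE server
 permit udp any eq bootpc any eq bootps
 remark PXE proxyDHCP / boot server discovery
 permit udp any any eq 4011
 remark TFTP download of the network boot program and boot files
 permit udp any any eq tftp
 remark DNS, in case the boot server is referenced by name
 permit udp any any eq domain
 remark everything else stays blocked until the session is authorized
 deny ip any any

! Weak setting (what the question describes today):
!   "authentication open" on the port with NO ip access-group applied
!   -> every host passes all traffic whether or not it authenticates.
!
! Low-impact mode: keep "authentication open" so PXE clients are not cut off,
! but apply PRE-AUTH so only the boot traffic above gets through. When a host
! later passes 802.1X or MAB, the downloadable ACL returned by the NAC server
! replaces PRE-AUTH for that session.
interface GigabitEthernet1/0/1
 description user port - low-impact NAC
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

To verify the ACL is tight enough, image one machine on the port with `authentication open` and PRE-AUTH applied and confirm with `show access-lists PRE-AUTH` that hit counts move only on the permit lines you expect; a PXE boot that stalls while the deny counter climbs tells you which protocol is missing from the list. Once the machine is imaged and joined to the domain, its dot1x session should show as authorized in `show authentication sessions interface GigabitEthernet1/0/1 details`, with the server-pushed ACL in place of PRE-AUTH.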