ISE 2.3 - Windows 10 PXEboot with dot1x switchports

rsebille
Level 1

Our desktop team has recently approached us stating they are changing the PC rebuild process. The current process is for them to physically remove the desktops and take them to our staging area, which has non-ISE configured ports for them to use.

Now they want to be able to PXE boot on the ISE configured dot1x ports and build this way. So far we're having no luck, as ISE is putting them in the default policy, which has a dACL of "Internet Only". The build process does not have a certificate until it joins the domain during the final step of the build. Just wondering if there is any good documentation / suggestions on the best practices or ways to make this work.

Here is our basic access port config:

interface GigabitEthernet2/0/41
switchport access vlan 
switchport mode access
switchport voice vlan 
device-tracking
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300
auto qos trust dscp
spanning-tree portfast
end

2 Accepted Solutions

Mike.Cifelli
VIP Alumni
I am curious to see what others post as well, but here is my opinion:
If you have a ticketing system, you can have admins in the field wishing to image open a ticket and put the relevant information in the ticket, which would include the MAC. You could then grant RBACL into ISE that would allow your imaging team to add L2 MACs via Context Visibility or, if already in the ISE DB, add them to an endpoint group. That endpoint group could then be used as a condition in your MAB policies. The result on a match could then push down a dACL (assuming you are not using CTS). The dACL would grant restricted access to your resources (SCCM, DHCP, WSUS, etc.) for the PXE boot/imaging process. If this is something you wanted to do, ensure you use endpoint purging to purge stale MACs that no longer need to be in that group. Something else you would want to consider is the dot1x timers and some sort of pre-auth base ACL on your interfaces. Based on your config you could probably lower the dot1x timers a little. Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387273
Another option that would be different from a design perspective could be to use a self-registered guest portal, where your default MAB policy could be a field admin hitting the portal to then register their MAC to an endpoint group. This type of scenario IMO is more complex, but could be something worth looking into.
Good luck & HTH!

nspasov
Cisco Employee

You will need to utilize low-impact mode instead of closed mode. With closed mode (your configuration), only EAPoL traffic is allowed on the port until a successful authentication is completed. With low-impact mode you define a pre-auth ACL that can allow additional traffic such as PXE. For more info you can take a look at this old but very good document:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_24_low_impact_mode.pdf

I hope this helps!

Thank you for rating helpful posts!
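As an added example, not from either answer: the closed-mode port above reworked into low-impact mode with a pre-auth ACL that admits only PXE traffic, followed by the restricted dACL the endpoint-group rule from the first answer would push. The deployment-server (192.0.2.10) and DNS (192.0.2.53) addresses are placeholders.

```ios
! Added example (not from the thread). Placeholder addresses (RFC 5737):
!   192.0.2.10 = PXE/SCCM deployment server, 192.0.2.53 = DNS
!
! Pre-auth ACL: what an unauthenticated client may send while dot1x/MAB
! is still in progress. Only what PXE boot needs is allowed.
ip access-list extended PRE-AUTH-PXE
 remark DHCP discover/request (the PXE options ride inside DHCP)
 permit udp any eq bootpc any eq bootps
 remark ProxyDHCP boot-server discovery
 permit udp any host 192.0.2.10 eq 4011
 remark TFTP: the RRQ goes to 69 but data/ACKs use a server-chosen
 remark ephemeral port, so allow all UDP to the boot server only
 permit udp any host 192.0.2.10
 remark DNS so WinPE can resolve the deployment server name
 permit udp any host 192.0.2.53 eq domain
 deny ip any any
!
! Low-impact mode = the closed-mode port above plus "authentication open"
! and the pre-auth ACL. Lines unchanged from the original port are omitted.
interface GigabitEthernet2/0/41
 ip access-group PRE-AUTH-PXE in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! dACL for the ISE rule that matches the "PXE imaging" endpoint group
! (the group-based approach in the first answer). It replaces PRE-AUTH-PXE
! once MAB succeeds, so it must carry the boot-time reach plus what WinPE
! uses afterward (SMB/HTTP(S) content download from the distribution point).
! Entered in ISE as the dACL content; the source is always "any" there.
permit udp any eq bootpc any eq bootps
permit udp any host 192.0.2.10
permit tcp any host 192.0.2.10 eq 445
permit tcp any host 192.0.2.10 eq 80
permit tcp any host 192.0.2.10 eq 443
permit udp any host 192.0.2.53 eq domain
deny ip any any
```

Until the staging MAC is in the endpoint group, an unknown MAC still lands in the default "Internet Only" rule after MAB, so the pre-auth ACL only covers the window before that authorization is applied.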
