Re: ISE PXE Boot In Closed Mode

djlcurly · ‎03-09-2022

We somewhat recently rolled out 802.1x in a closed mode across the organization. Our Desktop team wants to be able to PXE boot devices and reimage them without having them need to be in a staging area. So far we have facilitated this by just logging into the devices and temporarily switching the ports to a different template.

I am aware that a Low-Impact Mode is probably the easiest solution and I'm not opposed to it. But what I would like to figure out is if there is a way for me to create a portal that the Desktop team could log into and make the MAB addition themselves and have them setup in such a way that they would automatically be removed after a period of time. I know this is close to some functionality that is available on the BYOD and Guest portals. Has anyone ever used it for something like this? Is it even possible?

My other thought is if there is a way to submit creds to ISE on the wired network that would allow a device to get some auth profile specific to the resources needed or not. Or if there is a way to add a mac address to a MAB based on whether it had been authorized previously that would be sufficient.

I have so far strayed away from low-Impact mode because I don't necessarily want to provide any level of network access to all devices plugged into the network just for these small number of instances where I will need to allow for PXE booting. It is preferable to me that unauthorized devices don't even have access to get an IP from the network let alone have access to our SCCM servers.

Greg Gibbs · ‎03-09-2022

Have a look at a similar conversation here:
PC Imaging on NAC secured ports
There is no built-in portal (apart from the Admin GUI) that the build team would be able to use for all PCs that need to be built as the My Devices portal is more of a per-user linkage. Your best bet would be to either try automating the process using either modifying the SCCM process as described in the other post or building a tool that can leverage the API to perform the necessary functions.

djlcurly · ‎03-09-2022

That's an interesting option, but doesn't that still just boil down to needing to configure all ports in Low-impact mode or delivering a DACL to devices that fail auth?

I'm not sure if I see really any benefit to doing it that way. Seems as though the only thing happening is that ISE recognizes the device mid-reimage as a currently reimaging device. You would still need to allow the device to get to SCCM in order to even get to the stage you outlined in the other post at which point you could, as you referenced, just use the DHCP attributes to profile the device.

Nicolai Borchorst · ‎03-10-2022

Take a look at the Vanilla ISE Project, although the custom GUI can do a lot more than just add MAC Address to an Endpoint Group, you may be able to use it.
https://github.com/obrigg/Vanilla-ISE

Alternatively, if you want to automate the process so that the helpdesk does not have to manually add a MAC Address, you could make it work by implementing a script as part of the pxeboot process that fetches the MAC Address and then adds it to an Endpoint Group in ISE using REST API's.

See this blog post: https://www.asquaredozen.com/2018/09/29/configuring-802-1x-authentication-for-windows-deployment-part-5-dynamic-whitelisting-using-the-cisco-ise-external-restful-service/

You would have to rid of the "Deny Access" AuthZ Result for the default rule for MAB Devices though. Unknown MAB devices will need to get enough access to be able to initiate PXEBoot to start the process though.

Best Regards
Nicolai Borchorst
CCIE Security #65775