cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1861
Views
0
Helpful
2
Replies

ISE wired configuration for imaging

ALAN MURRAY
Level 1
Level 1

Hello,

I have a customer who wants to implement ISE on their wired network but they are very particular regarding their machine imaging process. I have given them alternatives as far as configuration is concerned but from their perspective all I have presented have shortcomings. Example alternatives given so far:-

Access list ACL-DEFAULT allows necessary traffic for imaging through - least appealing.

Use MAB to identify the machines and drop them into a VLAN which allows access - problem of identifying the machines in order to put them into an appropriate database.

Identify the switches the devices to be imaged are attached to and use Prime to manipulate the switch configuration appropriately - involves more than one division of the IT department.

Has anyone else come up with a scheme for allowing the required traffic through to imaging services whilst retaining the integrity of the security solution? Ideally I'd like to be able to cover off both the imaging of suites and individual machines.

 

Thanks

Alan

 

2 Replies 2

Stephen McBride
Level 1
Level 1

There is a possiblility you could do profiling using the DHCP class-ID (PXE boot). Based on that profiling you could give the precise access required. It all depends on the imaging setup been used but there is most likely a differentiating factor that would allow you to do this.

jan.nielsen
Level 7
Level 7

Yes, if you are using a PXE type imaging software like altiris or microsofts pxe solution, you can incorporate 802.1x authentication in the PXE image, and in the unattended script which runs the first time the machine boots after getting the image from the PXE server. This way, you in most caes only need the tftp ports that pxe boot uses to get the pxe image with. If your solution uses a WinPE type PXE image version 5.0 and higher, this is pretty the same as configuring windows to do 802.1x

This document has some pretty decent explanations of hpw this can be done :

http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-6127-00-00-03-31-62-58/windows-7-deployment-procedures-in-802-1x-wired-networks.pdf