08-16-2015 10:00 PM - edited 03-10-2019 10:58 PM
Hello,
I have a customer who wants to implement ISE on their wired network but they are very particular regarding their machine imaging process. I have given them alternatives as far as configuration is concerned but from their perspective all I have presented have shortcomings. Example alternatives given so far:-
Access list ACL-DEFAULT allows necessary traffic for imaging through - least appealing.
Use MAB to identify the machines and drop them into a VLAN which allows access - problem of identifying the machines in order to put them into an appropriate database.
Identify the switches the devices to be imaged are attached to and use Prime to manipulate the switch configuration appropriately - involves more than one division of the IT department.
Has anyone else come up with a scheme for allowing the required traffic through to imaging services whilst retaining the integrity of the security solution? Ideally I'd like to be able to cover off both the imaging of suites and individual machines.
Thanks
Alan
08-17-2015 06:17 PM
There is a possibility you could do profiling using the DHCP class-ID (PXE boot). Based on that profiling you could give the precise access required. It all depends on the imaging setup being used but there is most likely a differentiating factor that would allow you to do this.
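The class-ID profiling suggested in the reply above, as an added example that is not part of the original thread: it reads DHCP option 60 (vendor class identifier) from a raw DHCP payload and flags PXE firmware requests. The profile names, MAC addresses and sample packets are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_CLASS_ID, OPT_END = 0, 60, 255

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:            # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # split options are concatenated
        i += 2 + length
    return opts

def classify(payload: bytes) -> tuple:
    """Return (mac, class_id, profile) for one DHCP request."""
    opts = parse_options(payload)      # validates length before header fields are read
    hlen = min(payload[2], 16)
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    class_id = opts.get(OPT_CLASS_ID, b"").decode("ascii", "replace")
    # Hypothetical profile names; PXE firmware sends a class-ID starting "PXEClient".
    profile = "pxe-imaging" if class_id.startswith("PXEClient") else "default"
    return mac, class_id, profile

def build_discover(mac: bytes, class_id: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER, used only to exercise the parser."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", b"")
    options = bytes([53, 1, 1, OPT_CLASS_ID, len(class_id)]) + class_id + bytes([OPT_END])
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    for pkt in (build_discover(bytes.fromhex("020000000001"), b"PXEClient:Arch:00000:UNDI:002001"),
                build_discover(bytes.fromhex("020000000002"), b"MSFT 5.0")):
        print(classify(pkt))
```

The class identifier is supplied by the client, so an authorization rule keyed on it should grant only the access the imaging process needs.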
08-18-2015 10:31 AM
Yes, if you are using a PXE type imaging software like Altiris or Microsoft's PXE solution, you can incorporate 802.1X authentication in the PXE image, and in the unattended script which runs the first time the machine boots after getting the image from the PXE server. This way, in most cases you only need the TFTP ports that PXE boot uses to get the PXE image. If your solution uses a WinPE type PXE image version 5.0 or higher, this is pretty much the same as configuring Windows to do 802.1X.
This document has some pretty decent explanations of how this can be done:
http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-6127-00-00-03-31-62-58/windows-7-deployment-procedures-in-802-1x-wired-networks.pdf