New PC Imagining

Jerry10 · ‎03-06-2024

Hello,

I have been tasked to secure the ports our helpdesk uses to imagine new machines. They used to use a secured room to do this but they have since changed to imagine laptops at their work stations. My first thought was to use an ACL to limit what the switchport had access to talk with. We use ISE with MAB and after looking into this some more, could I use ISE to create a splash screen where the help desk person would have to enter their login cred's after connecting the laptop? Or has someone found a better solution for this?

Thanks!!!

Rob Ingram · ‎03-06-2024

@Jerry10 yes, you could use Central Web Authentication (CWA) portal which uses AD for authentication. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

You could also push down a DACL to the authenticated users (post CWA) to allow the devices only enough access to image the devices.

Arne Bier · ‎03-06-2024

I know of a customer who gives their IT folks limited access to ISE to add Ethernet MAC addresses to an ISE PXEBoot Endpoint Identity Group. The access is so limited that all they see is the Context Visibility, and they only have write permission to the PXEBoot Endpoint Identity Group. That's as close to a portal as you'll get.

An ISE AuthZ rule then applies a dACL to permit any any when it sees that MAC address. You can try to make the dACL more watertight but then you must study the traffic flows carefully (DHCP/BOOTP, DNS, TFTP, etc.)

That Identity Group gets purged every 24 hours. Enough time to allow someone to re-image a PC. If you got really smart about it, you could integrate your ticketing system (e.g. Service Now) to poke the MAC address into ISE via REST API.

Greg Gibbs · ‎03-06-2024

See a similar discussion in the following post. It's an old discussion, but still relevant. Other options you could consider are inserting API calls into build process tree.

PC Imaging on NAC secured ports