06-17-2019 12:44 PM
Hi guys,
I've reviewed the "Low Impact Mode" 802.1x guides as well as other posts that allow PXE booting with a Pre-Auth ACL.
Scenario 1: Low Impact mode with Pre-Auth ACL
Scenario 2: Closed mode
With Scenario 2, has anyone had good experiences with PXE booting?
Thanks!
06-18-2019 02:12 PM
I think I may have worded my last response poorly... apologies.
There are two ways to look at it...
1] Use low-impact mode and apply the preauth ACL as a default. This will apply to anything that fails (normal for low-impact mode). Successful authentications can and will still be authorized by ISE though and a specific dACL can be pushed for desired devices, groups, etc.
2] Use closed mode and allow MAB failures to be authorized by ISE to apply a dACL to those devices, as well as successfully-authenticated devices.
The difference between the two is that in closed mode only EAPoL traffic will pass through the port until the device is authenticated and authorised - a preauth ACL won't work in closed mode. In allowing unauthenticated devices to be authorised in closed mode you're effectively just emulating low-impact mode though, hence mentioning that it's probably pointless.
If you're worried about ISE becoming inaccessible that would also push me towards low-impact mode. However, you could look at using Inaccessible Authentication Bypass instead. When ISE is unavailable the switch will drop everything into a specific VLAN. That may or may not be suitable in your scenario though, but it's an option for some.
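The following switch configuration is an added illustration of options 1 and 2 above and of the Inaccessible Authentication Bypass fallback; it is not from any poster in this thread. It uses classic (pre-IBNS 2.0) Cisco IOS 802.1X syntax, and the ISE PSN address 10.0.0.11, the WDS/SCCM server 10.10.20.5, access VLAN 100 and critical VLAN 110 are all assumed values chosen for the example.

```cisco
! --- RADIUS / AAA towards ISE (addresses and secret are assumed) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <shared-secret>
! Dead-server detection is what triggers the critical-VLAN action below
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
dot1x system-auth-control
ip device tracking
!
! --- Option 1: low-impact mode ---
! Pre-auth ACL = what an endpoint may do while unauthenticated or after a failed
! dot1x/MAB attempt. Scoped to a PXE/WDS/SCCM rebuild; everything else is denied.
! Port ACLs on IOS switches filter inbound (endpoint -> network) traffic only.
ip access-list extended PRE-AUTH-PXE
 remark DHCP so the NIC gets an address and the PXE boot-server options
 permit udp any eq bootpc any eq bootps
 remark PXE proxy-DHCP (UDP 4011) and TFTP to the WDS/SCCM server;
 remark TFTP data ACKs go to the server's ephemeral UDP port, so allow UDP to the host
 permit udp any host 10.10.20.5
 remark WDS/SCCM boot image and content over SMB and HTTP(S)
 permit tcp any host 10.10.20.5 eq 445
 permit tcp any host 10.10.20.5 eq 80
 permit tcp any host 10.10.20.5 eq 443
 remark DNS for name resolution
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/1
 description Low-impact mode: pre-auth ACL applies until ISE authorizes the session
 switchport mode access
 switchport access vlan 100
 ip access-group PRE-AUTH-PXE in
 ! "authentication open" is what makes this low-impact rather than closed mode:
 ! traffic matching PRE-AUTH-PXE passes before/without authentication.
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 ! Inaccessible Authentication Bypass: if all RADIUS servers are dead, authorize
 ! the port into the critical VLAN; re-initialize when ISE comes back.
 authentication event server dead action authorize vlan 110
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- Option 2: closed mode ---
! Identical to the above with "authentication open" and the ip access-group removed.
! Only EAPoL passes until ISE returns an Access-Accept, so the pre-auth ACL has no
! effect; PXE access then depends on an ISE authorization rule matching the MAB
! request (e.g. an endpoint group) and pushing a dACL/VLAN to the port.
```

A successful dot1x or MAB authorization from ISE replaces the port's access with whatever dACL/VLAN the matching rule returns; the dACL itself is defined on ISE, not on the switch. The critical-VLAN action only fires on the RADIUS dead-criteria timing out, so test that timing against how long the rebuild's DHCP and PXE retries will wait.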
06-17-2019 03:18 PM
Configured correctly, it'll work. Generally though, if authentication fails, in closed mode the port won't pass any traffic.
However, you can use MAB to allow unknown MAC addresses to pass authentication. This will give you what you want but to be honest I'd say it's just an unnecessary overhead for ISE to deal with in your scenario, given that you're allowing internet access too. Low-impact mode does it without having to process the request via authorization rules (as authentication fails so authorization rules will never be queried) so unless you need to apply something via RADIUS there's little-to-no point in doing it in Closed mode.
06-18-2019 12:23 PM
Thanks for the response. I'll give it a shot with PXE booting. I'm a little skeptical that it will work but I'll let you know.
The reason we still send MAB to ISE is for the following scenarios:
06-19-2019 09:34 AM
Thanks. I still need to figure out how to handle the PXE booting.
It's very much a chicken or the egg.
Basically, when a laptop does an upgrade via PXE booting, the machine loses its supplicant configuration.
The machine would need access to PXE (SCCM), our Windows PKI and Windows AD to enroll in order to become fully authenticated again.
Options I am considering:
06-19-2019 01:50 PM
You're absolutely right.
Using MAB with an endpoint group (for devices needing to PXE) in an authz rule is generally how I've seen it done, and done it myself, if PXE booting is required at any switchport in any location. This at least enables you to identify what's using PXE and what isn't (guests or other devices, for example), so the right attributes get pushed to the switch. Unfortunately there's not much more that you can do that's simple to implement if you want to apply a specific dACL/VLAN to devices needing to be rebuilt via WDS/SCCM. DHCP profiling can be used in conjunction with an authz rule but you obviously have to a) be using profiling and b) be sending DHCP info to ISE. Remember, profiling can be hard on ISE if it isn't configured correctly.
WinPE can use user-based 802.1x so you could create a policy in ISE that allows devices to authenticate using a specific user account (backed-off to AD if you want) when they boot into WinPE, but you'd need to allow some access beforehand using MAB (or a default preauth ACL in low-impact mode). Microsoft has some good resources which show how to configure the XML file required to configure the supplicant in WinPE.
Most places I've seen that use a secure switch/area to do imaging will just have a pretty-flat switch with nothing on it apart from maybe a bit of multicast config. Obviously that's highly restrictive in terms of where you can rebuild machines though.