Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11005
Views
0
Helpful
2
Replies

Best practice to use PXE on 802.1X network ?

chrbar.net
Level 1
Level 1

‎11-18-2014 01:07 PM - edited ‎02-21-2020 05:19 AM

Hello,

We use Cisco ISE 1.2.0.899 on our network (we plan to upgrade to 1.3 in some months).

Our network includes Cisco models 2960S (and some 2960T) about wired and 2602I (with WISM2) about wireless.

We have to allow PXE boot on one (or many) VLAN.

Do you know what's the best practice to use PXE on a 802.1X network ?

Does ISE and/or Switch can recognize PXE request?
Do we have to use settings/rules into ISE or on Switch?

Does the easy way is to allow PXE on WebAuth VLAN?

Regards,
Chris

1 person had this problem
0 Helpful
2 Replies 2

franklinb
Level 1
Level 1

‎12-03-2014 08:19 PM

I am in a similar position.

We would prefer to keep all switch ports common, even those used for imaging from scratch.

For PXE as far as I can see we need to allow the port to quickly fail 802.1X and MAB to a remediation VLAN.

Using ISE we can apply an ACL that allows PXE bootp and dhcp requests and responses along with any other traffic we want in that network i.e. access to internet proxy server, anti-virus updates for posturing etc.

I haven't configured this yet so I'm not sure of what issues we'll face with timing. We currently use an auth pattern of 802.1X first, then MAB, then fail open to the static VLAN. With ISE 1.3 this is the supposed suggested method instead of a hard "closed" mode. 


 switchport access vlan XX
 switchport mode access
 network-policy VV
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan XX
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎01-06-2015 07:57 PM

Yes, this is possible with what's called "Low Impact Mode" where you define a pre-auth ACL that allows things like PXE to traverse the port before successful authentication happens. The pre-auth ACL is then replaced by the DACL that you would return with your "Authorization Profile"

For more info check this document out:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-24-Low_Impact_Mode.pdf

For full end-to-end design deployment you can check the rest of the docs here:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

 

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card