09-24-2003 04:43 AM - edited 03-02-2019 10:33 AM
It is increasingly common for enterprises to use centralised desktop deployment (e.g. Ghost, Altiris, etc.) and also to want to implement more stringent security. How can you implement 802.1x port authentication in an environment where PXE booting is required?
09-24-2003 06:40 AM
I'm guessing that you can't. First of all, if you set port control to auto, the switch starts in the unauthorized state and initiates authentication; if it fails, it stays unauthorized. Since with PXE booting there is no way to have the dot1x client loaded, there is no way it can authenticate. Another issue would be that, for the machine to authenticate, there needs to be a certificate loaded in the local machine store, and I don't know how that could be done without user intervention. Perhaps someone at Cisco may know something I don't. Also, up until this week, the dot1x client for Microsoft didn't really work; there is a hotfix available to fix the client.
09-24-2003 08:03 AM
If the client can't do 802.1x then you can configure a 'Guest VLAN' that the port will be put in. If you put a server that the device can boot off in this VLAN you should be able to achieve what you want, i.e. the device starts the operating system, then re-initialises the network driver etc. to start 802.1x, and then gets the correct VLAN assignment etc.
You would need to make the Guest VLAN non-routable or firewall it off in some way so users can't get off this VLAN without initialising 802.1x.
Andy
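
A sketch of the Guest VLAN approach described in the reply above, added here as an example and not taken from the thread or from Cisco documentation. It uses the legacy Catalyst IOS `dot1x` interface syntax; the VLAN numbers, interface names, RADIUS address and timer value are assumptions.

```cisco
! Assumed values: VLAN 10 = production, VLAN 99 = guest/PXE VLAN,
! 192.0.2.10 = RADIUS server, Fa0/1 = desktop port, Fa0/24 = imaging server port.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key <shared-secret>
dot1x system-auth-control
!
vlan 99
 name GUEST-PXE
!
! No "interface Vlan99" is defined anywhere, so VLAN 99 has no gateway
! and stays non-routable, as the reply requires.
!
! Desktop port: 802.1x first, guest VLAN if the client never answers EAPOL.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 99
 ! Shorter identity-request interval so the fallback to VLAN 99 happens
 ! before the PXE ROM's DHCP attempts time out (5 s is an assumed value).
 dot1x timeout tx-period 5
 ! Skip the spanning-tree listening/learning delay on this edge port.
 spanning-tree portfast
!
! Imaging (PXE/DHCP/TFTP) server port, placed only in the guest VLAN.
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
```

To confirm the isolation, check that the Guest VLAN is not carried on any trunk toward a routing device and that `show dot1x interface FastEthernet0/1` reports the expected state after a PXE boot.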