Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2633
Views
0
Helpful
4
Replies

802.1x Wired using EAP-TLS with Microsoft SCCM 2007

pic_whizz
Level 1
Level 1

‎11-21-2012 01:41 AM - edited ‎03-10-2019 07:48 PM

Hi,

I'm currently in the process of deploying 802.1x across 10,000 devices - Avaya IP phone, Hp t510 Thin Clients and a mixture of WinXP SP3 and Windows 7

The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PC's

Can anyone point me to any useful info as to how SCCM works on a Wired 802.1x network with User and Computer certificate authentication??

The most basic query I have is this, if we re-image a PC, both User and Computer certs will disappear therefore 802.1x authentication will fail and the device subsequently drops off the network :-(

Any ideas or suggestions?

Many thanks,

Matt

Labels:
0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎11-21-2012 07:15 AM

In what mode are your switchports configured (Low-Impact or Closed)? In Low-Impact you can tweak the pre-auth ACL to allow the protocols and ports needed from SCCM to successfully re-image a PC, get the PC to join to the domain, thus getting back the computer and user certs. Then if security is an issue you can go back and remove the ACL and go back to closed mode or lock down the ACL if you still want to remain in Low-Impact.

Thank you for rating!

0 Helpful

pic_whizz
Level 1
Level 1
In response to nspasov

‎12-03-2012 05:17 AM

Thanks Neno,

We are running in Low Impact with the pre-auth ACL, however we dont wish to expose any AD ports on the ACL. As you say we can re-image without issue by allowing PXE boot/WDS but any domain ports are locked down. Are there any other ways around this other than manual process of changing the ACL.

Cheers,

Matt

0 Helpful

jw.sl9
Level 1
Level 1
In response to pic_whizz

‎12-04-2012 01:22 PM

Depends on  Where and How are your client certificates issued from?  If they are part of a MS-Ent PKI with the certs stored in AD.  Then your AD restrictions are going to be a problem.

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to pic_whizz

‎12-16-2012 06:45 PM

Hello Matt-

The only other thing that I can think about is the device enrolment via SCEP. However, that process will not be fully automated and it will require users intervention. In addition, you can create a "White List" authorization rule where you can temporary and manually add/remote MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove it when all set and done. Other than that I am not aware of any other methods that you can do this.

Thank you for rating!

0 Helpful
Customers Also Viewed These Support Documents