PXE boot with dot1x

Amit Singh2000
Level 1

Hi guys.

We have a dot1x ISE-based solution running for a customer. Everything seems to work fine. Now they have a new requirement for clients with PXE boot. These are laptops with no image on them, at least when they connect to the network. These laptops connect behind the IP phone, as the customer is using a VoIP solution.

The problem I am facing is that when I configure "dot1x authentication order dot1x mab", the PXE boot fails as it times out. If I configure "dot1x authentication order mab dot1x", the PXE boot works fine, but in the logs I end up with unnecessary entries showing that ISE tried to authenticate the phone with MAB, failed, and then tried dot1x. This means unnecessary logs and traffic in the network.

Which timer, or what else, should I configure so that the PXE boot works fine and the phone uses dot1x?

Has anyone seen that or any ideas?

Thanks a lot.

Sent from Cisco Technical Support iPad App

8 Replies

ryan.lambert
Level 1

Does your client use WinPE for deployment? I have this same issue right now with PXE timing out, and we're working on it this way:

http://support.microsoft.com/kb/972831

I haven't found any way to tweak the timers to help this problem, but I'd be interested to know if anyone else has.

Did you ever get your issue figured out?

We got PXE boot working with authentication order dot1x mab by setting

dot1x timeout tx-period 1

on the switchports (after a lot of experimentation).

Phaon

You might even try something like this in your switchport config:

authentication order mab dot1x
authentication priority dot1x mab
dot1x timeout tx-period 5

(I usually use somewhere between 5 and 10 for the tx-period setting.)

This will allow MAB to happen first. Just make sure your endpoint doesn't match another policy and your default authorization policy is set to deny access. This should work unless your default is being used to default to a central web auth or something else.

I wouldn't advise dropping the "dot1x timeout tx-period" much below 5, as you may cause timeouts on your 802.1X-configured supplicants and unnecessary retries. Just my opinion.

I have had problems with IAB (critical auth) when setting the following configuration:

authentication order mab dot1x
authentication priority dot1x mab

Now I might be doing something wrong, but as I understand it, when critical auth recovery occurs it reauths using the first method and then stops. The drama with this is that all 802.1X clients must manually connect and reconnect to the port or they are subject to MAB.

"dot1x timeout tx-period 1" helped me!

"dot1x timeout tx-period 5" was also working but takes a little bit more time.

Thank you
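The two orderings discussed in this thread (dot1x first with a shortened tx-period, and MAB first with dot1x keeping priority), written out as complete interface configurations. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN numbers, multi-domain host mode for a PC behind a phone, and the IOS 15.x command syntax are assumptions.

```cisco
! Added example (not from the thread). Assumed: IOS 15.x access switch,
! phone on voice VLAN 20, PXE-booting PC behind it on data VLAN 10.
!
! Option A: dot1x first, MAB second. The supplicant-less PXE client is only
! tried via MAB after the EAP-Request/Identity retries are exhausted:
! fallback time = (max-reauth-req + 1) x tx-period, i.e. (2+1) x 30 = 90 s
! with defaults, about 3 s with tx-period 1, which is what made PXE succeed.
interface GigabitEthernet1/0/10
 description user port - phone + PC, PXE imaging via MAB fallback
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! Option B: MAB first so PXE is never delayed by EAP retries; dot1x keeps
! priority, so a supplicant that later sends EAPOL pre-empts the MAB session.
! Cost: every dot1x endpoint (the phone included) first produces a MAB
! failure in ISE unless its MAC is known, which is the log noise the
! original poster saw. The ISE default authorization rule must deny.
interface GigabitEthernet1/0/11
 description user port - MAB first, dot1x priority
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
```

Verify which method won on a port with "show authentication sessions interface GigabitEthernet1/0/10 details"; the phone should show dot1x and the imaging PC should show mab.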

Tedwheat53
Level 1

Everything working for PXE. We are about to venture down this road. Just curious how you are handling PCs out of the box?

Auth-fail VLAN? Guest VLAN? Dedicated ports for initial imaging?

Sent from Cisco Technical Support iPhone App

Tedwheat53
Level 1

That's sort of how I think I'm going to do it. Going to use dot1x open. Oh, PXE booting.

Sent from Cisco Technical Support iPhone App