Showing results for 
Search instead for 
Did you mean: 

Community Helping Community


Best practice to use PXE on 802.1X network ?


We use Cisco ISE on our network (we plan to upgrade to 1.3 in some months).

Our network includes Cisco models 2960S (and some 2960T) about wired and 2602I (with WISM2) about wireless.

We have to allow PXE boot on one (or many) VLAN.

Do you know what's the best practice to use PXE on a 802.1X network ?

Does ISE and/or Switch can recognize PXE request?
Do we have to use settings/rules into ISE or on Switch?

Does the easy way is to allow PXE on WebAuth VLAN?


Everyone's tags (1)

I am in a similar position.We

I am in a similar position.

We would prefer to keep all switch ports common, even those used for imaging from scratch.

For PXE as far as I can see we need to allow the port to quickly fail 802.1X and MAB to a remediation VLAN.

Using ISE we can apply an ACL that allows PXE bootp and dhcp requests and responses along with any other traffic we want in that network i.e. access to internet proxy server, anti-virus updates for posturing etc.

I haven't configured this yet so I'm not sure of what issues we'll face with timing. We currently use an auth pattern of 802.1X first, then MAB, then fail open to the static VLAN. With ISE 1.3 this is the supposed suggested method instead of a hard "closed" mode. 

 switchport access vlan XX
 switchport mode access
 network-policy VV
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan XX
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10

Cisco Employee

Yes, this is possible with

Yes, this is possible with what's called "Low Impact Mode" where you define a pre-auth ACL that allows things like PXE to traverse the port before successful authentication happens. The pre-auth ACL is then replaced by the DACL that you would return with your "Authorization Profile"

For more info check this document out:

For full end-to-end design deployment you can check the rest of the docs here:


Thank you for rating helpful posts!

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here