PXE boot on 802.1x enabled networks

zeglory
Level 1

Hi guys, we have configured 802.1x on our infrastructure and have used Intel AMT, which enables adding .1x profiles to the BIOS, which should enable authentication bypass and thus allow PXE boot on machines. We are using Cisco Catalyst 3000 series mostly; however, in a testing lab I have tried configuring this without any luck! The switch configuration is rather basic, but RADIUS authentication is working both in a fully operational Windows environment as well as in the BIOS, but still, while PXE booting, no DHCP information is acquired. Could you please guide us on what we are missing? I am not a network person, and am a newbie.

 

Switch configuration:

Current configuration : 2165 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2950
!
aaa new-model
aaa authentication login default line none
aaa authentication dot1x default group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport access vlan 50
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 30
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 50
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 30
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 30
 spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
 switchport access vlan 50
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan50
 ip address 10.11.12.90 255.255.255.0
 ip helper-address 10.11.12.3
 no ip route-cache
!
ip default-gateway 10.11.12.1
ip http server
radius-server host 10.11.12.40 auth-port 1812 acct-port 1813 key 123
radius-server retransmit 3
!
line con 0
line vty 0 4
 password keepOut
line vty 5 15
 password keepOut
!
!
end

 

When the client is operating in Windows OS we are seeing:

 

2950#show dot1x interface fastEthernet 0/2
Supplicant MAC ecf4.bb63.1cd6
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
   Posture           = N/A
PortStatus        = AUTHORIZED
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Single
Port Control      = Auto
ControlDirection  = Both
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 30

 

While the Client is PXE booting:

 

2950#show dot1x interface fastEthernet 0/2
Supplicant MAC ecf4.bb63.1cd6
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
   Posture           = N/A
PortStatus        = AUTHORIZED
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Single
Port Control      = Auto
ControlDirection  = Both
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 30

 

But nothing happens on the client side; it stays stuck waiting on the DHCP server. On the RADIUS server I can see the request being authorized and getting full access in response. The same behaviour is also shown on the switch, but why are we not able to PXE boot? Is this some sort of routing problem, or is it something else? If I connect to a different port, but without dot1x, I am able to PXE boot, as the PXE server is also placed in the same VLAN.

 

Hope someone can guide me, thanking you all in advance.

 

Best regards,
Sean

Accepted Solution

hdussa
Level 1

Hi Sean,

 

you need to configure LOW IMPACT MODE. There is an ACL on the switchport which allows Layer 2 traffic.

Example:

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 permit ip any host 10.135.31.68
 remark Drop all the rest
 deny   ip any any log
!
int gi0/1
 ip access-group ACL-DEFAULT in

After authentication your RADIUS should send a dACL with permit ip any any.

 

PORTCONFIG:

interface GigabitEthernet0/2
 switchport access vlan 998
 switchport mode access
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 authentication timer restart 900
 authentication timer inactivity server
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-req 3
 dot1x max-reauth-req 1
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app
 spanning-tree portfast
 spanning-tree bpduguard enable

Regards, Horst

2 Replies


Hi Horst, and thanks for the reply. I have tried adding the ACL, but can't seem to get it to work. I get an error which says:

%Error:The field sets of all the ACEs in an 
ACL on Ethernet interface should match. Please 
refer to the Software Configuration Guide to 
understand one mask restriction for ACLs on 
Ethernet interface

This error message means that one or more of the ACEs in an ACL must have the same mask.

Change the ACEs to have the same mask as the other ACEs in the ACL. 

 

I must also mention that I only have a 2950 at home, in the lab environment, but will have 3000 series available at the office. But anyway, it seems like the 2950 also has the option to add an ACL at port level. I had to omit some lines from the ACL you provided above, as I was getting errors. So I ended up adding:

 

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark PXE / TFTP
 permit udp any any eq tftp

Now when I try to assign the ACL to a port I get the error mentioned above. I have tried to search around a bit, but can't seem to really understand what the error means. So what is the error actually referring to as masks? It's not the subnet mask, that I'm sure of :) Is it not that we are defining two conditions in the DHCP rule?

And thank you so much for the help and guidance so far. Have a great weekend.

Best regards,

Sean 
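An added illustration (my own Python, not code from either post or from Cisco) of the two points raised in this thread: it models Horst's pre-auth ACL to show which PXE flows pass before RADIUS pushes the permit ip any any dACL and which are held until then, and it lists the match fields each ACE of Sean's trimmed ACL constrains, so the one ACE that differs from the others stands out. The field-set comparison is a modelling assumption, not Cisco's documented check, and the flows and client addresses are constructed samples.

```python
import re
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}  # port names used on this page
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\w+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?"
                    r"\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?")

def parse_ace(line):
    """One ACE -> dict; a field the ACE does not constrain is None."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, src, sport, dst, dport = m.groups()
    addr = lambda a: None if a == "any" else a.split()[1]
    port = lambda p: None if p is None else int(PORTS.get(p, p))
    return {"action": action, "proto": proto, "src": addr(src), "sport": port(sport),
            "dst": addr(dst), "dport": port(dport)}
def parse_acl(text):  # permit/deny lines of an extended ACL; remark lines are skipped
    return [parse_ace(l) for l in text.splitlines() if l.split()[:1] in (["permit"], ["deny"])]

def evaluate(acl, flow):
    """Port-ACL semantics: first matching ACE wins, implicit deny at the end.
    Returns (action, index of the deciding ACE, or None for the implicit deny)."""
    for i, ace in enumerate(acl):
        if ace["proto"] in ("ip", flow["proto"]) and all(
                ace[f] is None or ace[f] == flow[f] for f in ("src", "sport", "dst", "dport")):
            return ace["action"], i
    return "deny", None

def field_sets(acl):
    """Fields each ACE constrains; assumed here to be the 'field set' the 2950 compares."""
    return [tuple(f for f in ("src", "sport", "dst", "dport") if ace[f] is not None) for ace in acl]

def odd_aces(acl):
    """Indexes of ACEs whose field set differs from the most common one in the ACL."""
    sets = field_sets(acl)
    common = max(set(sets), key=sets.count)
    return [i for i, s in enumerate(sets) if s != common]

# Horst's pre-auth ACL, Sean's trimmed version of it, and the dACL RADIUS pushes after auth.
PRE_AUTH_ACL = parse_acl("""permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 10.135.31.68
 deny   ip any any log""")
TRIMMED_ACL = PRE_AUTH_ACL[:2] + PRE_AUTH_ACL[3:4]
DACL = parse_acl("permit ip any any")
# Constructed flows: the PXE client's DHCP discover, its TFTP read, and an SMB connection.
DHCP = {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67}
TFTP = {"proto": "udp", "src": "10.11.12.77", "sport": 2070, "dst": "10.11.12.3", "dport": 69}
SMB = {"proto": "tcp", "src": "10.11.12.77", "sport": 50000, "dst": "10.11.12.3", "dport": 445}
```

Calling evaluate(PRE_AUTH_ACL, SMB) returns the deny from the last ACE while evaluate(DACL, SMB) permits it, and odd_aces(TRIMMED_ACL) points at the DHCP ACE, the only one that constrains both a source and a destination port.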
