PXE And 802.1X, Like Oil And Water
If I have ever tossed out the idea that 802.1X is simple, usable, and simple, then I misspoke. Where the road to 802.1X gets bumpy is trying to integrate port-based authentication with other LAN processes.
February 1, 2008
If I have ever tossed out the idea that 802.1X is simple, usable, and simple, then I misspoke. Setting up 802.1X for testing is pretty straightforward, but where the road to 802.1X gets bumpy is trying to integrate port-based authentication with other LAN processes. Some things never occur to me until they get in my way. I have been testing NAC products for a while and I'm starting to test out-of-band and host-based NAC, either of which can use 802.1X as an enforcement mechanism. That's fine, but in order to make testing cleaner, I want each vendor to have its own environment. PXE -- Preboot eXecution Environment, a technology where an agent on the NIC gets a DHCP address and can execute programs pulled off the network, such as an image installer -- and 802.1X don't mix.
At least as far as I know they don't mix, but I'm still investigating. PXE and 802.1X are a classic case of chicken and egg. 802.1X is supposed to authenticate a host before granting it access to the network. Ports that are "unauthenticated," or closed, allow only 802.1X (EAPOL) traffic between a host and the switch. PXE wants to get a DHCP address on boot-up and, if a job is waiting, connect to the server and run the job. Unfortunately, PXE agents often don't have an 802.1X supplicant, so they can't get past the closed port to do DHCP and get things going.
There are a few possible solutions available. We could use MAC auth, with the switch port acting as the supplicant on the host's behalf, provided the switch OS allows that. However, we might then lose the ability to do user 802.1X when the OS boots. We could disable 802.1X temporarily, but that's just asking for trouble. We could configure the switch port to drop into a default VLAN on auth failure or when no supplicant responds, but then we have to make sure the PXE agent keeps trying DHCP long enough for the port to time out and land in the default VLAN. That may be the way to go.
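As an added example (not from the original post, which does not name a switch vendor), here is what the "default VLAN on auth failure or no supplicant" approach looks like as a Cisco IOS port configuration, with the MAC-auth fallback from the same paragraph layered in. The interface name, VLAN numbers, RADIUS server address, shared-secret placeholder and timer values are assumptions chosen for illustration, not settings from the post's lab.

```cisco
! Added example, not the post's own configuration. Cisco IOS (12.2(50)SE-era
! "authentication" syntax); interface, VLAN IDs, RADIUS host and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description Lab host: 802.1X with a PXE fallback VLAN
 switchport mode access
 switchport access vlan 100
 ! Try 802.1X first; fall back to MAC authentication bypass (the post's "MAC auth").
 ! With dot1x at higher priority, a supplicant that sends EAPOL-Start after the
 ! OS boots can take the port over from a MAB session.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! No supplicant answered at all (the PXE case): authorize the port into VLAN 200,
 ! a restricted VLAN that should reach only DHCP and the PXE/imaging server.
 authentication event no-response action authorize vlan 200
 ! Supplicant present but credentials rejected: a separate auth-fail VLAN.
 authentication event fail action authorize vlan 201
 ! Re-run authentication periodically so a host that booted via PXE and now has
 ! a working supplicant is moved out of the fallback VLAN.
 authentication periodic
 authentication timer reauthenticate 300
 mab
 dot1x pae authenticator
 ! Time until the no-response VLAN is applied = tx-period x (max-reauth-req + 1).
 ! The defaults (30 s x 3 = 90 s) are longer than a PXE agent's DHCP retry
 ! window; 5 s x 3 = 15 s gives the agent a chance to get a lease first.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
```

The timers are the part to verify against the PXE firmware in use: the port must fall into VLAN 200 before the agent stops retrying DHCP, which is exactly the race the paragraph above describes. Older IOS releases express the same fallback with `dot1x guest-vlan 200` and `dot1x auth-fail vlan 201` instead of the `authentication event` lines. Because a no-response VLAN admits any device that stays silent, treat it as an unauthenticated segment: put an ACL on its SVI that permits DHCP, TFTP and the imaging server only, and log the MAC addresses that land there.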
I, along with my lab assistant extraordinaire, Kwame, will be looking deeper into how to make this stuff work together and we'll post the results here. If you have any suggestions, please toss them our way.