Hi
A customer is looking to deploy 802.1X for wired access and wants to use dynamic VLAN assignment to assign VLANs to all of their profiled devices such as printers, cameras, TVs, access points etc. They also use PXE boot to roll out new devices and reimage existing devices. This does not happen in a central location; instead, users and remote users are instructed to simply press a button upon startup, at which point SCCM begins re-enrolling the machine. Normally I would go for low impact mode and simply allow PXE in the pre-auth ACL, but in the ISE Prescriptive Deployment Guide they mention not to use low impact mode for dynamic VLAN authorizations:
Note: Dynamic VLAN assignment is not a recommended authorization option for low-impact mode. Since endpoints acquire IP address before network authentication in the default VLAN, a change in the VLAN assignment forces the endpoints to renew their IP addresses, which might not happen automatically, thereby locking them out of the network in spite of an authorized access as per ISE policy.
The logic seems pretty valid. Of course devices won't renew their IP if they already have one, despite the fact that we just changed the VLAN on their switchport. So I'm left with one option: go closed mode.
In closed mode no traffic is allowed on the switchport until the device has been authenticated; this way the device does not receive an IP address before we have sent the VLAN change authorization from ISE. So the missing puzzle piece is now PXE boot. This happens before the port is authenticated, so I need to somehow allow PXE boot without the port being authenticated. My first thought was that there must be a way to identify if a device is PXE booting through profiling, but I heard from multiple sources that this is probably not a good idea.
The only other workaround I can see is to have a MAB policy set containing all my profiling policies for APs, TVs, cameras etc. and then at the bottom have a "default catch-all" rule that applies to anyone that does not match any other policies. This would either throw in a dACL to allow internet access only + PXE boot, or assign the port to a VLAN that is firewalled to only permit internet access and PXE boot. I haven't quite decided which option to go with yet. I would then lower the dot1x timeout so that the PXE boot does not fail because it first has to wait for dot1x to time out before moving forward to MAB. It would then hit the catch-all policy at the bottom of the MAB policy set and be assigned a VLAN or receive a dACL with access to only the internet and PXE boot. Once it is done enrolling the image and reboots, it should authenticate using 802.1X.
Low impact mode also concerns me if the connection to ISE is dead: there is no way I can still bring up the switchport, as the pre-auth ACL would still be in place on every single switchport, not granting any access for the clients, whereas in closed mode I could just reinitialise the port in a specific VLAN in case the connection to ISE is lost.
Does this seem like a good way to solve this issue, or are there any better ways? Which deployment method do you prefer (low impact/closed) and why? Has anyone done profiling of PXE boot and had this working?
PS: I know if you run WinPE you can technically do PXE boot and have the device authenticate with a certificate, but this is not an option in this case.
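As an added example (not part of the original post, and not a Cisco or ISE reference configuration), here is what the closed-mode port described above looks like on a Cisco IOS/IOS-XE switch using the classic "authentication" CLI (not IBNS 2.0 policy maps), together with the contents of the dACL that the MAB catch-all authorization profile would return. The interface name, VLAN numbers, the critical-auth VLAN and the PXE/distribution-point address 10.0.0.50 are placeholders chosen for this illustration; the tx-period and max-reauth-req values are the ones that matter for getting a PXE client through dot1x fallback to MAB before its DHCP retries give up.

```ios
! --- Switch side (placeholder values) ---
! Needed so the switch can substitute the client's IP for "any" in the dACL
ip device tracking

interface GigabitEthernet1/0/10
 description Closed-mode 802.1X edge port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Closed mode: no "authentication open" and no pre-auth "ip access-group",
 ! so the client cannot get a DHCP lease until ISE has authorized it
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! If ISE is unreachable, authorize new sessions locally into VLAN 10
 ! and reinitialize the port once a server is reachable again
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Time before falling through to MAB = (max-reauth-req + 1) * tx-period
 ! = (2 + 1) * 3 s = 9 s, which a PXE ROM's DHCP retry loop tolerates;
 ! the IOS defaults (30 s * 3) usually do not
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 spanning-tree portfast

! --- ISE side: dACL returned by the MAB catch-all authorization profile ---
! Entered under Policy > Policy Elements > Results > Downloadable ACLs as
! plain IOS extended ACEs; source is always "any" (the switch rewrites it).
! DHCP so the PXE ROM and later WinPE can get a lease in the assigned VLAN
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
! PXE/WDS: DHCP option 60 ProxyDHCP on 4011, boot file via TFTP, then
! WinPE pulls the image and content from the SCCM DP over HTTP/HTTPS/SMB.
! TFTP data flows to a server-chosen ephemeral port, so the server must be
! reachable on any UDP port, not only 69.
permit udp any host 10.0.0.50 eq 4011
permit udp any host 10.0.0.50
permit tcp any host 10.0.0.50 eq 80
permit tcp any host 10.0.0.50 eq 443
permit tcp any host 10.0.0.50 eq 445
! "Internet only": block the private ranges, allow everything else
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
```

Two things to check when testing this: first, "show authentication sessions interface Gi1/0/10 details" should show the session authorized by MAB with the dACL applied before the PXE ROM's DHCP retries run out; if it does not, "authentication order mab dot1x" (keeping "authentication priority dot1x mab") lets MAB run first so a PXE client never waits for EAP at all, while a supplicant that later speaks 802.1X still wins. Second, the dACL is evaluated inbound on the client's port, so the TFTP ACKs the client sends to the server's ephemeral port are the line that most often gets forgotten; the "permit udp any host 10.0.0.50" entry above is what makes the boot image download complete.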