Intel vProTrain Activation Module7

Intel® vPro™ Expert Training 1

Module 7:802.1x, Wireless and Cisco NAC


Topics covered

• 802.1x Overview

– 802.1x network flow

– vPro™ and 802.1x

– 802.1x configuration steps

• Wireless and Intel® Centrino® with vPro™ technology

• Cisco NAC Overview

Exercise 1: Creating a 802.1x Profile

Exercise 2: Creating a Wireless Profile

Exercise 3: Creating a Cisco NAC Profile


Intel® vPro™ Expert Center

• www.intel.com/go/vProexpert

Providing an open dialogue between Intel and the IT community (IT Experts, ISVs, OEMs) on Intel® vPro™ technology.


802.1x Overview

• 802.1x defines extensible authentication protocol between supplicants (clients), authenticators (switches, AP’s) and authenticating servers (RADIUS) to perform authentication

• LAN port based Network Access Control…– Controls network access and prevents unauthorized network

access– Secures a network by controlling access at data link layer

• Network clients must authenticate themselves with the network before network access is granted


Simplified 802.1x network flow

1. LAN port initially ‘CLOSED’ for general network traffic but ‘OPEN’ for 802.1x authentication traffic

2. Network client physically connects to LAN port

3. LAN switch (authenticator) requests client access credentials from network client

4. Network client (supplicant) responds with client access credentials. If client does not respond, port remains ‘CLOSED’ or network client optionally connected to ’GUEST’ network


Simplified 802.1x network flow (cont.)

5. LAN switch passes client access credentials to RADIUS (authenticating server) for authentication and network access level determination

6. RADIUS authenticates client and determines access level (from dBase of valid users / computers) and responds to LAN switch with result

7. If authentication + access request PASSED, LAN port is ‘OPENED’ for general network traffic. Otherwise port remains ‘CLOSED’ or network client optionally connected to ‘GUEST’ network


vPro and 802.1x

• ME firmware contains a 802.1x supplicant– Can ‘open’ network port and/or keep network port ‘open’ independent

of client Operating System – Configures 802.1x supplicant with ME client credentials – Network authentication protocol type determines RADIUS trust

• Authentication of ME requires active directory schema extension – 802.1x supplicant only supported in Enterprise mode;– SMB mode with 802.1x network includes client management via

‘Guest’ network or network authentication using client MAC address

• Validated authentication servers (i.e. RADIUS servers)– Microsoft* ACS– Cisco* ACS– Funk* Odyssey– Meetinghouse* Aegis


802.1x Configuration Steps

1. Identify 802.1x protocol and RADIUS server in use on network

2. Create SCS profiles to define:

– Profile name and 802.1x authentication protocol

– CA and client authentication certificate template (if required)

– RADIUS servers trusted by vPro supplicant

3. Create / modify SCS client profile

4. Reference SCS 802.1x profile

5. Assign SCS client profile to vPro client(s)

6. Re-provision vPro client(s)


Configuring SCS for RADIUS Vendor

• Different vendors RADIUS servers expect differing format entries in CN field of client authentication certificate

• Setup and Configuration Server can be configured to produce client authentication certificates with different format entries for CN field


SCS 802.1x Profile

Root CAFor RADIUSCertificate

RADIUSCertificate

Subject

CertificateSubject

Type

802.X ProfileName

ProtocolType

ClientCertificate

Details

UseAnonymousCredentials


SCS Client Profile

802.X ProfileName

Enable 802.1xauthentication


Wireless supplicant protocols and authentication

• Encryption– Temporal Key Integrity Protocol (TKIP)– Counter Mode CBC MAC Protocol (CCMP)

• Key Management– Wi-Fi Protected Access (WPA)– Robust Secure Network (RSN)

• Supported Authentication

– Pre-Shared Key (PSK)

– 802.1x


vPro and Wireless

• Intel® Centrino® with vPro™ features– Uses Intel Wireless WiFi Link 4965AGN– Quad mode 802.11a/b/g/Draft-N support– 802.11i security support

• ME v2.5 and later (mobile) contains a wireless supplicant– Can associate and authenticate with wireless access points

independent of client OS– Enables Out-of-Band client management– Supported in SMB and Enterprise mode– Can be configured manually (Intel® AMT WebUI) or automatically


vPro and Wireless:Manual Configuration Steps

1. Identify wireless access point parameters in use on network

2. Provision client in SMB or Enterprise mode

3. Open browser and login to Intel® AMT WebUI

4. Add wireless profile

5. Enable management over wireless


Intel® AMT WebUIWireless Configuration

WirelessProfiles

Wireless Profile

Management

WirelessSettings


vPro and Wireless:Automatic Configuration Steps

1. Identify - wireless access point parameters in use- network authentication parameters in use

2. Create SCS profiles:- Configure SCS for 802.1x and create SCS 802.1x profile if wireless

network uses 802.1x authentication, - Create SCS wireless profile to define wireless SSID, ciphers, key

management protocol, pre-shared key (PSK) or profile

3. Assign SCS client profile to vPro client(s)

4. Re-provision vPro client(s)


Intel® AMT WebUIWireless Configuration

Wireless ProfileName

Access PointSSID

Access Point KeyManagement Type

Access Point DataEncryption Type

AuthenticationPass Phrase (PSK)


SCS Wireless Profile

Access PointSSID

Wireless ProfileName

Access Point KeyManagement Type

Access Point DataEncryption Type

AuthenticationPass Phrase (PSK)

802.1x ProfileName


SCS Client Profile

ActiveWireless Profile

Names

InactiveWireless Profile

Names

Wireless ProfileConnection

Priority Order


Troubleshooting

• 802.1x configuration

– Check initial client credentials to “open” network port for provisioning

– Make sure the SCS is configured for RADIUS vendor When the ME requires client authentication certificate

– Point SCS 802.1x profile at Root CA (and not subordinate) when specifying RADIUS certificates that ME should trust, must

• Working with wireless

– Check to make sure wireless hardware has not been disabled by hardware switch, BIOS setting or keyboard hotkey sequence


Overview: vPro and Cisco* NAC

• What is Cisco* NAC?

– Network Admission Control– Prevents unsafe clients connecting to production network– Secures a network by controlling access at data link layer– Requires network clients to provide information before granting

access and traffic flow


Overview: vPro and Cisco* NAC

• Cisco* NAC support provided by ME firmware

– ME firmware generates ME posture information– That information provided to local Cisco Trust Agent (CTA) for In-

Band operation with Cisco NAC network– Also delivered by ME firmware to Cisco Policy Server for Out of

Band client management with Cisco NAC network– Driver set v2.5 and later (mobile), and ME v3.0 and later (desktop)


vPro and Cisco* NACIn-Band Support

Management Engine

12-78-45AC-4D-2298-BE-00

12-78-45AC-4D-2298-BE-00

Signed Posture Data

User NotificationService (UNS)

Cisco* Trust Agentwith Intel Posture

Plug-In

Cisco* ACS

Posture ValidationServer (PVS)

DigitalCertificate

DigitalCertificate


Intel® vPro™ Client

vPro and Cisco* NACOut-of-Band Support

Management Engine

12-78-45AC-4D-2298-BE-00

12-78-45AC-4D-2298-BE-00

Signed Posture Data

Cisco* ACS

Posture ValidationServer (PVS)

DigitalCertificate

DigitalCertificate


vPro and Cisco* NAC Configuration

1. Install vPro driver set onto client (including UNS and NAC posture plug-in) and configure UNS

2. Install Cisco* Trust Agent (CTA) onto client

3. Install Posture Validation Server (PVS) into infrastructure

4. Configure Cisco* Access Control System (ACS) to use PVS


vPro and Cisco* NAC Configuration

5. Configure network switch for NAC

6. Provision vPro client for NAC

7. Export vPro client digital certificate and install in PVS


Quick review

• What is an 802.1x network ?

• How does vPro work with 802.1x networks ?

• How does vPro work with wireless networks ?

• How to configure vPro to connect to 802.1x, wireless and NAC networks?

• How does vPro work with Cisco* NAC?


Exercise 1: Creating an 802.1x Profile


• Login to SMS server

Module 7 - Lab Exercise 1 Create SCS 802.1x Profile


• Open Setup and Configuration (SCS) console



• Click 802.1x Profiles on left-hand navigator



• Click <Add…> to create new SCS 802.1x profile



• Enter ‘EAP-TLS’ for profile name



• Select EAP-TLS for Protocol



• Click <…> to enter certificate details for AMT Client Authentication



• Select CA and template used to issue client certificates

• Click <OK> to accept CA Hostname and Certificate Template



• Click <…> to enter certificate details for Radius Server Authentication



• Select Root CA used to sign RADIUS server authentication certificate

• Click <OK> to accept root certificate details



• Click <OK> to save SCS 802.1x profile



• You have successfully create an SCS 802.1x profile called ‘EAP-TLS’



• Click Profiles on left-hand navigator



• Select ‘No TLS’ profile and click <Edit…> to edit this profile



• Select Wired 802.1x tab



• Check 802.1x Profile



• Click <…> to select the SCS 802.1x profile



• Select the ‘EAP-TLS’ profile

• Click <OK> to use ‘EAP-TLS’ profile



• Click <OK> to save the edited SCS ‘No TLS’ profile



• You have successfully edited the SCS ‘No TLS’ profile to reference the SCS 802.1x profile called ‘EAP-TLS’



• Click <Apply> to save the edited SCS ‘No TLS’ profile



Exercise 2: Creating a Wireless Profile



Module 7 - Lab Exercise 2 Create a Wireless Profile





• Click Wireless Profiles on left-hand navigator



• Click <Add…> to create new SCS wireless profile



• Enter ‘Wireless Profile’ for profile name

• Enter ‘ProDemoAP’ for SSID

• Select WPA for Key Management

• Select TKIP for Encryption Algorithm

• Enter ‘P@ssw0rd’ for Pass phrase



• Click <OK> to save SCS Wireless profile



• You have successfully create an SCS Wireless profile called ‘Wireless Profile’









• Select Wireless Profiles tab

Module 7 - Lab Exercise 2 Create Wireless Profile


• Select ‘Wireless Profile’ and move to Selected Wireless profiles




• You have successfully edited the SCS ‘No TLS’ profile to reference the SCS Wireless profile called ‘Wireless Profile’



Exercise 3: Creating a Cisco* NAC Profile



Module 7 - Lab Exercise 3 Create a Cisco* NAC Profile





• Click 802.1x Profiles on left-hand navigator



• Click <Add…> to create new SCS 802.1x profile



• Enter ‘EAP-FAST’ for profile name



• Select EAP-FAST for Protocol



• Click <…> to enter certificate details for AMT Client Authentication



• Select CA and template used to issue client certificates




• Click <…> to enter certificate details for Radius Server Authentication



• Select Root CA used to sign RADIUS server authentication certificate

• Click <OK> to accept root certificate details



• Click <OK> to save SCS 802.1x profile



• You have successfully create an SCS 802.1x profile called ‘EAP-FAST’









• Select Wired 802.1x tab



• Check 802.1x Profile



• Click <…> to select the SCS 802.1x profile



• Select the ‘EAP-FAST’ profile

• Click <OK> to use ‘EAP-FAST’ profile



• Select NAC tab

• Check Enabled NAC

• Click <…> to select the NAC certificate



• Select CA and template used to issue NAC posture signing certificates







• You have successfully edited the SCS ‘No TLS’ profile to add Cisco NAC support







Legal Information

Copyright NoticeCopyright © 2008, Intel Corporation. All rights reserved.

Trademark InformationCentrino, Centrino Inside, Core Inside, Intel, the Intel logo, Intel Core, Intel vPro, and vPro Inside are trademarks of Intel Corporation in the U.S. and other countries.

* Other names and brands may be claimed as the property of others.


Backup


SCS Client Profile

802.1x supplicantactive in client

S0 State

Time 802.1x supplicantkeeps port openduring PXE boot

802.X ProfileName

Enable 802.1xauthentication


SCS Client Profile

Enable ClientAccess via“in-band”

VPN Routing

Allow ME to use“in-band” wireless

connection

ActiveWireless Profile

Names

InactiveWireless Profile

Names

Wireless ProfileConnection

Priority Order


Example 802.1x Using EAP-PEAP

Intel AMT Client Radius Server

Root CA Certificate(Trust of Radius Server

Authentication Certificate)

Radius ServerAuthentication Certificate

(issued by CA Chain)

CA Chain

CA Chain Certificates(including Root CA)

Active Directory

802.1X CompliantSwitch

(Cisco 3560)


Example 802.1x Using EAP-TLS

CA Chain Certificates(Trust of AMT User


Intel AMT Client Radius Server

AMT UserAuthentication Certificate


Root CA Certificate(Trust of Radius Server


Radius ServerAuthentication Certificate


CA Chain

CA Chain Certificates(including Root CA)

802.1X CompliantSwitch

(Cisco 3560)Active Directory


ME and 802.1x


Cisco NAC Pictorial ExampleCourtesy Cisco Systems



• www.intel.com/go/vproexpert






Intel vProTrain Activation Module7

Documents

network flow vpro

x profile

intel vpro technology

intel vpro expert center

vpro supplicant

network flow1

unauthorized network

scs client profile