AdamGrossTX / asquaredozen


Configuring 802.1x Authentication for Windows Deployment-A Square Dozen | A. Gross Blog #6

Open utterances-bot opened 3 years ago

utterances-bot commented 3 years ago

Configuring 802.1x Authentication for Windows Deployment-A Square Dozen | A. Gross Blog

A.Gross Blog | Adam Gross Enterprise Mobility MVP

https://www.asquaredozen.com/2018/07/29/configuring-802-1x-authentication-for-windows-deployment/

candrews67 commented 3 years ago

Where can I read "Part 3"? Thanks!

candrews67 commented 3 years ago

Looks like Part 3 is here:

https://www.asquaredozen.com/2018/07/29/configuring-802-1x-authentication-for-windows-deployment-part-3-integrating-802-1x-authentication-into-a-bare-metal-task-sequence/

tuaninbox commented 1 year ago

Hello,

First, I'm sorry if I misunderstand this series of articles and post this comment. Please correct me if I'm wrong.

When reading part 5 of this series, it's mentioned that the MAC addresses of endpoints need to be whitelisted in ISE. Doing that is MAC Authentication Bypass, which is used when the client doesn't support 802.1X authentication. This contradicts all the previous steps to build the authentication capability for the PXE client.

These articles caused a misconception for one of my customers, so I want to post a comment to discuss it further, or to correct my misunderstanding if I missed anything. Thanks

AdamGrossTX commented 1 year ago

You didn't misunderstand; however, I think that the scope of the use case may help. While the intent of NAC is to provide secure network access to trusted devices, I found that this wasn't easy to achieve when working within PXE/WinPE/Task Sequence. Parts 1-4 describe the more secure way to achieve secure NAC within this process, but it tends to be quite cumbersome. So the solution described in part 5 provides a more manageable solution that does use MAB, but for a very limited scope of devices and only during the imaging process. There is a risk that someone could connect to our network with their own device, PXE boot, get whitelisted in ISE, then reboot into Windows and gain network access. However, we deemed this risk to be minimal given the other controls we have in place (physical security, gated access, other network security, firewalls, etc.), so this solution works well for us. It's all about identifying, assessing and accepting the risks.
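The residual risk described in the comment above is the window during which a MAC address stays in the MAB whitelist after imaging. The following script is an added illustration, not code from the blog series, from ISE, or from the commenters; it shows one way to bound that window on the ConfigMgr side: an entry is selected for removal as soon as the task sequence reports completion, or once it exceeds an assumed maximum imaging time (the 4-hour TTL, the in-memory record layout, and the sample MACs are all assumptions constructed for the example). The actual deletion from the ISE endpoint group is a separate call that the caller makes with the returned list.

```python
"""Time-boxed MAB whitelist reconciliation (added example, not from the blog).

Idea: a PXE client's MAC is whitelisted in ISE (MAB) only while its task
sequence is running. Once the device finishes imaging it has a domain
identity and should pass 802.1X like any other client, so the MAB entry is
dropped; entries that outlive the assumed imaging time are dropped too, so a
rogue device that PXE-booted and then rebooted into its own OS does not keep
MAB access indefinitely.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumption: no legitimate imaging run takes longer than this.
MAB_TTL = timedelta(hours=4)


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to the AA:BB:CC:DD:EE:FF form ISE displays.

    Inputs from WinPE (dashes), switches (dots) and humans (no separators)
    all arrive in different shapes; comparing un-normalised strings is a
    classic way to leave a stale entry behind.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class WhitelistEntry:
    """One MAB endpoint as the task sequence recorded it (assumed layout)."""
    mac: str
    added: datetime  # when the task sequence added it to the ISE group


def select_revocations(entries, completed_macs, now):
    """Return the MACs that should be removed from the MAB endpoint group.

    Revoke when either:
      * the task sequence reported completion for that MAC, or
      * the entry is older than MAB_TTL (imaging failed, was abandoned,
        or the device was never one of ours).
    """
    done = {normalize_mac(m) for m in completed_macs}
    revoke = set()
    for entry in entries:
        mac = normalize_mac(entry.mac)
        if mac in done or now - entry.added > MAB_TTL:
            revoke.add(mac)
    return sorted(revoke)


# Constructed sample data: one run in progress, one finished, one stale.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    WhitelistEntry("00-11-22-33-44-55", NOW - timedelta(minutes=30)),  # imaging now
    WhitelistEntry("aabbccddeeff", NOW - timedelta(hours=2)),           # finished
    WhitelistEntry("66:77:88:99:aa:bb", NOW - timedelta(hours=6)),      # stale
]
SAMPLE_COMPLETED = ["aa:bb:cc:dd:ee:ff"]  # MACs the task sequence reported done


def demo():
    """Run the reconciliation over the constructed sample and return the result."""
    return select_revocations(SAMPLE_ENTRIES, SAMPLE_COMPLETED, NOW)


if __name__ == "__main__":
    for mac in demo():
        print(f"remove from MAB group: {mac}")
```

Running this against real data would mean feeding it the endpoint list pulled from ISE and the completion records from ConfigMgr; the point it demonstrates is that the whitelist membership, not just the imaging VLAN, is what has to be time-boxed for the accepted risk to stay small.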