Naj Saqi (Australia) asked:
Windows 7 Deployment under 802.1x Wired LAN Authentication

Hi Folks:

I know, I'm going to ask the most interesting and challenging question of the year :) I know about all the Windows 7 deployment tools, i.e. MDT 2010, WDS (2008 R2), WAIK, unattended installation, PE 3.0, etc. But in our case there is 802.1x wired LAN authentication. So what happens is, when we try to boot our clients via WinPE, they fall into the public VLAN and therefore cannot connect to our PXE server. If we boot via USB instead, they cannot connect to AD, as they are assigned a public address.

I also know that Microsoft recently released a couple of hotfixes for 802.1x:

http://news.softpedia.com/news/Windows-Preinstall-Environment-Now-Supports-the-IEEE-802-1X-Protocol-132179.shtml

http://support.microsoft.com/kb/976210/en-us

http://support.microsoft.com/kb/972831

But there is no usage guide.

Has anyone found a solution for this?
Suliman Abu Kharroub (Jordan):

What switch do you use?

If you use Cisco switches, take a look here:

http://cisco.biz/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

CiscoCat2(config-if)#spanning-tree portfast
CiscoCat2(config-if)#dot
CiscoCat2(config-if)#dot1x co
CiscoCat2(config-if)#dot1x control-direction in
CiscoCat2(config-if)#
I guess you would need the PXE part (the prom...) to be able to use 802.1x in order for your clients to be authenticated using this method (in the "correct VLAN").
Unfortunately, I do not know about any implementation of PXE that can use 802.1x. The IP stack in PXE is very basic.

You can try a gPXE trick: boot using gPXE. It seems that gPXE can use 802.1x (but I never tried it myself).

Another way around would be to make sure that your PXE-booted environment (WinPE would be my best choice) can use 802.1x. It might require updating some of the components and drivers in your WinPE environment.
You would then:
1/ use the default VLAN to load WinPE (using PXE)
2/ WinPE would initialize its network stack and get an IP configuration. This would be a new IP configuration (not the one used by PXE), and it would have used 802.1x to get it.

But maybe the easiest path is to make your deployment environment available on the default VLAN...
bmigette:

Another solution would be to use MAC authentication bypass, if you are using Cisco switches (the feature may be available from other vendors too).
Create a username with the MAC address of the device as username and password on your RADIUS server, then configure the switch to fall back to MAB, so if the computer does not send 802.1x credentials, the switch will use its MAC address. Then once deployed you can deactivate the MAC address account.
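As an added example, not code from this thread: generating the RADIUS accounts bmigette describes (MAC address as both username and password) as a FreeRADIUS users-file fragment, with an expiry so a MAC-only account does not outlive the build. It assumes Cisco's default MAB username format (12 lowercase hex digits, no separators) and FreeRADIUS users-file syntax; BlueSocket's own RADIUS/MAB format is not covered by the thread. The sample MACs are constructed.

```python
import re
from datetime import datetime

# Constructed sample MACs of machines waiting to be imaged (not real devices).
BUILD_MACS = ["00-11-22-33-44-55", "0011.2233.4466", "00:11:22:33:44:77",
              "00-11-22-33-44-55"]   # duplicate on purpose, see build_users_file

def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits that Cisco IOS MAB sends as both
    username and password by default (assumption: no 'mab request format'
    override on the switch). Raises ValueError for anything that is not a MAC."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mab_entry(mac: str, expires_iso: str) -> str:
    """One FreeRADIUS 'users' line: MAC as username and password, plus an
    rlm_expiration check item so the account stops working after the build
    window (a MAC is trivially cloneable, so the account must be short-lived)."""
    m = normalize_mac(mac)
    exp = datetime.strptime(expires_iso, "%Y-%m-%d").strftime("%d %b %Y")
    return f'{m}\tCleartext-Password := "{m}", Expiration := "{exp}"'

def reject_entry(mac: str) -> str:
    """Line that replaces the MAB entry once the machine is domain-joined and
    authenticates with its own 802.1x credentials: the MAC is refused outright."""
    return f"{normalize_mac(mac)}\tAuth-Type := Reject"

def build_users_file(macs, expires_iso: str) -> str:
    """Render a users-file fragment, skipping duplicate MACs so the file never
    carries two conflicting entries for the same client."""
    lines = ["# MAB accounts for OS deployment only; swap in reject_entry() after build"]
    seen = set()
    for mac in macs:
        m = normalize_mac(mac)
        if m not in seen:
            seen.add(m)
            lines.append(mab_entry(m, expires_iso))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_users_file(BUILD_MACS, "2010-06-30"))
```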
Naj Saqi (asker):

Regarding Intel vPro, we have only a few laptops that use this technology, so it is automatically ruled out.
With reference to MAC authentication bypass, our network folks invested a lot of time and money in the implementation of 802.1x technology and hardware, so we cannot even think about disabling or changing 802.1x.
Regarding WinPE, I need to know the mechanism: how can I use it in an 802.1x environment?
Yes, we are using Cisco hardware and BlueSocket as well.
For WinPE, the hotfixes are here:

WinPE 2.1: http://support.microsoft.com/kb/975483

WinPE 3.0: http://support.microsoft.com/kb/972831

And how-tos are available here:
http://blogs.technet.com/b/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx

I have not tried it myself though.
I already knew about this guide. Look at the comments; I already asked a question over there. For reference I am pasting it here as well:

Najam 28 Apr 2010 7:06 AM
The real issue with 802.1x environment is getting IP address while booting via network. When you hit F12 and select boot via network, it tries to find IP address, if it couldn't, how it can see my PXE/WDS server?

 Jeremias Jansson 26 May 2010 1:48 AM
Yes, the real issue is how to PXEboot in a 802.1X environment, any thoughts around that? I guess you had to deal with that in your real world customer cases?

Thank you for a great guide by the way!

 Daniel Oxley 26 May 2010 7:01 AM
@Jeremias Jansson

This is a scenario that is not contemplated in the published guide.  I've never had to work it out so as yet I have no answer for you.  However, I can't immediately think of a way that it would be possible.

Daniel

So he also didn't cover this scenario in his guide :(
SOLUTION by vivigatt (France): (solution text not shown on this page)
@Vivigatt:

Thanks for your reply. Our network folks helped us a lot in this regard. They built a test environment with BlueSocket (as I mentioned, we use this device for 802.1x authentication). As I mentioned earlier, when our PXE client boots, it falls into the public VLAN and gets an IP address from BlueSocket's DHCP. They opened a trunk on the port where the PXE client was connected. Then they specified the NBP file path and the PXE server address in BlueSocket's DHCP.

Now when the PXE client boots, it gets an IP address from BlueSocket and the NBP file from our PXE server (WDS server). Now we are working on the second path: how that client can contact AD, because after image deployment it falls again into the VLAN.
@A1opus

Thanks for the update.

For the AD stuff, inter-VLAN routing will be needed.
You may then "just" need to specify the IP addresses of the WINS servers (DHCP option 44, AFAIR).
Can anyone tell me which ports are used by the WDS or MDT 2010 server to communicate with Active Directory?
ASKER CERTIFIED SOLUTION: (solution text not shown on this page)
thanks for the credit!