802.1x and PXE boot
Posted: 18 Oct 2009 13:09
by Rens_DUP
Hello everyone,
Currently I'm working on a network deployment where they want to use 802.1x to authenticate the network devices and I could use your help with this. The Access Guardian feature with its 802.1x and MAC authentication works great on the 6850 and 6400 switches. But now the catch. They also would like to use PXE boot to supply new images to the different hosts.
So when a host boots it looks at the PXE boot server. If a new image is available for this host, the host will boot from the network and install the image.
But how can the host access the network if it isn't authenticated? (Like almost all stations, the BIOS where the PXE boot is located doesn't contain an 802.1x client.)
I tried to use MAC authentication to authenticate the host and put it in a VLAN where it can locate the PXE boot server. This seemed to solve my problem. Until I booted the host in its Windows environment.
The MAC authentication stayed in place and the host was still authenticated.
Anyone any examples on the best way to address this issue?
I'm using the Alcatel-Lucent 6400 switches with AOS release 6.4.2.807 and IAS / AD2003 as the RADIUS server. The client uses the built-in 802.1x client supplied by Windows XP.
Regards,
Rens
Re: 802.1x and PXE boot
Posted: 19 Oct 2009 10:50
by cedric1
hello
Did you try with this command: "802.1x slot/port reauthentication"?
I don't know if it will trigger a complete reprocess of auth with 802.1X, but it costs nothing to test.
If it works you can configure the period for re-auth.
Let me know
Cedric
Re: 802.1x and PXE boot
Posted: 29 Oct 2009 14:47
by Rens_DUP
Hello Cedric (and the rest)
I've configured the Access Guardian to first use 802.1x and second MAC authentication. After the system starts up, MAC authentication is used to run the PXE boot. When this is finished, Windows starts. After a while, I think when the 802.1x client is started, the MAC authentication is released and the station is authenticated based on 802.1x.
To enable the workstation to authenticate even when no user is logged on I had to use PEAP in Windows and configure some registry settings.
But all seems to be working now,
Regards,
Rens
Re: 802.1x and PXE boot
Posted: 29 Oct 2009 15:30
by cedric1
hello
thanks for update.
Can you post a "show 802.1X slot/port" to see the config of your port?
Do you use re-auth, or does the switch automatically probe to test if there is an 802.1x user (after PXE boot)?
So you use machine authentication to log the station on without a user logging in.
It would be great if you post a screenshot of the registry settings (0, 1 or 2 depending on how you want to auth your station).
If it can help other users it will be a good thing.
Regards
Cedric
Re: 802.1x and PXE boot
Posted: 17 Nov 2009 13:28
by Rens_DUP
Hereby the settings in the switch as well as in the Windows XP workstation.
vlan port mobile 1/16
vlan port 1/16 802.1x enable
802.1x 1/16 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/16 captive-portal session-limit 12 retry-count 3
802.1x 1/16 supp-polling retry 2
802.1x 1/16 supplicant policy authentication pass default-vlan fail captive-portal
802.1x 1/16 non-supplicant policy authentication pass default-vlan fail captive-portal
802.1x 1/16 captive-portal policy authentication pass default-vlan fail block
The windows registry settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Authmode
Change to 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
Change to 3
Some explanation about the registry settings:
Registry Key AuthMode:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
Value Type: REG_DWORD
Valid Range: 0-2
Default value: 0
Present by default: No
Values:
0. Computer authentication mode: If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, then user authentication is performed. This is the default setting for Windows XP (prior to SP1).
1. Computer authentication with re-authentication: If computer authentication completes successfully, a subsequent user logon results in a re-authentication with the user certificate. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user certificate is used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP (SP1 and later).
2. Computer authentication only: When a user logs on, it has no effect on the connection. 802.1X authentication is performed using the computer certificate only. The exception to this behaviour is that if you have a successful user logon and roam between wireless APs, then user authentication is performed.
Registry Key SupplicantMode:
Key: HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
Value Type: REG_DWORD
Values:
0. Disable IEEE 802.1X operation.
1. Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all scenarios.
2. Include learning to determine when to initiate the transmission of EAPOL packets.
3. Compliant with IEEE 802.1X Specification.
What will happen with these settings is the following:
-System boots and sends a BOOTP request with PXE boot.
-RADIUS server validates based on the MAC address.
-System is still waiting for a DHCP response and finally gets a reply.
-If a PXE image is available it boots the PXE image, otherwise it will boot Windows XP.
-During the boot process the system is still authenticated through MAC authentication.
-Halfway through the boot process (I guess when Windows activates the 802.1x service) the system authenticates using its hostname. If all credentials are valid the system will be validated through 802.1x and MAC authentication will be dropped.
There seems to be one catch I've discovered so far. When you unplug and replug a station from the network it will be authenticated based on its MAC address. But this seems to be a Windows issue.
Regards,
Rens
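A small model of the port behaviour described in the post, as an added example (not switch code or anything from the original thread): it parses the three policy lines from the switch config above and replays the boot sequence, showing which authentication holds the port after each step. The event names and the `replay` logic are assumptions that encode only what the post reports (802.1x taking over from MAC auth, a link flap returning the port to MAC auth); failure branches simply follow the policy actions.

```python
import re
# Constructed copy of the three policy lines from the switch config in the post.
CONFIG = """\
802.1x 1/16 supplicant policy authentication pass default-vlan fail captive-portal
802.1x 1/16 non-supplicant policy authentication pass default-vlan fail captive-portal
802.1x 1/16 captive-portal policy authentication pass default-vlan fail block
"""
POLICY_RE = re.compile(
    r"^802\.1x\s+(\S+)\s+(supplicant|non-supplicant|captive-portal)\s+policy\s+"
    r"authentication\s+pass\s+(\S+)\s+fail\s+(\S+)$")

def parse_policies(text):
    """Map policy class -> {'pass': action, 'fail': action} for one port."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(2)] = {"pass": m.group(3), "fail": m.group(4)}
    return policies

def replay(policies, events):
    """Replay port events; return (event, value, holding method, action) per step.
    Hypothetical events: ('link', up|down), ('mac', pass|fail) = RADIUS answer to
    MAC/non-supplicant auth, ('eapol', pass|fail) = RADIUS answer to 802.1x auth.
    As the post observed, a passing 802.1x result takes over from MAC auth, and a
    link-down clears the port so the next link-up starts over with MAC auth."""
    method, action, trace = None, "unauthenticated", []
    for kind, value in events:
        if kind == "link":
            method, action = None, "unauthenticated"
        elif kind == "mac" and method != "802.1x":  # 802.1x already holds the port
            action = policies["non-supplicant"][value]
            method = "mac" if value == "pass" else None
        elif kind == "eapol":
            action = policies["supplicant"][value]
            method = "802.1x" if value == "pass" else None
        trace.append((kind, value, method, action))
    return trace

# The boot sequence from the post, as constructed events.
BOOT_SEQUENCE = [
    ("link", "up"),     # BIOS/PXE phase: no 802.1x client on the host
    ("mac", "pass"),    # RADIUS validates the MAC address; DHCP/PXE proceeds
    ("eapol", "pass"),  # Windows starts its 802.1x service; machine auth passes
    ("link", "down"),   # cable pulled ...
    ("link", "up"),     # ... and replugged: MAC auth again until EAPOL restarts
    ("mac", "pass"),
]
def demo():
    return replay(parse_policies(CONFIG), BOOT_SEQUENCE)
```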
Re: 802.1x and PXE boot
Posted: 17 Nov 2009 16:56
by cedric1
hello Rens
thanks for this clarification.
When you unplug and replug the PC, does the switch send an EAPOL-Start message to the PC? Did you try to sniff packets on the PC?
One question: if you use option 1 in the registry for the Global value, and the user doesn't log on within 60 s, is the connection dropped?
But is it still possible for a user to log on 5 minutes after boot of the PC? No?
Or is 60 s the time to authenticate the user after his logon?
regards
Cedric
Re: 802.1x and PXE boot
Posted: 18 Nov 2009 13:04
by Rens_DUP
Hello Cedric,
I haven't traced the issue with Wireshark so I can't say if there is any 802.1x communication. Regarding your other question: I've tested this and it doesn't seem to be an issue. When nobody is logged on the system stays connected based on the computer name. When someone logs in, the 802.1x part in the switch detects this and activates the new setting delivered by the RADIUS server.
Regards,
Rens
Re: 802.1x and PXE boot
Posted: 19 Nov 2009 03:21
by cedric1
hello Rens
Thanks a lot for your contribution and clarification.
KR
Cedric