Intel vProTrain Activation Module 7
Transcript of Intel vProTrain Activation Module 7
Intel® vPro™ Expert Training 1
Module 7: 802.1x, Wireless and Cisco NAC
Topics covered
• 802.1x Overview
– 802.1x network flow
– vPro™ and 802.1x
– 802.1x configuration steps
• Wireless and Intel® Centrino® with vPro™ technology
• Cisco NAC Overview
Exercise 1: Creating an 802.1x Profile
Exercise 2: Creating a Wireless Profile
Exercise 3: Creating a Cisco NAC Profile
Intel® vPro™ Expert Center
• www.intel.com/go/vProexpert
Providing an open dialogue between Intel and the IT community (IT Experts, ISVs, OEMs) on Intel® vPro™ technology.
802.1x Overview
• 802.1x defines an extensible authentication protocol exchange between supplicants (clients), authenticators (switches, APs) and authentication servers (RADIUS) to perform authentication
• LAN port based Network Access Control
– Controls network access and prevents unauthorized network access
– Secures a network by controlling access at the data link layer
• Network clients must authenticate themselves to the network before network access is granted
Simplified 802.1x network flow
1. LAN port initially ‘CLOSED’ for general network traffic but ‘OPEN’ for 802.1x authentication traffic
2. Network client physically connects to LAN port
3. LAN switch (authenticator) requests client access credentials from network client
4. Network client (supplicant) responds with client access credentials. If client does not respond, port remains ‘CLOSED’ or network client is optionally connected to ‘GUEST’ network
5. LAN switch passes client access credentials to RADIUS (authenticating server) for authentication and network access level determination
6. RADIUS authenticates client and determines access level (from database of valid users / computers) and responds to LAN switch with result
7. If authentication + access request PASSED, LAN port is ‘OPENED’ for general network traffic. Otherwise port remains ‘CLOSED’ or network client is optionally connected to ‘GUEST’ network
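The seven-step flow above as an added Python model; this is not part of the Intel training material. A switch port starts CLOSED, relays whatever the supplicant presents to a RADIUS server without judging it, and ends OPEN, CLOSED or on the optional GUEST network. The class names and the account database are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLOSED, OPEN, GUEST = "CLOSED", "OPEN", "GUEST"   # port states named on the slides


@dataclass
class RadiusServer:
    """Authentication server: decides from its database of valid users / computers."""
    # Constructed sample database: identity -> (secret, access level)
    accounts: Dict[str, Tuple[str, str]] = field(default_factory=lambda: {
        "amt-client-01$": ("machine-secret", "corp-vlan"),
        "alice": ("alice-pw", "user-vlan"),
    })

    def authenticate(self, identity: str, secret: str) -> Optional[str]:
        """Returns the access level (Access-Accept) or None (Access-Reject)."""
        entry = self.accounts.get(identity)
        if entry is None or entry[0] != secret:
            return None
        return entry[1]


@dataclass
class Authenticator:
    """LAN switch port: relays credentials to RADIUS and never validates them itself."""
    radius: RadiusServer
    guest_network: bool = False            # optional 'GUEST' network for non-authenticated clients
    state: str = CLOSED                    # step 1: closed for general traffic
    access_level: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def connect(self, supplicant: Optional[Dict[str, str]]) -> str:
        """Runs steps 2-7 for one link-up event and returns the resulting port state."""
        self.access_level = None
        self.log.append("switch -> client: request credentials")           # step 3
        if supplicant is None:                                             # step 4: no reply
            self.log.append("client: no 802.1x supplicant response")
            self.state = GUEST if self.guest_network else CLOSED
            return self.state
        self.log.append(f"client -> switch: identity={supplicant['identity']}")
        # Step 5: the switch only forwards; the trust decision is made by RADIUS
        level = self.radius.authenticate(supplicant["identity"], supplicant["secret"])
        if level is None:                                                  # step 7: failed
            self.log.append("RADIUS -> switch: Access-Reject")
            self.state = GUEST if self.guest_network else CLOSED
        else:                                                              # step 7: passed
            self.log.append(f"RADIUS -> switch: Access-Accept, access level {level}")
            self.state, self.access_level = OPEN, level
        return self.state


if __name__ == "__main__":
    port = Authenticator(RadiusServer(), guest_network=True)
    print(port.connect({"identity": "amt-client-01$", "secret": "machine-secret"}))  # OPEN
    print(port.connect(None))                                                       # GUEST
    print("\n".join(port.log))
```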
vPro and 802.1x
• ME firmware contains an 802.1x supplicant
– Can ‘open’ network port and/or keep network port ‘open’ independent of client Operating System
– Configures 802.1x supplicant with ME client credentials
– Network authentication protocol type determines RADIUS trust
• Authentication of ME requires Active Directory schema extension
– 802.1x supplicant only supported in Enterprise mode
– SMB mode with 802.1x network includes client management via ‘Guest’ network or network authentication using client MAC address
• Validated authentication servers (i.e. RADIUS servers)
– Microsoft* ACS
– Cisco* ACS
– Funk* Odyssey
– Meetinghouse* Aegis
802.1x Configuration Steps
1. Identify 802.1x protocol and RADIUS server in use on network
2. Create SCS profiles to define:
– Profile name and 802.1x authentication protocol
– CA and client authentication certificate template (if required)
– RADIUS servers trusted by vPro supplicant
3. Create / modify SCS client profile
4. Reference SCS 802.1x profile
5. Assign SCS client profile to vPro client(s)
6. Re-provision vPro client(s)
Configuring SCS for RADIUS Vendor
• Different vendors’ RADIUS servers expect differently formatted entries in the CN field of the client authentication certificate
• The Setup and Configuration Server can be configured to produce client authentication certificates with the CN field format each vendor expects
SCS 802.1x Profile
(Screenshot of the SCS 802.1x profile dialog; fields shown: 802.1x Profile Name, Protocol Type, Client Certificate Details, Use Anonymous Credentials, Root CA for RADIUS Certificate, RADIUS Certificate Subject, Certificate Subject Type)
SCS Client Profile
(Screenshot of the SCS client profile dialog; fields shown: 802.1x Profile Name, Enable 802.1x authentication)
Wireless supplicant protocols and authentication
• Encryption
– Temporal Key Integrity Protocol (TKIP)
– Counter Mode CBC MAC Protocol (CCMP)
• Key Management
– Wi-Fi Protected Access (WPA)
– Robust Secure Network (RSN)
• Supported Authentication
– Pre-Shared Key (PSK)
– 802.1x
vPro and Wireless
• Intel® Centrino® with vPro™ features
– Uses Intel Wireless WiFi Link 4965AGN
– Quad mode 802.11a/b/g/Draft-N support
– 802.11i security support
• ME v2.5 and later (mobile) contains a wireless supplicant
– Can associate and authenticate with wireless access points independent of client OS
– Enables Out-of-Band client management
– Supported in SMB and Enterprise mode
– Can be configured manually (Intel® AMT WebUI) or automatically
vPro and Wireless: Manual Configuration Steps
1. Identify wireless access point parameters in use on network
2. Provision client in SMB or Enterprise mode
3. Open browser and login to Intel® AMT WebUI
4. Add wireless profile
5. Enable management over wireless
Intel® AMT WebUI Wireless Configuration
(Screenshot of the Intel® AMT WebUI wireless page; items shown: Wireless Profiles, Wireless Profile, Management, Wireless Settings)
vPro and Wireless: Automatic Configuration Steps
1. Identify:
– wireless access point parameters in use
– network authentication parameters in use
2. Create SCS profiles:
– Configure SCS for 802.1x and create SCS 802.1x profile if wireless network uses 802.1x authentication
– Create SCS wireless profile to define wireless SSID, ciphers, key management protocol, and pre-shared key (PSK) or 802.1x profile
3. Assign SCS client profile to vPro client(s)
4. Re-provision vPro client(s)
Intel® AMT WebUI Wireless Configuration
(Screenshot of the Intel® AMT WebUI wireless profile dialog; fields shown: Wireless Profile Name, Access Point SSID, Access Point Key Management Type, Access Point Data Encryption Type, Authentication Pass Phrase (PSK))
SCS Wireless Profile
(Screenshot of the SCS wireless profile dialog; fields shown: Wireless Profile Name, Access Point SSID, Access Point Key Management Type, Access Point Data Encryption Type, Authentication Pass Phrase (PSK), 802.1x Profile Name)
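A consistency check for the SCS wireless profile fields above, added here as an example and not Intel SCS code; it also encodes the cipher, key management and authentication options from the earlier wireless supplicant slide. The WirelessProfile model, the derivation of the authentication method from which credential is set, and the 8 to 63 printable ASCII character passphrase rule (from 802.11i) are assumptions not stated on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional

KEY_MANAGEMENT = {"WPA", "RSN"}   # key management protocols listed on the slides
ENCRYPTION = {"TKIP", "CCMP"}     # data encryption ciphers listed on the slides


@dataclass
class WirelessProfile:
    """Hypothetical model mirroring the SCS wireless profile fields."""
    name: str
    ssid: str
    key_management: str
    encryption: str
    passphrase: Optional[str] = None          # set for PSK authentication
    dot1x_profile_name: Optional[str] = None  # set for 802.1x authentication (SCS 802.1x profile)


def auth_method(profile: WirelessProfile) -> Optional[str]:
    """'PSK' or '802.1x', derived from which credential the profile carries; None if ambiguous."""
    if bool(profile.passphrase) == bool(profile.dot1x_profile_name):
        return None
    return "802.1x" if profile.dot1x_profile_name else "PSK"


def validate(profile: WirelessProfile) -> List[str]:
    """Returns findings; an empty list means the profile is consistent with no advisories."""
    findings = []
    if not profile.name:
        findings.append("profile name is empty")
    if not 1 <= len(profile.ssid.encode("utf-8")) <= 32:   # 802.11 SSID length limit
        findings.append("SSID must be 1..32 bytes")
    if profile.key_management not in KEY_MANAGEMENT:
        findings.append(f"unknown key management {profile.key_management!r}")
    if profile.encryption not in ENCRYPTION:
        findings.append(f"unknown encryption {profile.encryption!r}")
    method = auth_method(profile)
    if method is None:
        findings.append("exactly one of passphrase (PSK) or 802.1x profile name must be set")
    elif method == "PSK":
        pw = profile.passphrase
        # 802.11i: a WPA/RSN passphrase is 8..63 printable ASCII characters
        if not 8 <= len(pw) <= 63 or not all(32 <= ord(c) <= 126 for c in pw):
            findings.append("PSK passphrase must be 8..63 printable ASCII characters")
    if profile.encryption == "TKIP":
        # TKIP is the weaker of the two ciphers listed; flag it for review
        findings.append("TKIP selected; prefer CCMP where the access point supports it")
    return findings


if __name__ == "__main__":
    # Constructed profile using the values from Lab Exercise 2 in this module
    lab = WirelessProfile("Wireless Profile", "ProDemoAP", "WPA", "TKIP", passphrase="P@ssw0rd")
    print(validate(lab))  # ['TKIP selected; prefer CCMP where the access point supports it']
```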
SCS Client Profile
(Screenshot of the SCS client profile wireless tab; fields shown: Active Wireless Profile Names, Inactive Wireless Profile Names, Wireless Profile Connection Priority Order)
Troubleshooting
• 802.1x configuration
– Check initial client credentials to “open” network port for provisioning
– When the ME requires a client authentication certificate, make sure the SCS is configured for the RADIUS vendor
– When specifying the RADIUS certificates that the ME should trust, point the SCS 802.1x profile at the Root CA (and not a subordinate CA)
• Working with wireless
– Check to make sure wireless hardware has not been disabled by hardware switch, BIOS setting or keyboard hotkey sequence
Overview: vPro and Cisco* NAC
• What is Cisco* NAC?
– Network Admission Control
– Prevents unsafe clients connecting to production network
– Secures a network by controlling access at data link layer
– Requires network clients to provide information before granting access and traffic flow
• Cisco* NAC support provided by ME firmware
– ME firmware generates ME posture information
– That information is provided to local Cisco Trust Agent (CTA) for In-Band operation with Cisco NAC network
– Also delivered by ME firmware to Cisco Policy Server for Out-of-Band client management with Cisco NAC network
– Driver set v2.5 and later (mobile), and ME v3.0 and later (desktop)
vPro and Cisco* NAC In-Band Support
(Diagram: the Management Engine on the Intel® vPro™ client produces Signed Posture Data; it passes through the User Notification Service (UNS) to the Cisco* Trust Agent with Intel Posture Plug-In and on to the Cisco* ACS Posture Validation Server (PVS); a Digital Certificate is shown on both the Management Engine and the PVS)
vPro and Cisco* NAC Out-of-Band Support
(Diagram: the Management Engine on the Intel® vPro™ client delivers Signed Posture Data directly to the Cisco* ACS Posture Validation Server (PVS); a Digital Certificate is shown on both the Management Engine and the PVS)
vPro and Cisco* NAC Configuration
1. Install vPro driver set onto client (including UNS and NAC posture plug-in) and configure UNS
2. Install Cisco* Trust Agent (CTA) onto client
3. Install Posture Validation Server (PVS) into infrastructure
4. Configure Cisco* Access Control System (ACS) to use PVS
5. Configure network switch for NAC
6. Provision vPro client for NAC
7. Export vPro client digital certificate and install in PVS
Quick review
• What is an 802.1x network?
• How does vPro work with 802.1x networks?
• How does vPro work with wireless networks?
• How do you configure vPro to connect to 802.1x, wireless and NAC networks?
• How does vPro work with Cisco* NAC?
Exercise 1: Creating an 802.1x Profile
Module 7 - Lab Exercise 1: Create SCS 802.1x Profile
• Login to SMS server
• Open Setup and Configuration (SCS) console
• Click 802.1x Profiles on left-hand navigator
• Click <Add…> to create new SCS 802.1x profile
• Enter ‘EAP-TLS’ for profile name
• Select EAP-TLS for Protocol
• Click <…> to enter certificate details for AMT Client Authentication
• Select CA and template used to issue client certificates
• Click <OK> to accept CA Hostname and Certificate Template
• Click <…> to enter certificate details for RADIUS Server Authentication
• Select Root CA used to sign RADIUS server authentication certificate
• Click <OK> to accept root certificate details
• Click <OK> to save SCS 802.1x profile
• You have successfully created an SCS 802.1x profile called ‘EAP-TLS’
• Click Profiles on left-hand navigator
• Select ‘No TLS’ profile and click <Edit…> to edit this profile
• Select Wired 802.1x tab
• Check 802.1x Profile
• Click <…> to select the SCS 802.1x profile
• Select the ‘EAP-TLS’ profile
• Click <OK> to use ‘EAP-TLS’ profile
• Click <OK> to save the edited SCS ‘No TLS’ profile
• You have successfully edited the SCS ‘No TLS’ profile to reference the SCS 802.1x profile called ‘EAP-TLS’
• Click <Apply> to save the edited SCS ‘No TLS’ profile
Exercise 2: Creating a Wireless Profile
Module 7 - Lab Exercise 2: Create a Wireless Profile
• Login to SMS server
• Open Setup and Configuration (SCS) console
• Click Wireless Profiles on left-hand navigator
• Click <Add…> to create new SCS wireless profile
• Enter ‘Wireless Profile’ for profile name
• Enter ‘ProDemoAP’ for SSID
• Select WPA for Key Management
• Select TKIP for Encryption Algorithm
• Enter ‘P@ssw0rd’ for Pass phrase
• Click <OK> to save SCS Wireless profile
• You have successfully created an SCS Wireless profile called ‘Wireless Profile’
• Click Profiles on left-hand navigator
• Select ‘No TLS’ profile and click <Edit…> to edit this profile
• Select Wireless Profiles tab
• Select ‘Wireless Profile’ and move to Selected Wireless profiles
• Click <OK> to save the edited SCS ‘No TLS’ profile
• You have successfully edited the SCS ‘No TLS’ profile to reference the SCS Wireless profile called ‘Wireless Profile’
Exercise 3: Creating a Cisco* NAC Profile
Module 7 - Lab Exercise 3: Create a Cisco* NAC Profile
• Login to SMS server
• Open Setup and Configuration (SCS) console
• Click 802.1x Profiles on left-hand navigator
• Click <Add…> to create new SCS 802.1x profile
• Enter ‘EAP-FAST’ for profile name
• Select EAP-FAST for Protocol
• Click <…> to enter certificate details for AMT Client Authentication
• Select CA and template used to issue client certificates
• Click <OK> to accept CA Hostname and Certificate Template
• Click <…> to enter certificate details for RADIUS Server Authentication
• Select Root CA used to sign RADIUS server authentication certificate
• Click <OK> to accept root certificate details
• Click <OK> to save SCS 802.1x profile
• You have successfully created an SCS 802.1x profile called ‘EAP-FAST’
• Click Profiles on left-hand navigator
• Select ‘No TLS’ profile and click <Edit…> to edit this profile
• Select Wired 802.1x tab
• Check 802.1x Profile
• Click <…> to select the SCS 802.1x profile
• Select the ‘EAP-FAST’ profile
• Click <OK> to use ‘EAP-FAST’ profile
• Select NAC tab
• Check Enabled NAC
• Click <…> to select the NAC certificate
• Select CA and template used to issue NAC posture signing certificates
• Click <OK> to accept CA Hostname and Certificate Template
• Click <OK> to save the edited SCS ‘No TLS’ profile
• You have successfully edited the SCS ‘No TLS’ profile to add Cisco NAC support
Legal Information
Copyright Notice: Copyright © 2008, Intel Corporation. All rights reserved.
Trademark Information: Centrino, Centrino Inside, Core Inside, Intel, the Intel logo, Intel Core, Intel vPro, and vPro Inside are trademarks of Intel Corporation in the U.S. and other countries.
* Other names and brands may be claimed as the property of others.
Backup
SCS Client Profile
(Screenshot of the SCS client profile Wired 802.1x tab; fields shown: 802.1x supplicant active in client S0 State, Time 802.1x supplicant keeps port open during PXE boot, 802.1x Profile Name, Enable 802.1x authentication)
(Screenshot of the SCS client profile wireless tab; fields shown: Enable Client Access via “in-band” VPN Routing, Allow ME to use “in-band” wireless connection, Active Wireless Profile Names, Inactive Wireless Profile Names, Wireless Profile Connection Priority Order)
Example 802.1x Using EAP-PEAP
(Diagram: the Intel AMT Client holds the Root CA Certificate (trust of RADIUS Server Authentication Certificate); the RADIUS Server holds the RADIUS Server Authentication Certificate (issued by CA Chain) and the CA Chain Certificates (including Root CA), both issued by the CA Chain; the RADIUS Server consults Active Directory; the client connects through an 802.1X compliant switch (Cisco 3560))
Example 802.1x Using EAP-TLS
(Diagram: as for EAP-PEAP, with in addition the Intel AMT Client holding an AMT User Authentication Certificate (issued by CA Chain) and the RADIUS Server holding the CA Chain Certificates (trust of AMT User Authentication Certificate))
ME and 802.1x
(Diagram only)
Cisco NAC Pictorial Example (courtesy Cisco Systems)
(Diagram only)