Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PXE boot and hardwired access

  • 1.  PXE boot and hardwired access

    Posted May 20, 2014 10:44 AM

    I'm trying to find a way to get PXE boot clients access to the hardwired network using CPPM.  I want our desktop support people to be able to PXE boot and re-image a device using any port in our buildings.  I know what PXE boot traffic looks like and where it is headed, but I can't get past DHCP.  The device has to be ID'd by CPPM to allow access, but the device can't get an IP address until it gets access on the network.  If I write a rule to classify DHCP traffic to allow access, then every DHCP client will get access.

    Any ideas?  How do you guys get your desktop support people to their PXE image servers?



  • 2.  RE: PXE boot and hardwired access

    EMPLOYEE
    Posted May 20, 2014 10:47 AM
    What are you identifying it as? Just Computer?


  • 3.  RE: PXE boot and hardwired access

    Posted May 20, 2014 11:07 AM

    I'm identifying it as a PXE client (TIP Role).

    Since we're not applying ACLs to the switch, we have an allow or deny as the enforcement.



  • 4.  RE: PXE boot and hardwired access

    EMPLOYEE
    Posted May 20, 2014 11:08 AM

    So are you manually adding them to the endpoint database? How are you mapping them to the PXE client TIPS role?



  • 5.  RE: PXE boot and hardwired access

    Posted May 20, 2014 11:24 AM

    We are trying to map them to a role based on traffic pattern.

    We're a very large entity and importing MACs is not something we want to do if at all possible.  We also hope to avoid guest licensing (again, we're very large) for financial reasons.



  • 6.  RE: PXE boot and hardwired access

    Posted May 20, 2014 03:55 PM

    Using the Brandeis/Tim C MSSQL tip I found, could we create a query in CPPM to search our SCCM 2012 system for the MAC address to ID it as one of ours? Brandeis searched their legacy database for the MAC, which has an associated UID (from their database, I believe).  Could we just search the SCCM MSSQL for the MAC and assign it as 'username', then check 'Exists' to make policy decisions?

    This doesn't solve all of our problems but it would solve the normal/95% of the time issues.



  • 7.  RE: PXE boot and hardwired access

    EMPLOYEE
    Posted May 20, 2014 05:57 PM

    Yes, you could do that. You would create a MAC Authentication policy that Allows Unknown MACs, and use MSSQL as an authorization source to drop them into the PXE role. 



  • 8.  RE: PXE boot and hardwired access

    Posted May 20, 2014 11:01 PM

    Are you worried more about the PXE boot when the computer is taken out of the box for the first time, or when the computer is PXE booted after being on the network?



  • 9.  RE: PXE boot and hardwired access

    Posted May 21, 2014 07:47 AM

    @sdr53, both actually, but the everyday "we need to reimage this computer" situation is the biggest issue.  Mobile devices are normally done for the first time at 2 locations, while desktops are normally done for the first time at the installation site.  I think the MSSQL into our SCCM may solve the daily issue. Now I need to find a solution for new installations of desktops (I might have a somewhat non-technical solution for this).

    Thanks to all who posted!!



  • 10.  RE: PXE boot and hardwired access

    Posted May 21, 2014 05:49 PM
    For the daily issue you can just use ClearPass; you don't officially have to hook into SCCM. You should be able to use the endpoint database and/or Insight to determine if it's a legit computer. If you have a designated switch at these locations, you can easily set up a very loose restriction on some ports to allow for first-time imaging. If you unbox computers all over your network and want the most secure environment, then you need to hook into your inventory with MAC address.


  • 11.  RE: PXE boot and hardwired access

    Posted May 22, 2014 12:06 PM

    How would I know if something in the endpoint database belongs to the company or not?  It has to be by MAC address in some manner.  Would I have to do a manual dump of devices into CPPM?  Currently I'm not seeing devices being dumped into the endpoint repository.  We currently use AD to ID devices, or our MDM, for policy decisions.  The issue is we cannot use AD through 'normal' channels because a PXE boot computer won't have access to AD yet.  I know you can add attributes to endpoints, but that brings up several new issues: how do I get all of our AD devices into the endpoint DB, how does it stay up to date, how do I get the attribute into the endpoints which need it, etc.?

    At this point, I'm trying to find someone who knows MSSQL and CPPM.  Running into issues with queries which should work but keep getting errors.



  • 12.  RE: PXE boot and hardwired access

    Posted May 22, 2014 04:49 PM
    Machine Authenticated should show up in your roles if you have "use cached roles" enabled. In your dot1x service, place a rule near the top of the enforcement that says: if Endpoint = Unknown and TIPS Role equals Machine Authenticated, then mark the endpoint as Known and send a CoA to terminate the session. You can update other attributes here also. You can use Insight to allow only computers on for just a few days after they have machine authenticated.


  • 13.  RE: PXE boot and hardwired access
    Best Answer

    Posted May 23, 2014 10:17 AM

    First: thanks to all who have replied.  It is really helping me get this figured out.

    Second: what about this logic -

    When a device is seen on CPPM and it is [Machine Authenticated] by AD as a machine, I am doing a post-auth enforcement where I update the endpoint as Known (just to be sure) and I put an attribute where Owner = MYCOMPANY.

    In my Role evaluation, I have a rule: Endpoint: Owner EQUALS MYCOMPANY  -->  Role = PXE boot

    THEN

    In enforcement, I have a rule: Tips: Role EQUALS PXE boot  -->  allow access

    This allows it on the network so it can be re-imaged!!

    Seems to be working thus far.  Not sure about the efficiency of my configuration though.  Thoughts or suggestions?
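The two-stage logic in this reply, written out as an added Python model to make the decision flow explicit (this is not ClearPass configuration and not code from the thread). The Endpoint class and the ENDPOINTS dictionary are assumptions standing in for the CPPM endpoint repository; the role and attribute names are the ones used in the reply.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    """One row of the CPPM endpoint repository (modelled, not the real schema)."""
    mac: str
    status: str = "Unknown"                       # becomes "Known" after post-auth update
    attributes: dict = field(default_factory=dict)

ENDPOINTS = {}  # stands in for the CPPM endpoint repository, keyed by MAC

def post_auth_enforcement(mac, tips_roles):
    """Stage 1 (dot1x service): if AD machine-authenticated the device,
    mark the endpoint Known and tag Owner = MYCOMPANY."""
    ep = ENDPOINTS.setdefault(mac, Endpoint(mac))
    if "[Machine Authenticated]" in tips_roles:
        ep.status = "Known"
        ep.attributes["Owner"] = "MYCOMPANY"
    return ep

def role_mapping(mac):
    """Role evaluation: Endpoint:Owner EQUALS MYCOMPANY --> Role = PXE boot."""
    ep = ENDPOINTS.get(mac)
    roles = set()
    if ep is not None and ep.attributes.get("Owner") == "MYCOMPANY":
        roles.add("PXE boot")
    return roles

def enforcement(roles):
    """Enforcement: Tips:Role EQUALS PXE boot --> allow access; anything else denied."""
    return "allow" if "PXE boot" in roles else "deny"

def mac_auth_request(mac):
    """Stage 2 (MAC auth): a PXE client has no supplicant and no AD access yet,
    so the only thing CPPM can key on is the MAC and what it stored earlier."""
    return enforcement(role_mapping(mac))

def clear_owner(mac):
    """The tag outlives the AD account: a machine deleted from the domain keeps
    PXE access until Owner is cleared (the point raised in reply 14)."""
    ep = ENDPOINTS.get(mac)
    if ep is not None:
        ep.attributes.pop("Owner", None)

if __name__ == "__main__":
    laptop = "00:11:22:33:44:55"   # constructed MAC of a domain-joined laptop
    post_auth_enforcement(laptop, {"[Machine Authenticated]", "[User Authenticated]"})
    print(laptop, mac_auth_request(laptop))                             # allow
    print("66:77:88:99:aa:bb", mac_auth_request("66:77:88:99:aa:bb"))  # deny
```

The model makes the dependency visible: PXE access on an arbitrary port is only as good as the earlier 802.1X session that tagged the endpoint, and the tag has to be cleaned up separately when a machine leaves the domain.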



  • 14.  RE: PXE boot and hardwired access

    Posted May 23, 2014 12:51 PM
    Yup; that sequence works. It really all depends on what information you want to see in ClearPass. You just have to figure out what you want to get done. Let me know how you handle the computers when they first arrive on your network. I'm looking for solutions.

    Marking these computers as Known will help you when you run into computers that have been removed from the domain. If you want to immediately block computers that have been deleted from the domain, then consider using the Machine Authenticated role.


  • 15.  RE: PXE boot and hardwired access

    EMPLOYEE
    Posted May 30, 2014 09:46 AM
    Many manufacturers can now provide a CSV of the MAC addresses of the machines. You could build an Excel sheet with CONCAT functions to build the import file.