Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

PXE boot and hardwired access

I'm trying to find a way to get PXE boot clients access to the hardwired network using CPPM. I want our desktop support people to be able to PXE boot and re-image a device using any port in our buildings. I know what PXE boot traffic looks like and where it is headed, but I can't get past DHCP. The device has to be ID'd by CPPM to allow access, but the device can't get an IP address until it gets access on the network. If I write a rule to classify DHCP traffic to allow access, then every DHCP client will get access.


Any ideas?  How do you guys get your desktop support people to their PXE image servers?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PXE boot and hardwired access

What are you identifying it as? Just Computer?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: PXE boot and hardwired access

I'm identifying it as a PXE client (TIP Role).


Since we're not applying ACLs to the switch, we have an allow or deny as the enforcement.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PXE boot and hardwired access

So are you manually adding them to the endpoint database? How are you mapping them to the PXE client TIPS role?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: PXE boot and hardwired access

We are trying to map them to a role based on traffic pattern.


We're a very large entity and importing MACs is not something we want to do if at all possible.  We also hope to avoid guest licensing (again, we're very large) for financial reasons.

Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: PXE boot and hardwired access


Using the Brandeis/Tim C MSSQL tip I found, could we create a query in CPPM to search our SCCM 2012 system for the MAC address to ID it as one of ours? Brandeis searched their legacy database for the MAC, which has an associated UID (from their database, I believe). Could we just search the SCCM MSSQL for the MAC and assign it as 'username', then check 'Exists' to make policy decisions?


This doesn't solve all of our problems but it would solve the normal/95% of the time issues.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PXE boot and hardwired access

Yes, you could do that. You would create a MAC Authentication policy that Allows Unknown MACs, and use MSSQL as an authorization source to drop them into the PXE role. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
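The lookup the question above describes and the policy Tim outlines (MAC auth that allows unknown MACs, an SQL authorization source, "Exists" mapped to the PXE role) can be sketched end to end; this is an added example, not code from the thread or from ClearPass, and it assumes an in-memory sqlite3 table with invented column names in place of the SCCM MSSQL database. The part worth seeing is the MAC normalization, because the RADIUS Calling-Station-Id and the inventory record rarely use the same notation, and a silent mismatch turns every legitimate reimage into a deny.

```python
import re
import sqlite3

# Constructed stand-in for the SCCM inventory (MSSQL in the thread).
# Table and column names are assumptions, not SCCM's real schema.
INVENTORY_ROWS = [
    ("WS-0042", "00:1A:2B:3C:4D:5E"),   # colon notation
    ("WS-0043", "00-1A-2B-3C-4D-5F"),   # dash notation
]

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits; None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None

def build_inventory():
    """Create the constructed inventory table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (hostname TEXT, mac TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?)", INVENTORY_ROWS)
    return conn

def lookup_owner(conn, mac):
    """Authorization-source query: hostname bound to the MAC, or None."""
    norm = normalize_mac(mac)
    if norm is None:
        return None
    # Normalize the stored value the same way so ':' / '-' / bare forms all match.
    row = conn.execute(
        "SELECT hostname FROM assets "
        "WHERE lower(replace(replace(mac, ':', ''), '-', '')) = ?",
        (norm,),
    ).fetchone()
    return row[0] if row else None

def enforce(conn, mac):
    """Policy from the thread: the unknown MAC passes MAC auth, then the
    inventory lookup decides. Exists -> allow with PXE role; otherwise deny,
    since the switch enforcement here is only allow or deny."""
    owner = lookup_owner(conn, mac)
    if owner is None:
        return ("deny", None)
    return ("allow", {"role": "PXE Client", "username": owner})
```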
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: PXE boot and hardwired access

Are you worried more about the PXE boot when the computer is taken out of the box for the first time, or when the computer is PXE booted after being on the network?


Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: PXE boot and hardwired access

@sdr53, both actually, but the everyday "we need to reimage this computer" situation is the biggest issue. Mobile devices are normally done for the first time at 2 locations, while desktops are normally done for the first time at the installation site. I think the MSSQL into our SCCM may solve the daily issue. Now I need to find a solution for new installations of desktops (I might have a somewhat non-technical solution for this).


Thanks to all who posted!!

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: PXE boot and hardwired access

Daily issue: you can just use ClearPass; you don't officially have to hook into SCCM. You should be able to use the endpoint database and/or Insight to determine if it's a legit computer. If you have a designated switch at these locations, you can easily set up a very loose restriction on some ports to allow for first-time imaging. If you unbox computers all over your network and want the most secure environment, then you need to hook into your inventory with MAC address.