Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC auth and WinPE boot building a computer

  • 1.  MAC auth and WinPE boot building a computer

    Posted Oct 30, 2018 03:49 PM

    Our current setup does not allow us to boot into a USB WinPE environment to build computers on NAC-enabled switchports. Is there a way to add a custom attribute that ClearPass will recognize in a WinPE boot environment and allow the machine to MAC auth so it can temporarily reach an image deployment server? Our workaround is to remove the NAC configuration from switchports.



  • 2.  RE: MAC auth and WinPE boot building a computer

    Posted Oct 31, 2018 03:19 AM

    Do you use network boot, i.e. PXE?
    If so, you can use the category "Network Boot Agent" in your MAC auth policy to handle this.



  • 3.  RE: MAC auth and WinPE boot building a computer

    Posted Oct 31, 2018 12:42 PM

    No, we are using a thumb drive to boot into a WindowsPE OS, which then connects to a network share to pull down the image file.



  • 4.  RE: MAC auth and WinPE boot building a computer

    Posted Oct 31, 2018 01:06 PM

    If you know the MAC address of the computer, you could add it to a static MAC list and create a rule to allow it to authenticate to install the image.

    You can remove the MAC address from the static list afterwards.

    I would use MDT/PXE boot for that and not bother with a USB drive.



  • 5.  RE: MAC auth and WinPE boot building a computer

    Posted Oct 31, 2018 02:44 PM

    You could also redirect the unknown WinPE to a portal for authentication, or just allow the boot file from unknown connections (not the best, but it could work).



  • 6.  RE: MAC auth and WinPE boot building a computer

    Posted Nov 06, 2018 01:42 PM

    Can someone give me guidance on setting up a portal for authentication? Sorry, I have no experience in that area. Can that be done in CPPM? Basically I would need the portal to authenticate a user from a specific AD container and allow network access so the machine can pull down its image. Thanks in advance!!



  • 7.  RE: MAC auth and WinPE boot building a computer

    EMPLOYEE
    Posted Nov 06, 2018 01:44 PM
    Take a look at the ClearPass Solution Guide for Wired Policy Enforcement.


  • 8.  RE: MAC auth and WinPE boot building a computer

    Posted Mar 29, 2019 05:05 PM

    I can't seem to find network boot agent anywhere, would that be in the Role Map of my MAC service?



  • 9.  RE: MAC auth and WinPE boot building a computer

    Posted Apr 01, 2019 10:42 AM

    Network boot agent?

    Booting a computer onto something like Microsoft Deployment Toolkit so you can deploy images to the computer would be separate from ClearPass.

    You would allow the computer onto the network using ClearPass and it would pick up network boot from DHCP in conjunction with something like MDT.