NOTE: This resource is a re-post of information provided at http://juice.altiris.com/node/4730. Although the title and material make reference to Altiris, the core concepts apply to any Intel SCS based solution
This article assumes the reader has a core understanding of provisioning the Intel® vProtechnology within an Altiris environment. Other articles and materials on Altiris Juice and so forth provide the fundamentals. In exploring endpoint access control (EAC) and 802.1x configuration options, the guidelines provided with http://juice.altiris.com/node/4480 should be referenced. Environments deploying Intel® vPro may benefit by first using a "Standard" provisioning approach, followed by extending the provision profile to pursue "Advanced" provisioning approaches.
How does Intel® vPro negotiate network access security situations?
If you have or are planning to implement various network or endpoint access control solutions, this article provides an overview of considerations and insights to assist in getting Intel® vPro systems to negotiate when the operating system is unavailable. The article is written for an Altiris environment with some inclusion of Intel® SCS console. The concepts within this article provide a foundation for mixed or hybrid environments where Intel® vPro is used.
The core issue at hand is that an increasing number of situations and deployments require enhanced network or endpoint access control solutions. Without going into great detail on each, the items targeted are 802.1x Extensible Authentication Protocol (EAP) with an associated RADIUS server or Endpoint Access Control (EAC) based protocols and solutions. Two key EAC solutions mentioned herein are Cisco NAC (Network Access Control) and the upcoming Microsoft NAP (Network Access Protection - part of Windows Server 2008)
From an operating system standpoint, agents or configurations are added or installed on the operating system to gain access to the network EAC or EAP security methods are used. However, if an operating system is not running yet the underlying Intel® vPro management engine is configured - How does the system gain access for out-of-band management?
If the Intel® vPro management engine does not have an awareness of the EAC or EAP based solution configuration, then the following scenario will likely happen:
While the operating system is on and the network security protocols are in place, Intel® vPro functionality works as expected. When the operating system is off or unable to negotiate the network security protocols, than communications to the Intel® vPro engine are not possible. Thus the idea of true out-of-band management is broken due to network security environment restrictions.
The good news is that configuration options exist to configure or enable the Intel® vPro management engine to handle EAC and EAP situations. Getting the right configuration settings for your environment will require collaboration with network security or infrastructure teams which manage the RADIUS server, Cisco NAC, or related environments.
One key resource in putting together this article is the Intel® AMT SCS Installation and User Manual available at http://softwarecommunity.intel.com/UserFiles/en-us/Intel_AMT_SCS_Installation_and_User_Manual.pdf
What versions of RADIUS servers, Intel® AMT and Intel® SCS are needed to support?
For 802.1x environments, a RADIUS server is required to handle the authentication, authorization, and access of system requests onto the network. Intel® AMT has been tested with the following RADIUS servers
Cisco ACS with 802.1x protocols EAP-TLS, EAP-PEAP, EAP-FAST/GTC and EAP-FAST/MS-CHAPv2
Funk Odyssey with 802.1x protocols EAP-TLS, EAP-PEAP and EAP-TTLS
Meetinghouse Aegis with 802.1x protocols EAP-GTC and EAP-TLS
Microsoft IAS with 802.1x EAP-TLS
Per Intel® SCS release notes available at http://softwarecommunity.intel.com/articles/eng/1025.htm, Intel® SCS version 3.2 or higher provides latest support in configuration Intel® AMT systems. In an Altiris environment, the validated Intel® SCS release is version 3.2.1 available via Altiris Knowledge base article KB40076 (http://kb.altiris.com/). It is recommended that KB40117 also be installed. The SCS 3.2.1 update to the Altiris environment will likely change the AMTSCS virtual web-directory to SSL enabled. See article http://juice.altiris.com/node/3690.
For environments supporting Cisco NAC, the option will not appear in the Altiris Out-of-Band Management interface. However, the option is supported by the underlying Intel® SCS and will be referenced later in this article.
With Microsoft NAP just starting to appear, public materials are fairly light on Intel® AMT support. The table below shows plans in place to support, with the expectation that more data and clarification will be provided in the future.
Regarding the Intel® AMT firmware versions supporting these configuration options, the following table may be of interest. Future release versions are stated targets, applying to versions 3.2 and above.
Intel® AMT version
Cisco NAC support
Microsoft NAP support
Configuring 802.1x in the Provision Profile
Definition and usage of 802.1x in the provision profile requires Integration with Microsoft Active Directory to be enabled (see http://juice.altiris.com/node/4492). Defining and applying the 802.1x profile is performed in two steps. First the 802.1x profile is created and then it is added to the provision profile.
Creating the 802.1x Profile
The full details and options available for this profile will not be documented in this article. Those familiar with their 802.1x environment including RADIUS server configuration, certificates and protocols used, and so forth will have sufficient environmental understanding to provide the needed details. My recommendation is to ensure the client management and infrastructure security teams collaborate to define the custom settings needed for a specific environment. Additional details on the Intel® SCS options for 802.1x can be found in the manual previously referenced and linked in this article.
Access the Altiris Provisioning console by selecting Configure > Solutions > Out of Band Management (Note: This is another method of accessing the provisioning options)
802.1x profiles can be viewed, created, and modified via Out of Band Management Configuration > Provisioning > Configuration Service Settings > Auxiliary Profiles > 802.1x Profiles
Click on to add a new profile. The image below provides an example how the profile would be configured. Once the 802.1x profile is created, the Provision Profiles or Wireless Profiles can be updated with an existing 802.1x profile.
Once the 802.1x properties have been set, click ok
Adding the 802.1x profile to the Provision or Wireless Profiles
Once the 802.1x profile has been created, it must be associated to Provision Profile. To update the Provision Profile, select or create the desired profile. Once opened, select the Network tab. Under the Wired Security section is an option to select an 802.1x profile. The image below shows an example. Once the provision profile has been changed and updated, the settings are pushed out to the clients via a reprovision process. A reprovision process can either be scheduled via the Maintenance options or executed directly within the Intel® AMT systems shown in the Altiris Out-of-Band provisioning interface.
Similar to adding the wired security 802.1x option, if Intel® AMT over wireless profiles have been configured, an option exists to add in an 802.1x profile. This is accomplished by creating or modifying a Wireless Profile found under Auxiliary Profiles. Under the Authentication section of the wireless profile, an option is provided to add in an 802.1x profile. The image below provides an example.
Configuring Cisco NAC in the Provision Profile
The present Altiris Out-of-Band Management provision profile does not include an option for configuring Cisco NAC. However, since the underlying Intel® SCS provisioning service does support this option as noted previously, the work around is to install the SCS console to gain access to the option. The SCS console is included in the full Intel® SCS download available at http://softwarecommunity.intel.com/articles/eng/1025.htm.
Once the ZIP file is downloaded, extract out AMTConsole.exe which is approximately 2.65MB in size. Run the executable to install the console. Once installed, start the Intel® SCS console and a window similar to the one below will be shown:
The Service Name desired is the same as the Service Location shown in the Altiris provisioning console (e.g. Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Service Location). Once entered, the console will appear.
Upon accessing the console, navigate to Intel® AMT Setup Console > Configuration Service Settings > Profiles. Select and edit the desired profile. An option for NAC will appear that is not shown in the Altiris provisioning console.
The example above shows the Configure NAC Properties disabled. In preparing this article, the lab environment used did not have Cisco NAC, the Posture Validation Server, and related certificates used in such an environment. Within the Intel® AMT SCS Installation and User Manual available at http://softwarecommunity.intel.com/UserFiles/en-us/Intel_AMT_SCS_Installation_and_User_Manual.pdf - there is a brief section in the latter pages which has been reproduced below for convenience to describe what is needed.
Retrieving a Certificate for Use by a Posture Validation Server
The Cisco NAC scheme uses a Posture Validation Server (PVS) to check each posture type for validity. A PVS can check the fields in the posture and the signature in the posture. The signature is a hash of fields in the posture encrypted using the private key of a PKI public-private key pair. The PVS validates the signature by calculating a hash over the same fields, decrypting the signature using the public key, and comparing the results.
The key pair used by Intel AMT is in the certificate specified on the NAC tab of the profile used to set up the Intel AMT device. The PVS needs this certificate to perform signature validation. The SCS API includes a function to recover the certificate for a selected Intel AMT device.
The Intel AMT SDK includes a sample PVS that expects the certificates to be in DER format, with a name set to the serial number of the certificate. The following procedure retrieves a certificate from the SCS database, converts the certificate to DER format, and renames it with the certificate serial number. This is a manual procedure. IT organizations or ISVs supporting this functionality should provide scripts to accomplish the same thing on an enterprise scale.
Extract the certificate by executing the SCS API SOAP function GetAMTCertificate. The function accepts either the FQDN or the UUID to identify a unique Intel AMT device. See the SCS API document for details of the function.
Save the returned certificate as a .cer file. This file is in Base-64 format.
Double-click on the certificate file. Select the Details tab and Copy to File...
In the Certificate Export Wizard, Select DER encoded binary as the file format. \
Name the file temporarily and complete the wizard. The resulting file is still a .cer file, but its contents will be in the DER format.
Double-click again on the certificate, select the Details tab, select the serial number and copy it.
Rename the newly exported certificate by pasting the serial number over the temporary name.
Remove the blanks in the name so that it is a continuous hexadecimal number.
Move the renamed certificate to the CERT folder in the directory containing the PVS sample executable
Endpoint access control and RADIUS\802.1x deployments within an environment require validation and authentication from systems requesting access to the network. Within an operating system, the necessary agents and configuration are in place to allow access. Similar settings are required within the Intel® vPro firmware to ensure out-of-band access if the operating system or in-band agent configurations are not in place. This settings are defined within the provision profile based on the environmental specific network settings used.