Running Intel AMT with FW 220.127.116.111 in Enterprise (PKI) mode along with Symantec SNAC on Cisco switches.
We want to utilize the option to wake up powered off machines with AMT, but with our current config the machine is unauthenticated to radius and hence is not assigned a VLAN while powered off. Is there a way to hard-code a username/password in the AMT firmware so the machine is authenticated and assigned a VLAN while powered down?
An option would be to use the IOS port config "authentication event no-response action authorize vlan X" to assign the port to a specific VLAN when the machine is unauthenticated. Then the port would sit in that VLAN (even if it gets powered on) until the port is set to re-authenticate, by default after 60 minutes.
This solution will also invalidate the complete SNAC solution as any unauthorized machine will be assigned VLAN X instead of the remediation VLAN.
Any thoughts on this? What's your experience on running AMT along with NAC?
This is our current port config (IOS 12.2(50)SE3):
switchport access vlan XXX
switchport mode access
switchport voice vlan YY
authentication control-direction in
authentication host-mode multi-domain
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 10
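As an added defender's check, not part of the original post, here is a small Python audit of the fallback described above: it parses interface stanzas from a constructed IOS-style config modelled on the port config shown, flags any port whose no-response action authorizes a VLAN other than the NAC remediation VLAN, and reports the re-authentication interval after which that port would re-evaluate. Interface names, VLAN numbers and the "authentication timer reauthenticate" value are constructed assumptions.

```python
import re

# Constructed sample config modelled on the post's port config; Gi1/0/2 adds the fallback.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 authentication event no-response action authorize vlan 100
 authentication timer reauthenticate 1800
 authentication host-mode multi-domain
 authentication port-control auto
!
"""
NO_RESPONSE = re.compile(r"^authentication event no-response action authorize vlan (\d+)$")
REAUTH = re.compile(r"^authentication timer reauthenticate (\d+)$")
DEFAULT_REAUTH_SECONDS = 3600  # IOS default: the 60 minutes mentioned in the post

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [stripped sub-commands]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_no_response_fallback(config: str, remediation_vlan: int):
    """Return (interface, fallback VLAN, reauth seconds) for each port whose no-response
    fallback parks an unauthenticated host on a VLAN other than the remediation VLAN."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        fallback_vlan, reauth = None, DEFAULT_REAUTH_SECONDS
        for line in lines:
            if m := NO_RESPONSE.match(line):
                fallback_vlan = int(m.group(1))
            elif m := REAUTH.match(line):
                reauth = int(m.group(1))
        if fallback_vlan is not None and fallback_vlan != remediation_vlan:
            findings.append((name, fallback_vlan, reauth))
    return findings
```

Run it against a "show running-config" export with the remediation VLAN id; each finding is a port where a silent or powered-off host lands on a production VLAN until the reauth timer fires.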
A recommendation from our testers:
1. Configure Intel AMT to use a power package that is on in S5. In this way, Intel AMT will be on when the host is off.
2. Configure Intel AMT to work with 802.1x and NAC. Then Intel AMT can maintain a connection and send postures when the host is off.
3. Use a hardcoded username and password.