1 Reply Latest reply on Jan 24, 2011 10:40 AM by

    AMT on SNAC/NAC

    morbo80

      Running Intel AMT with FW 5.0.2.1121 in Enterprise (PKI) mode along with Symantec SNAC on Cisco switches.
      We want to utilize the option to wake up powered off machines with AMT, but with our current config the machine is unauthenticated to RADIUS and hence is not assigned a VLAN while powered off. Is there a way to hard-code a username/password in the AMT firmware so the machine is authenticated and assigned a VLAN while powered down?

       

      An option would be to use the IOS port config "authentication event no-response action authorize vlan X" to assign the port to a specific VLAN when the machine is unauthenticated. Then the port would sit in that VLAN (even if it gets powered on) until the port is set to re-authenticate, by default after 60 minutes.

      This solution will also invalidate the complete SNAC solution as any unauthorized machine will be assigned VLAN X instead of the remediation VLAN.

       

      Any thoughts on this? What's your experience on running AMT along with NAC?

       

      Cheers

      Rolf

       

      This is our current port config (IOS 12.2(50)SE3)

      interface FastEthernet0/1
       switchport access vlan XXX
       switchport mode access
       switchport voice vlan YY
       authentication control-direction in
       authentication host-mode multi-domain
       authentication port-control auto
       mab
       dot1x pae authenticator
       dot1x timeout tx-period 10
       spanning-tree portfast
      !

        • 1. Re: AMT on SNAC/NAC

          A recommendation from our testers:

          1. Configure Intel AMT to use a power package that is on in S5. In this way, Intel AMT will be on when the host is off.
          2. Configure Intel AMT to work with 802.1x and NAC. Then Intel AMT can maintain a connection and send postures when the host is off.
          3. Use a hardcoded username and password.
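
The trade-off raised in the question (a no-response VLAN that is not the remediation VLAN admits any unauthenticated machine) can be audited across a switch configuration. The script below is an added example, not part of the original thread; the sample configuration, its VLAN numbers, and the `remediation_vlan` parameter are constructed assumptions.

```python
import re

# Constructed sample config; VLAN numbers are made up for illustration.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 authentication event no-response action authorize vlan 30
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport access vlan 10
 authentication port-control auto
!
interface FastEthernet0/3
 authentication event no-response action authorize vlan 99
 authentication port-control auto
!
"""

FALLBACK = re.compile(r"authentication event no-response action authorize vlan (\d+)")

def parse_interfaces(config):
    """Return {interface name: [sub-command, ...]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or not line:
            current = None  # end of the interface stanza
        elif current is not None:
            current.append(line)
    return interfaces

def audit_fallback(config, remediation_vlan):
    """Flag 802.1X ports whose no-response VLAN is not the remediation VLAN."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port is not under 802.1X control
        vlans = [int(m.group(1)) for c in cmds if (m := FALLBACK.fullmatch(c))]
        if vlans and vlans[-1] != remediation_vlan:
            findings[name] = vlans[-1]
    return findings

if __name__ == "__main__":
    for port, vlan in audit_fallback(SAMPLE_CONFIG, remediation_vlan=99).items():
        print(f"{port}: unauthenticated hosts land in VLAN {vlan}")
```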