1 Reply Latest reply on Mar 26, 2012 3:11 PM by jjcopela

    Vpro Authentication



      I am new to Vpro and have quite a few questions. The scenario that I have, is that I need to get Vpro up and running using Active Directory integration. We are also using 8021x network security and this is the part that is causing me some consternation. I am far from being an expert in any of this, so please prepare your selves for some questions that may be fundamentally misguided or downright stupid.


      When creating SCS profiles there are various passwords to consider but I am confused about them. For instance, if we take AD out of our thinking for a moment - am I correct in thinking that the MEBx password is the one that is used when performing a KVM session? So, if using VNC Plus, you have to enter the target AMT device admin id and password values? And this password has nothing to do with AD authentication, right? Or is the built in AMT device Admin account used? Or is this one and the same?


      Now, thinking about AD integration, the AMT device is added into AD when it is provisioned. When a support engineer wants to remote control a computer that has I ssume that:


      1. AD is used to check that the support agent has the rights to access the AMT AD object


      2. If the support engineer does have the rights to the AMT AD object to, say, remote control using KVM, then he must enter the MEBx ID and password into VNC Plus to take control of the AMT device.


      Ideally, we will be able to use authenticate these devices to be able to remote control out of band using 8021x methods - our network guy is working on that. However, just in case our 8021x implementation provide a stumbling block, we need to have another option for authentication. One idea is to have  alist of all AMT devices and passwords held on our Cisco ACS thereby allowing an 8021x exception rule to be put in place. Is this feasible? I also know that you can specify a digest user; could this be used to access all AMT devices? Or is this inherrently insecure and stupid?


      If it is feasible, then the next question is how do we set the passwords for the AMT devices? I thought that maybe we could use a Digest Master Password and somehow use this to authenticate all AMT devices and bypass 8201x. Is this possible? Or is there a better way? How do you guys do this? I'd like to avoid static passwords for all AMT devices if possible.


      Of course, ideally we would like to get 8021X working with our PEAP and MS-Chap implentation. If anyone does have any experience of Vpro and 8021X then I would really be interested to know about your success and the pitfalls that you encountered.




        • 1. Re: Vpro Authentication

          Hi DJN,

          Within the SCS Profile you are using, you can specify a user/password and grant that user access to a number of different realms for that AMT system.

          If you do choose to integrate with the Active Directory, you can specify an AD user or group and associate them to the same realms. So you really have a choice of how you want to authenticate to AMT, either Digest or Kerberos (or both). If your main goal is connecting with KVM, you simply need to create the appropriate user in the Profile and grant that user the appropriate permissions.As soon as you create that new user or add an existing Kerberos user via the Profile, you can use that user/password to access AMT (and KVM).

          As far as 802.1x configuration is concerned, you may want to review this guide here: http://communities.intel.com/docs/DOC-4321 it walks through the basic setup. There are also a number of posts here on the Expert Center that talk about the setup required.

          Hope this helps!