NAC Authentication Problem with Client using INTEL AMT

  • Problem
  • Updated 3 weeks ago
Hi,
We have been running NAC for about a year; now some client machines are being replaced with new ones.
The new clients (HP RP9 G1) have Intel AMT management for when the operating system fails.
We have problems with Intel AMT in combination with NAC:
When the OS fails with a BSOD, the out-of-band management should work, but NAC doesn't recognize the other subsystem?
NetSight is version 8.1.3.
Switch is an A4 running 06.81.10.0001.

Here is an example:

Port is physically up:
H614-A4-5(su)->show port status
          Alias        Oper    Admin   Speed
Port      (truncated)  Status  Status  (bps)     Duplex  Type
--------- ------------ ------- ------- --------- ------- ------------
fe.1.1    UPLINK       Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.35                Up      Up      100.0M    full    BaseT RJ45/PoE
 
No multiauth session:
H614-A4-5(su)->show multiauth session
Multiple authentication session entries
__________________________________________
Port             | fe.1.3            Station address   | 94-C6-91-1A-D8-EC
Auth status      | success           Last attempt      | TUE JUL 17 02:11:01 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 14                Policy name       | Foreign
Session timeout  | 0                 Session duration  | 22,15:23:15
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.4            Station address   | 00-1A-E8-45-D6-92
Auth status      | success           Last attempt      | TUE JUL 17 01:56:16 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 2                 Policy name       | Trusted
Session timeout  | 0                 Session duration  | 22,15:38:00
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.6            Station address   | 94-DE-80-A6-FA-5E
Auth status      | success           Last attempt      | TUE JUL 17 01:55:44 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 1                 Policy name       | Unmanaged
Session timeout  | 0                 Session duration  | 22,15:38:33
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.7            Station address   | 00-20-4A-9D-12-E7
Auth status      | success           Last attempt      | TUE JUL 17 01:58:07 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 14                Policy name       | Foreign
Session timeout  | 0                 Session duration  | 22,15:36:09
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.8            Station address   | 00-50-B6-7A-39-17
Auth status      | success           Last attempt      | SAT SEP 01 18:40:27 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 6                 Policy name       | Managed
Session timeout  | 0                 Session duration  | 25,15:56:37
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.34           Station address   | 00-1B-A9-89-6D-8B
Auth status      | success           Last attempt      | TUE JUL 17 01:55:31 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 7                 Policy name       | Printer
Session timeout  | 0                 Session duration  | 22,15:38:46
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.36           Station address   | 00-C0-EE-29-1D-FE
Auth status      | success           Last attempt      | WED SEP 26 11:17:22 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 7                 Policy name       | Printer
Session timeout  | 0                 Session duration  | 0,23:19:42
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
 
Port             | fe.1.48           Station address   | 60-C7-98-63-BA-7C
Auth status      | success           Last attempt      | TUE AUG 28 14:27:34 2018
Agent type       | mac               Session applied   | true
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 8                 Policy name       | ECTerm-VLAN2
Session timeout  | 0                 Session duration  | 29,20:09:30
Idle timeout     | 0                 Idle time         | 0,00:00:00
Termination time | Not Terminated    Terminate Action  | None
Disabling the port does not help, still no authentication:
 
H614-A4-5(su)->set port disable fe.1.35
H614-A4-5(su)->
H614-A4-5(su)->show port status
          Alias        Oper    Admin   Speed
Port      (truncated)  Status  Status  (bps)     Duplex  Type
--------- ------------ ------- ------- --------- ------- ------------
fe.1.1    UPLINK       Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.35                Down    Down    N/A       N/A     BaseT RJ45/PoE
H614-A4-5(su)->set port enable fe.1.35
H614-A4-5(su)->show port status
          Alias        Oper    Admin   Speed
Port      (truncated)  Status  Status  (bps)     Duplex  Type
--------- ------------ ------- ------- --------- ------- ------------
fe.1.1    UPLINK       Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.35                Up      Up      100.0M    full    BaseT RJ45/PoE
When I put that port MANUALLY in the right VLAN, the connection works:

The device/port are configured this way:

I have not opened a ticket with GTAC so far; does anybody have experience using an out-of-band management tool like Intel AMT with Extreme NAC?

Thanks
Anton Sax
Posted 3 weeks ago
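The check the post above does by eye (a port that is link-up in `show port status` but absent from `show multiauth session`) can be automated. The following is an added example, not code from the original poster or from Extreme: it parses the two CLI outputs in the A-series format shown in the thread and lists the non-uplink ports that are up but have no successful session. The two captures embedded below are constructed sample data that mimic the thread's output; port names and MAC addresses are illustrative.

```python
"""Cross-check `show port status` against `show multiauth session` and list
ports that are link-up but carry no successful authentication session
(the state fe.1.35 is in above).

Added example, not code from the original post or from Extreme. The CLI
captures below are constructed to mimic the A-series output format in the
thread; port names and MAC addresses are sample data.
"""
import re
from dataclasses import dataclass

# `show port status` rows: port, optional alias, oper status, admin status, ...
PORT_RE = re.compile(
    r"^(?P<port>[a-z]+\.\d+\.\d+)\s+"          # e.g. fe.1.35
    r"(?:(?P<alias>\S+)\s+)?"                  # alias column may be blank
    r"(?P<oper>Up|Down)\s+(?P<admin>Up|Down)\b"
)
# `show multiauth session` entries are blocks of "Label | value" pairs.
SESSION_PORT_RE = re.compile(
    r"^Port\s*\|\s*(?P<port>\S+)\s+Station address\s*\|\s*(?P<mac>\S+)")
AUTH_RE = re.compile(r"^Auth status\s*\|\s*(?P<status>\S+)")
POLICY_RE = re.compile(
    r"^Policy index\s*\|\s*\d+\s+Policy name\s*\|\s*(?P<policy>\S+)")

SAMPLE_PORT_STATUS = """\
          Alias        Oper    Admin   Speed
Port      (truncated)  Status  Status  (bps)     Duplex  Type
--------- ------------ ------- ------- --------- ------- ------------
fe.1.1    UPLINK       Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.4                 Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.35                Up      Up      100.0M    full    BaseT RJ45/PoE
fe.1.36                Down    Down    N/A       N/A     BaseT RJ45/PoE
"""

SAMPLE_MULTIAUTH = """\
Multiple authentication session entries
__________________________________________
Port             | fe.1.4            Station address   | 00-1A-E8-45-D6-92
Auth status      | success           Last attempt      | TUE JUL 17 01:56:16 2018
Server type      | radius            VLAN-Tunnel-Attr  | none
Policy index     | 2                 Policy name       | Trusted

Port             | fe.1.7            Station address   | 00-20-4A-9D-12-E7
Auth status      | success           Last attempt      | TUE JUL 17 01:58:07 2018
Policy index     | 14                Policy name       | Foreign
"""


@dataclass
class Session:
    port: str
    mac: str
    status: str = ""
    policy: str = ""


def parse_port_status(text):
    """Return {port: (alias, oper, admin)} from `show port status` output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[m["port"]] = (m["alias"] or "", m["oper"], m["admin"])
    return ports


def parse_multiauth_sessions(text):
    """Return {port: [Session, ...]} from `show multiauth session` output."""
    sessions = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_PORT_RE.match(line)
        if m:                                   # start of a new session block
            current = Session(m["port"], m["mac"])
            sessions.setdefault(current.port, []).append(current)
        elif current is not None and (m := AUTH_RE.match(line)):
            current.status = m["status"]
        elif current is not None and (m := POLICY_RE.match(line)):
            current.policy = m["policy"]
    return sessions


def ports_up_without_session(port_status_text, multiauth_text,
                             uplink_aliases=("UPLINK",)):
    """Link-up, admin-up, non-uplink ports with no successful session."""
    ports = parse_port_status(port_status_text)
    sessions = parse_multiauth_sessions(multiauth_text)
    return sorted(
        port for port, (alias, oper, admin) in ports.items()
        if oper == "Up" and admin == "Up" and alias not in uplink_aliases
        and not any(s.status == "success" for s in sessions.get(port, []))
    )


if __name__ == "__main__":
    for port in ports_up_without_session(SAMPLE_PORT_STATUS, SAMPLE_MULTIAUTH):
        print("link up but no multiauth session:", port)
```

Run against full captures from the switch, the output is the list of ports to look at first; uplinks are excluded by alias so that trunk ports without authentication do not show up as false positives.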
mp2014
Hi,

Are you trying to use the "contain to VLAN" function via policy? In my experience, this won't work for quiet devices (like printers or PCs in standby mode).
We use a hybrid mode with Filter-ID & RFC 3580 VLAN and a different "idle-timeout" for quiet devices, set via RADIUS attributes. It's done via policy mapping in NAC, using a custom field with the idle timeout value (65535 seconds for quiet devices). Default is 300 sec.
Anton Sax
Yes, we use contain to VLAN.
When using Filter-ID + RFC 3580, is it possible to make policies?

Is that functionality usable in the new OneView GUI or only in the old Java GUI?
mp2014
I refer to the Java GUI; will have to check this in OneView.
NAC switch setting is "RFC 3580 - VLAN ID & Policy & IDLE-Timeout".
Maybe just using that idle timeout fits your needs as well. We primarily chose the RFC 3580 / policy mapping combination to have fewer NAC rules (many voice VLANs, same policy).

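To make concrete what the hybrid "RFC 3580 - VLAN ID & Policy & IDLE-Timeout" mode in the two replies above puts on the wire, here is an added example, not code from the thread participants or from Extreme NAC, that builds and decodes the RADIUS Access-Accept attributes involved: the three RFC 2868 tunnel attributes that carry the VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number), Filter-Id for the policy, and Idle-Timeout with the 65535-second value for quiet devices and 300 seconds otherwise. Assumptions: the tag byte is 0x00 (untagged), the 300/65535 values are the ones quoted in the reply rather than a product default, and the `Enterasys:version=1:policy=<name>` Filter-Id syntax is the Enterasys/Extreme policy-string convention, which you should verify against your own NAC policy mapping.

```python
"""Encode and decode the RADIUS attributes behind the hybrid
"RFC 3580 VLAN ID & Policy & Idle-Timeout" NAC switch setting.

Added example, not from the thread or from Extreme NAC.  Attribute numbers:
RFC 2865 (Filter-Id 11, Idle-Timeout 28) and RFC 2868 (Tunnel-Type 64,
Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81).  The tag byte 0x00,
the idle timeouts and the Filter-Id policy string syntax are assumptions.
"""
import struct

FILTER_ID = 11
IDLE_TIMEOUT = 28
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580 section 3.31
QUIET_IDLE_TIMEOUT = 65535       # value quoted in the reply (assumption)
DEFAULT_IDLE_TIMEOUT = 300       # value quoted in the reply (assumption)


def avp(attr_type, value):
    """Type-Length-Value; Length covers the whole AVP (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def policy_filter_id(policy_name):
    """Enterasys/Extreme policy string convention (assumed, verify locally)."""
    return "Enterasys:version=1:policy=%s" % policy_name


def build_accept_attributes(vlan_id, policy_name, quiet_device, tag=0):
    """Attribute list for an Access-Accept: VLAN + policy + idle timeout."""
    idle = QUIET_IDLE_TIMEOUT if quiet_device else DEFAULT_IDLE_TIMEOUT
    return b"".join([
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
        avp(FILTER_ID, policy_filter_id(policy_name).encode()),
        avp(IDLE_TIMEOUT, struct.pack("!I", idle)),
    ])


def decode_attributes(data):
    """Walk a TLV list back into [(type, value_bytes), ...], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


if __name__ == "__main__":
    # Printer in VLAN 10 with the Printer policy, treated as a quiet device.
    blob = build_accept_attributes(10, "Printer", quiet_device=True)
    for attr_type, value in decode_attributes(blob):
        print(attr_type, value.hex())
```

The Idle-Timeout value is what the switch uses to age a silent MAC-authenticated session out, so a quiet device such as a printer, or a PC whose OS is down and is only reachable through AMT, keeps its session for 65535 seconds instead of 300; the VLAN and policy attributes are unchanged between the two cases.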
Anton Sax
Now I know what you mean.

We use "Extreme Policy" here.

When using "RFC 3580 - VLAN ID" I think policies are not possible.
But there is an option "RFC 3580 - VLAN ID & Extreme Policy".