Header Only - DO NOT REMOVE - Extreme Networks
Question

How can NAC accept PC that send a PXE request?

  • 3 September 2019
  • 6 replies
  • 284 views

Userlevel 4
I have a challenge. Our pc's authenticate with 802.1x to a vlan. This works fine. However when I have to reinstall a pc, the pc must connect to the PXE server after the boot.


How can I let the pc authenticate to NAC and solve this issue ?

6 replies

Userlevel 2
if you get a good capture of the PXE boot sequence, you might be able to write your own DHCP/bootp signature to distinguish your PXE boot process (not sure until I look at a capture of the process itself). This might not be the same for all vendor's machines (e.g. intel boards/chips may pxe differently than non-intel like MSI).

So without that you can use your unauthenticated VLAN for PXE booting, or create overrides for a MAC (this can be scripted and automated) to be put on a different PXE vlan.
or examine your process of reimaging machines.
Userlevel 4
Unfortunately, this does not work. During the boot, this information isn't available for EAC.
Userlevel 3
You will probably have to configure an "unauthenticated" VLAN and put the DHCP/TFTP server and all other required hosts in it.

See for example: https://www.extremenetworks.guru/exos-802-1x/
Userlevel 2
If you have coordinated work, you can put in a MAC override for the PC you are working on to put it into a separate VLAN (like a PXE VLAN and not a normal user VLAN) while you reimage it. Just remember to remove the MAC override when you have completed.
Userlevel 4
I noticed when I was testing that the Device family is Network Booloader and the device typ is PXE Client (ZEN).
Can we use those enty's?
Userlevel 2
Yes. you can create a new end system group based on device type and then create a new rule to allow it access to the network or whichever VLAN you like.

Reply