So, if a PC's MAC address is in the group, a dACL allowing PXE access(SCCM.) will be pushed to the switch port that the PC is connected to. I have created an Endpoint Identity group lets say PXE_Devices which is used in the authorization policy. However, my implementation is a bit different. My customer has over 10000 PCs across their network.
You still need to profile your way through the first two phases of a PXE boot reimage process but that is pretty straight forward (DHCP client identifier contains PXEClient for phase 1 and DHCP hostname contains minint for phase 2) If the customer has a large amount of in place reimaging needs they can use a program I wrote in their reimaging process that will automatically take the MAC address of the machine and put it into the temp bypass list via REST API calls.This allows the device onto the network for that day. If the customer has a small amount of in place reimaging needs we have the desktop team use the ISE temp bypass portal we setup to put the MAC address of the device they are reimaging.In this case we will only deploy ISE in monitor mode on those switches. Most of the reimaging should be happening in build rooms that have secure access controls and dedicated switches.Here is how I usually handle this with most of my customers: You can try to profile your way through the PXE boot/image process but that can be a challenge as there are multiple phases and each have their unique challenges. Sample config to start here:ĭescription ACCESS (Multi-Domain w/ Closed Mode)Īuthentication event fail action next-methodĪuthentication event server dead action authorizeĪuthentication event server dead action authorize voiceĪuthentication event server alive action reinitializeĪuthentication timer reauthenticate serverĪuthentication timer inactivity server dynamic As you test this I suggest gradually increasing the tx-period value while testing that the PXE booting still works. Currently we recommend 10 seconds for tx-period and leave everything to default for general operations, but you can start out by setting tx-period to 2 seconds, and max-reauth-req value to 1. If using closed mode, the EAP timeout and retries should be trimmed down to very low value to accommodate PXE boot.
0 kommentar(er)
