802.1x Configuration
Wired 802.1x Configuration is a Preview Feature
The Wired 802.1x Configuration feature is a Preview Feature. This means it has not been fully validated and cannot be guaranteed to work. Bugs may remain, and tweaks are still needed before it meets a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub.
IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
It typically consists of three parts:
- Supplicant (Client-end User, AMT Device)
- Authenticator (Access Point or Switch)
- Authentication Server (RADIUS Server)
Prerequisites
The following are requirements to configure and connect an AMT device within an 802.1x environment. However, these are not required for the RPS profile creation steps below.
- Enterprise Assistant configured, running, and connected to an RPS server.
- Updated to latest AMT Firmware version
Note - System Name Length
The System Names of the AMT devices must be 15 characters or fewer. If a name is longer than 15 characters, it exceeds the system name length allowed by Active Directory and Enterprise Assistant will fail to add the device.
Wired 802.1x Configuration
Only one wired IEEE8021x Config can be created (per tenant). The following steps walk through how to create the required configs and profiles.
To create a Wired IEEE802.1x Config:
- Select the IEEE 802.1x tab from the left-hand menu.
- In the top-right corner, click Add New.
- Select the Wired option.
- Specify a Profile Name of your choice.
- Select an Authentication Protocol.
  Four authentication protocols are supported for wired.

  | Auth Protocol | API Value | Description |
  |---|---|---|
  | EAP-TLS | 0 | Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716. |
  | PEAPv1/EAP-GTC | 3 | Indicates that the desired EAP type is the Protected Extensible Authentication Protocol (PEAP) Version 1 EAP type specified in draft-josefsson-pppext-eap-tls-eap, with Generic Token Card (GTC) as the inner authentication method. |
  | EAP-FAST/GTC | 5 | Indicates that the desired EAP type is the Flexible Authentication Extensible Authentication Protocol EAP type specified in IETF RFC 4851, with Generic Token Card (GTC) as the inner authentication method. |
  | EAP-FAST/TLS | 10 | Indicates that the desired EAP type is the Flexible Authentication EAP type specified in IETF RFC 4851, with TLS as the inner authentication method. |

- Optionally, change the PXE Timeout.
  PXE Timeout is the number of seconds in which the Intel(R) AMT will hold an authenticated 802.1X session. During the defined period, Intel(R) AMT manages the 802.1X negotiation while a PXE boot takes place. After the timeout, control of the negotiation passes to the host.
- Click Save.
Example Wired IEEE802.1x Config
To link to an AMT Profile:
- Select the Profiles tab from the left-hand menu.
- Choose an existing profile or create a new one.
- Under Network Configuration, select the Enable Wired 802.1x Profile checkbox.
- Click Save.
Once the profile and configs have been created, AMT can be configured for wired 802.1x.
Example ACM Profile with IEEE802.1x
Wireless 802.1x Configuration
A maximum of 8 wireless IEEE8021x Configs can be created (per tenant), because 8 profiles is the maximum AMT can accept. The following steps walk through how to create the required configs and profiles.
- Select the IEEE 802.1x tab from the left-hand menu.
- In the top-right corner, click Add New.
- Select the Wireless option.
- Specify a Profile Name of your choice.
- Select an Authentication Protocol.
  One authentication protocol is currently supported for wireless.

  | Auth Protocol | API Value | Description |
  |---|---|---|
  | EAP-TLS | 0 | Indicates that the desired EAP type is the Transport Layer Security EAP type specified in RFC 2716. |

- Click Save.
Example Wireless IEEE802.1x Config
To link to a Wireless Config:
- Select the Wireless tab from the left-hand menu.
- Choose an existing profile or create a new one.
- Under Authentication Method, there should now be two new options. Select either WPA IEEE 802.1x or WPA2 IEEE 802.1x.
- Click Save. The new wireless config can now be included in an AMT profile.
Once the profile and configs have been created, AMT can be configured for wireless 802.1x.
Example Wireless Config with IEEE802.1x
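
A pre-flight check for anyone scripting these steps rather than clicking through the UI, added here as an example and not part of the toolkit: it validates a planned set of configs against the limits stated on this page (supported API values per interface type, one wired and eight wireless configs per tenant, 15-character system names). The dictionary keys (`tenant`, `name`, `wired`, `auth_protocol`) and the sample data are constructed for illustration and are not the RPS API schema.

```python
# Added example: checks planned 802.1x configs against the limits on this page.
# Dictionary keys are hypothetical and do not mirror the RPS API schema.

# API Value -> Auth Protocol, taken from the tables above.
WIRED_PROTOCOLS = {0: "EAP-TLS", 3: "PEAPv1/EAP-GTC", 5: "EAP-FAST/GTC", 10: "EAP-FAST/TLS"}
WIRELESS_PROTOCOLS = {0: "EAP-TLS"}
MAX_WIRED_PER_TENANT = 1       # "Only one wired IEEE8021x Config ... (per tenant)"
MAX_WIRELESS_PER_TENANT = 8    # "8 profiles is the maximum AMT can accept"
MAX_SYSTEM_NAME_LEN = 15       # Active Directory limit noted in the prerequisites


def check_plan(configs, system_names):
    """Return a list of problems; an empty list means the plan fits the limits."""
    problems = []
    counts = {}  # (tenant, is_wired) -> number of configs planned
    for cfg in configs:
        kind = "wired" if cfg["wired"] else "wireless"
        allowed = WIRED_PROTOCOLS if cfg["wired"] else WIRELESS_PROTOCOLS
        if cfg["auth_protocol"] not in allowed:
            problems.append(
                f"{cfg['name']}: API value {cfg['auth_protocol']} is not supported for {kind}")
        key = (cfg["tenant"], cfg["wired"])
        counts[key] = counts.get(key, 0) + 1
    for (tenant, wired), n in sorted(counts.items()):
        limit = MAX_WIRED_PER_TENANT if wired else MAX_WIRELESS_PER_TENANT
        if n > limit:
            kind = "wired" if wired else "wireless"
            problems.append(f"tenant {tenant}: {n} {kind} configs planned, limit is {limit}")
    for name in system_names:
        if len(name) > MAX_SYSTEM_NAME_LEN:
            problems.append(f"{name}: system name is {len(name)} characters, limit is 15")
    return problems


# Constructed sample plan: a second wired config, a wireless config using a
# wired-only protocol, and one over-long system name.
SAMPLE_CONFIGS = [
    {"tenant": "t1", "name": "wired-tls", "wired": True, "auth_protocol": 0},
    {"tenant": "t1", "name": "wired-fast", "wired": True, "auth_protocol": 10},
    {"tenant": "t1", "name": "wifi-peap", "wired": False, "auth_protocol": 3},
    {"tenant": "t2", "name": "wifi-tls", "wired": False, "auth_protocol": 0},
]
SAMPLE_NAMES = ["LAB-AMT-01", "ENGINEERING-AMT-DESKTOP-7"]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_CONFIGS, SAMPLE_NAMES):
        print(line)
```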