#1 2013-06-11 14:16:34

nick.lowe
Member
Registered: 2013-06-11

Perform 802.1X Authentication Before Imaging Starts

Is it possible to request a feature enhancement to allow clients to perform 802.1X authentication before imaging via a pre-supplied Configuration Profile before imaging starts? :)

A bit of background first:

We have a secured network edge and stipulate that devices must be authenticated via 802.1X before access to network resources, such as our servers, becomes available.

When a device connects to our network, if it fails to respond to EAPOL authentication requests that our switches send, it is placed in a quarantine subnet, via a dedicated VLAN via fallback MAC address authentication.

In this quarantined subnet, a device only has the ability to internally perform DHCP (NetBoot), make DNS lookups and use TFTP. (We achieve this by referencing an ACL set that we wish to be on the port via the Filter-ID AVP in the RADIUS Access-Accept.)

We also intercept all attempts to access external addresses via HTTP by performing NAT back to an internal Web server so that we can provide users with appropriate configuration tools and instructions for their system to connect.

For a device that needs to be imaged, the access given in the quarantine subnet is sufficient to boot from the network and, once it has done this, it is incumbent that the imaging system must then authenticate via 802.1X and re-DHCP to be able to be in an appropriate VLAN, and thus subnet, to start its imaging process.

We are very keen to be able to image our Macs properly in the secured environment that we have.
(Our workaround at the moment is to relax the network security as and when we need to image machines in particular areas.)

Any thoughts? :)

(By way of a 'competitive' comparison, Microsoft offer this functionality for WDS.)

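Added example, not part of the post above: a small Python model of the port policy it describes, showing why a NetBoot client can start in quarantine but cannot reach an imaging server until it authenticates via 802.1X. The VLAN IDs, the ACL name, the sample flows and the assumption that authenticated ports are unfiltered are all constructed for illustration; the RADIUS attribute names follow RFC 2865 and RFC 3580.

```python
# Added illustration, not from the thread. VLAN IDs, the ACL name and the
# sample flows are constructed; RADIUS attribute names follow RFC 2865/3580.
QUARANTINE_VLAN, AUTHENTICATED_VLAN = "900", "120"   # constructed
QUARANTINE_ACL = "quarantine-netboot"                # constructed Filter-Id

# Internal services the post allows in quarantine (matched on destination port
# only; TFTP data replies from ephemeral ports are not modelled here).
QUARANTINE_PERMITS = {("udp", 67), ("udp", 53), ("tcp", 53), ("udp", 69)}


def access_accept(eap_authenticated):
    """Attributes the RADIUS server returns for a port, per the post's design."""
    vlan = AUTHENTICATED_VLAN if eap_authenticated else QUARANTINE_VLAN
    attrs = {
        "Tunnel-Type": "VLAN",              # value 13
        "Tunnel-Medium-Type": "IEEE-802",   # value 6
        "Tunnel-Private-Group-ID": vlan,
    }
    if not eap_authenticated:
        # MAC-authentication fallback: the switch applies the named ACL set.
        attrs["Filter-Id"] = QUARANTINE_ACL
    return attrs


def verdict(attrs, proto, dport, dst_internal):
    """Return 'permit', 'redirect' or 'deny' for one flow from the client."""
    if attrs.get("Filter-Id") != QUARANTINE_ACL:
        return "permit"                     # assumption: authenticated ports are unfiltered
    if dst_internal and (proto, dport) in QUARANTINE_PERMITS:
        return "permit"
    if not dst_internal and (proto, dport) == ("tcp", 80):
        return "redirect"                   # NAT to the internal help web server
    return "deny"


def netboot_walkthrough():
    """Constructed flows: NetBoot works in quarantine, imaging traffic does not."""
    flows = [("udp", 67, True), ("udp", 69, True), ("tcp", 80, False),
             ("tcp", 443, True)]            # last: hypothetical imaging-server port
    quarantined, authed = access_accept(False), access_accept(True)
    return [(f, verdict(quarantined, *f), verdict(authed, *f)) for f in flows]


if __name__ == "__main__":
    for flow, before, after in netboot_walkthrough():
        print(flow, "quarantine:", before, "| after 802.1X:", after)
```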

#2 2013-06-19 09:33:15

MagerValp
Member
Registered: 2010-01-26

Re: Perform 802.1X Authentication Before Imaging Starts

This appeared yesterday and seems to suggest that it isn't possible: http://support.apple.com/kb/TS4591

A pity, we'd like to implement this too.
