iPXE 802.1x Integration

Tools and solutions for adding new machines to secure networks.

Overview

Customers with highly secure internal networks may choose to implement enhanced security protocols, such as 802.1x or IPsec, for machines on the corporate network.

However, this presents challenges when trying to boot a machine using iPXE for re-imaging.

If your organization is attempting to allow re-imaging throughout the enterprise (at every user’s desk), not just in protected imaging labs, then this document can help you navigate the challenges.

The Challenge

The challenge is that the iPXE boot process cannot itself be protected or encapsulated by these network security protocols. The network must therefore allow a not-yet-authenticated client access to:

  • DHCP – for an IP address.

  • BOOTP – to get the network boot protocol file (NBP).

  • HTTP(S) – to download the iPXE binary from the iPXE server.

  • ConfigMgr (if applicable) – a Configuration Manager Distribution Point (DP).

  • WinPE – any additional servers the WinPE client will connect to.

  • File server – for downloading the Install.wim.

  • File access to any server needed to initiate network-level security.

  • Optionally, the Domain Controller, if a domain join is necessary.

If your network-level security solution allows connectivity using client-side certificates, it may be possible to incorporate those certificates into the WinPE image used for imaging. Consult your security software's documentation for instructions on how to do this.

Work with your networking team to ensure that machines attempting to iPXE (and PXE) boot have direct access to DHCP and to any BOOTP DHCP options. During implementation your network security team may BLOCK DHCP and BOOTP options for new computers; these will need to be un-blocked.

For 2Pint's iPXE server, clients need TCP access to two ports, 8050 and 8051, and UDP access to port 69 for TFTP. We recommend placing the server in a dedicated Access Control Group that permits unprotected communication with any unauthenticated client.

Once communication with the iPXE server has been established, in a Configuration Manager environment the client may also connect to any Configuration Manager Distribution Point (DP) to download the boot.wim file. All DPs may therefore need to be placed in the same Access Control Group for unprotected communication with any client.

If your security team asks the imaging team to keep the number of unprotected servers to a minimum, one solution is to place the iPXE servers behind a load balancer, so that only ONE IP address needs to be allowed for unprotected communication.

Finally, if your security team will not allow Configuration Manager Distribution Points to be placed in the unprotected group, or if you enable BranchCache, the client will not be able to download from peers unless we script a solution that grants the local client full access.
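The port list above is what the networking team has to open for the unauthenticated VLAN. The following pre-flight check is an added example (not 2Pint code) that a test machine placed on that VLAN can run to confirm the iPXE server is reachable on TCP 8050, TCP 8051 and UDP 69 before any client is asked to boot. UDP has no handshake, so the TFTP check sends a real read request (RFC 1350 RRQ) and treats either a DATA or an ERROR reply as proof that the port is open. The server name and the probe file name are placeholders.

```powershell
# Added example, not 2Pint code: pre-flight reachability check for the
# iPXE server ports listed above. Run from a test machine on the same
# pre-authentication VLAN that a new client lands on.

function Test-TcpPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait gives a bounded timeout; a refused or
        # filtered port either throws or leaves Connected false.
        $task = $client.ConnectAsync($Server, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-TftpPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port = 69,
        [string] $FileName = 'ipxe-acl-probe.txt',   # hypothetical; the file need not exist
        [int]    $TimeoutMs = 3000
    )
    # TFTP read request (RFC 1350): opcode 0x0001, filename, NUL, "octet", NUL.
    # A DATA (3) or ERROR (5) reply both prove the server answered through the
    # ACL; a timeout means the port is blocked (or the server is down).
    $ascii = [System.Text.Encoding]::ASCII
    [byte[]] $rrq = @(0, 1) + $ascii.GetBytes($FileName) + 0 + $ascii.GetBytes('octet') + 0
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void] $udp.Send($rrq, $rrq.Length, $Server, $Port)
        # The server replies from a fresh transaction port, so accept any source.
        $from  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref] $from)
        if ($reply.Length -lt 2) { return $false }
        $opcode = (([int] $reply[0]) -shl 8) -bor ([int] $reply[1])
        return ($opcode -eq 3 -or $opcode -eq 5)
    }
    catch [System.Net.Sockets.SocketException] { return $false }
    finally { $udp.Close() }
}

function Test-IpxeServerAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Server)
    # One row per required port, so the result can be handed to the network team.
    foreach ($p in @(
        @{ Proto = 'TCP'; Port = 8050; Purpose = '2Pint iPXE server' },
        @{ Proto = 'TCP'; Port = 8051; Purpose = '2Pint iPXE server' },
        @{ Proto = 'UDP'; Port = 69;   Purpose = 'TFTP' }
    )) {
        $ok = if ($p.Proto -eq 'TCP') { Test-TcpPort  -Server $Server -Port $p.Port }
              else                    { Test-TftpPort -Server $Server -Port $p.Port }
        [pscustomobject] @{
            Server = $Server; Proto = $p.Proto; Port = $p.Port
            Purpose = $p.Purpose; Reachable = $ok
        }
    }
}

# Usage (server name is a placeholder):
# Test-IpxeServerAccess -Server ipxe.corp.contoso.com | Format-Table
```

This checks only the server-side ports. Whether DHCP and the BOOTP options actually reach an unauthenticated client can only be confirmed by PXE booting a test machine on that VLAN, since a running OS already holds a lease.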

2Pint Tech Used

2Pint iPXEAnywhere allows PowerShell scripts to run on the iPXE server during the iPXE boot process.

For example, if we have a network protected by 802.1x, what procedures are required for access?

  • Place the iPXE server in an Unauthenticated Security Group with access to ports 8050, 8051 and 69.

  • If you have multiple iPXE servers in a pool, you can put a load balancer in front of them and add only the load balancer to the Unauthenticated Security Group.

  • iPXEAnywhere can then run a script on the iPXE server for every client that tries to connect.

  • Make an API call to your authentication server (e.g. RADIUS) to submit a MAB (MAC Address Bypass) request for each client.

  • Once the MAB request has succeeded, we may need to force an EAPOL-Start frame from the client so that the authentication server re-evaluates its new status. In iPXE this can be done with a script that performs "ifclose" followed by "ifconf".

Works with the following MS tech

DHCP, Configuration Manager, BranchCache

Example

This code is intended to be called from within the 2Pint iPXEAnywhere iPXEBoot.ps1 script.

It returns a script blob (string) that is passed back and injected early in the iPXEBoot.ps1 script.

Note that a large section of the code below exists to handle EAPOL authentication issues. This may not be necessary with future versions of iPXEAnywhere, because iPXE gained EAPOL re-transmission during ifconf in September 2023.

# Custom handler for 802.1x exceptions.
# Called from iPXEBoot.ps1 with the 2Pint request-status and network objects.
# Assumes the caller has defined $arrayOfNon802x1Subnets (network IDs that are
# not 802.1x protected) and the 2Pint helper write-2PintConsole.
function revoke-MyNetworkSecurity {
    [cmdletbinding()]
    param( $RequestStatusInfo, $DeployNetwork )

    "start MAB Process $( $RequestStatusInfo.DeployMac.ToString() )" | write-verbose

    # Nothing to do on subnets that are not 802.1x protected: return an empty blob.
    if ($arrayOfNon802x1Subnets.Contains($DeployNetwork.NetworkId.ToString())) {
        write-verbose "Device is not on an 802.1x network, exit. $($DeployNetwork.NetworkId.ToString())"
        return ""
    }

    # Request payload for the MAB API. The account and password here are
    # placeholders; a production script should load them from a protected
    # store rather than keeping them in the source.
    $body = @{
        user = 'corp\8021xaccount'
        password = 'P@ssw0rd'
        mac = $RequestStatusInfo.DeployMac.ToString() -replace ':','-'
    } | ConvertTo-Json -Compress

    $ErrorOut = $null
    $restOut = ''
    try {
        $result = Invoke-WebRequest "https://internal8021xapi:443/8021x_mab.pl?POSTDATA=$([uri]::EscapeDataString($Body))" -verbose -UseBasicParsing
        write-verbose "Result back from https://internal8021xapi"
        $result | out-string | write-verbose

        # Anything other than HTTP 200 with a one-byte body is treated as a failure.
        if ( ( $result.StatusCode -ne 200 ) -or ( $result.RawContentLength -ne 1 ) ) {
            $ErrorOut = $result.content | write-2PintConsole
        }
        else {
            $restOut = $result.Content
        }
    }
    catch {
        write-warning "Failed to make Web Request to https://internal8021xapi"
        $ErrorOut = $_ | write-2PintConsole
    }

    # Now emit the iPXE script blob. The here-string opener (@") must end its
    # line and the closer ("@) must start its line, or PowerShell will not parse it.
    if ( $ErrorOut ) {

        @"

echo ####################################################
echo ####################################################
echo
echo Failure to get MAB 802.1x exception:
echo
$( $ErrorOut -join [environment]::newline )
echo
echo ####################################################
echo ####################################################
prompt --key q Press 'q' to quit && exit || echo continue

"@ | Write-Output
    }
    else {

        @"

# Remember the NIC iPXE is currently using; `$ is escaped so iPXE, not
# PowerShell, expands the variable.
set currentnic `${netX/ifname}

echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo Start MAB Exception process [`${currentnic}] ...
ifstat `${currentnic}
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

#ping -c 1 sccmipx2.corp.contoso.com && goto mabdone || echo Unable to ping sccmipx2
#ping -c 1 sccmipx1.corp.contoso.com && goto mabdone || echo Unable to ping sccmipx1

echo Unable to reach SCCMIPX[1|2] Begin Mab Process  `${currentnic}

# Bring the NIC down and back up so that ifconf sends a fresh EAPOL-Start
# and the switch re-checks the MAB entry just created.
ifclose `${currentnic}

echo sleep 10 and restart NIC `${currentnic}
sleep 10

:mabretry
ifconf `${currentnic} || goto mabbadnic
iflinkwait --timeout 1000 `${currentnic} || goto mabbadnic

#ping -c 1 sccmipx2.corp.contoso.com && goto mabdone || echo Unable to ping sccmipx2
#ping -c 1 sccmipx1.corp.contoso.com && goto mabdone || echo Unable to ping sccmipx1

# The iPXE server is in the unauthenticated group, so reaching it only
# proves the NIC is up, not that the bypass took effect.
ping -c 1 ipxe.corp.contoso.com && goto mabnobypass || goto mabbadnic

:mabbadnic
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo
echo Unable to reach ipxe.corp.contoso.com. NIC in a bad state.
echo
echo If this is the first time seeing this error, press ENTER for reset.
echo If the problem persists, shutdown the machine and retry.
echo If the problem STILL persists, take a picture of this screen and escalate.
echo
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
ifstat `${currentnic}
prompt --timeout 30000 press return to retry reset
ifclose `${currentnic}
goto mabretry

:mabnobypass
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo
echo Unable to reach 802.1x protected machine(s).
echo
echo If this is the first time seeing this error, press ENTER for reset.
echo If the problem persists, try disconnecting the network cable and retry.
echo If the problem persists, shutdown the machine and retry.
echo If the problem STILL persists, take a picture of this screen and escalate.
echo
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
ifstat `${currentnic}
prompt --timeout 30000 press return to retry reset
# ifclose `${currentnic}
set completeurl `${pxeurl}2PXE/boot##params=paramdata
echo Boot... `${pxeurl}2PXE/boot##params=paramdata
chain --autofree --replace `${pxeurl}2PXE/boot##params=paramdata || goto mabretry

:mabdone
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
echo Finish Network Reset for 802.1x `${currentnic}
echo MAB DONE!
echo %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

prompt --timeout 30000 press return to FINISH

"@ | write-output

    }

}
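The handler above carries the MAB API account and password in clear text in the script, sends whatever MAC the client presented straight to the authentication server, and keeps no record of which bypass requests were made. The following is an added example (not 2Pint code) of a hardened replacement for the request section of revoke-MyNetworkSecurity. It keeps the page's endpoint and POSTDATA shape, which are assumed to be the API's contract, but reads the account from a DPAPI-protected credential file, rejects malformed MAC addresses before they leave the server, and appends one audit line per request. The credential and log file paths and the function names are hypothetical.

```powershell
# Added example, not 2Pint code: hardened request section for the MAB handler.

function Get-MabApiCredential {
    [CmdletBinding()]
    param([string] $Path = "$env:ProgramData\2Pint\mab-api.cred.xml")   # hypothetical path
    # Create the file once, on the iPXE server, as the account the service runs under:
    #   Get-Credential | Export-Clixml -Path <Path>
    # Export-Clixml encrypts the password with DPAPI for that user and machine, so the
    # file is useless if copied elsewhere and no password sits in the script source.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "MAB API credential file not found: $Path"
    }
    return Import-Clixml -LiteralPath $Path
}

function Test-MacAddressFormat {
    param([string] $Mac)
    # Exactly six hex octets separated by ':' or '-'. This also guarantees the value
    # cannot carry newlines or quotes into the request or into the audit log.
    return ($Mac -match '^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$')
}

function Invoke-MabRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mac,
        [string] $ApiUri   = 'https://internal8021xapi:443/8021x_mab.pl',
        [string] $AuditLog = "$env:ProgramData\2Pint\mab-audit.log"     # hypothetical path
    )
    if (-not (Test-MacAddressFormat -Mac $Mac)) {
        throw "Rejected malformed MAC address '$Mac'"
    }
    $cred = Get-MabApiCredential
    $body = @{
        user     = $cred.UserName
        password = $cred.GetNetworkCredential().Password
        mac      = $Mac -replace ':','-'
    } | ConvertTo-Json -Compress

    $ok  = $false
    $err = ''
    try {
        # ${ApiUri} is braced because '?' is a legal character in a variable name.
        $result = Invoke-WebRequest -Uri "${ApiUri}?POSTDATA=$([uri]::EscapeDataString($body))" -UseBasicParsing
        # Same success rule as the page's handler: HTTP 200 and a one-byte body.
        $ok = ($result.StatusCode -eq 200) -and ($result.RawContentLength -eq 1)
        if (-not $ok) { $err = "http=$($result.StatusCode) len=$($result.RawContentLength)" }
    }
    catch {
        $err = $_.Exception.Message -replace '[\r\n]+', ' '
    }
    finally {
        # One line per bypass request: when, which MAC, outcome. The password is never logged.
        $status = if ($ok) { 'ok' } else { 'fail' }
        Add-Content -LiteralPath $AuditLog -Value ('{0:o} mac={1} status={2} {3}' -f (Get-Date), $Mac, $status, $err)
    }
    return $ok
}

# Usage inside the handler, in place of the inline Invoke-WebRequest block:
#   if (Invoke-MabRequest -Mac $RequestStatusInfo.DeployMac.ToString()) { <emit the NIC-reset blob> }
#   else                                                                 { <emit the failure blob> }
```

The audit log is what lets the security team reconcile MAB entries on the authentication server against machines the imaging service actually asked for; with the MAC validated up front, each line is a single, parseable record.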
