
How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks

Updated: October 1, 2009

Applies To: System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP2

If you want to manage provisioned AMT-based computers out of band when these computers are connected to an authenticated wired network or a wireless network, you must configure Configuration Manager to support these environments. Use the following procedure to configure settings for 802.1X authenticated wired connections and 802.1X wireless connections.

Note
The information in this topic applies only to Configuration Manager 2007 SP2.

The settings that you specify for client authentication and other security-related settings must match the configuration of your RADIUS server; if they do not, the AMT firmware will fail to authenticate to the network even though the host operating system may connect normally. For information about supported configurations on RADIUS servers, see Prerequisites for Out of Band Management. Additionally, when the host operating system of the AMT-based computer is configured for wireless networking (either natively or by using another solution), ensure that the Network name (SSID), Security type, and Encryption method that you specify in the out of band management wireless profile match the host wireless configuration.

If you will use a client certificate for 802.1X authentication, this procedure includes selecting a customized certificate template from an enterprise certification authority (CA). If you have not already configured this certificate template, see the following topics for more information:

AMT-based computers must be provisioned by Configuration Manager before they can support out of band management on 802.1X authenticated wired connections and 802.1X wireless connections. The following configuration procedure is required in addition to configuring AMT provisioning. If the AMT-based computer is already provisioned by Configuration Manager and you want to add support for 802.1X authenticated wired connections and 802.1X wireless connections, you must update the AMT settings for this configuration to take effect. For information about how to update the AMT settings, see How to Update AMT Settings in Provisioned Computers Using Out of Band Management.

When the AMT-based computer is updated for out of band management on 802.1X authenticated wired connections and 802.1X wireless connections, one of the following network connections must be in operation:

  • The computer is connected to an Ethernet port on which 802.1X authentication is not required.

  • The computer is connected to an 802.1X authenticated network through the operating system.

Note
If you use out of band management on wireless networks, you must ensure that DNS has a host record for the AMT-based computer, which contains the wireless IP address. AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system on the host computer updates DNS so that the AMT-based computer’s wireless IP address can be resolved to its fully qualified domain name. Alternatively, you can manually create these records in DNS as needed.

To configure AMT-based computers for authenticated wired and wireless connections

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.

  2. Right-click Out of Band Management, click Properties, and then click the 802.1X and Wireless tab.

    Note
    If you do not need to configure 802.1X authentication for wired networks, go to step 9.

  3. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Set.

  4. In the 802.1X Wired Network Access Control dialog box, click Select for the Trusted root certificate.

  5. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK:

    • To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the drop-down list.

    • To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

  6. Use the drop-down box to select the client authentication method to use.

  7. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication.

  8. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template, and then click OK.

    Note
    If you do not need to configure wireless settings, go to step 23.

  9. To create and configure a wireless profile, click the New icon New Icon.

  10. In the Wireless Profile dialog box, type a display name for the Profile name.

  11. Type the name of the wireless network in the Network name (SSID).

  12. Specify the security type from the Security type drop-down box.

  13. Specify the encryption method from the Encryption method drop-down box.

  14. Click Select to specify the trusted root certificate for the RADIUS server.

  15. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK:

    • To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the drop-down list.

    • To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

  16. Use the drop-down box to select the client authentication method to use.

  17. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication.

  18. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template, and then click OK.

  19. To create additional wireless profiles, repeat steps 9 through 18 for each profile.

  20. To change the order of the wireless profiles, select a wireless profile, and then click the Move Item Down icon Move Down Icon or Move Item Up icon Move Up Icon. The AMT-based computers will try each wireless profile in turn until a connection is successfully made, and they continue to use this profile for the duration of the connection.

  21. If you need to change the settings of a wireless profile, select the wireless profile and then click the Properties icon Properties Icon.

  22. If you need to delete a wireless profile, select the wireless profile and then click the Delete icon Delete Icon. Click Yes to confirm.

  23. For both 802.1X authenticated wired connections and wireless connections, configure one of the following for the Security group for RADIUS authentication, and then click OK. Automatic addition applies only to AMT-based computers that are provisioned in-band:

    • To add AMT-based computers manually to the security group that the RADIUS server uses to grant network access, keep the default of Do not automatically add AMT-based computers to security group (more secure). With this setting, you must add every AMT-based computer to that security group yourself. Computers that are provisioned out of band always require this manual step, whichever option you choose.

    • To add in-band provisioned AMT-based computers automatically to a specified security group that the RADIUS server uses to grant network access, click Automatically add AMT-based computers to security group (less secure), click Browse, specify the security group in the Select Group dialog box, and then click OK. AMT-based computers that are provisioned out of band are not added automatically.

      Note
      To automatically add AMT-based computers, the site server computer account requires Read and Write permissions to the specified group.

To verify whether AMT-based computers are configured for authenticated wired and wireless connections

  1. On the out of band service point, locate and open the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log.

  2. Search for one of the following text strings, where <wireless_profile> is the specified name of the wireless profile:

    • To confirm that the authenticated wired settings were successfully configured, search for Begin to set Wired 8021x Profile... and then Set Wired 8021x Profile Success....

    • To confirm that the wireless profile settings were successfully configured, search for Set wireless profile: <wireless_profile> and then Successfully add wireless profile <wireless_profile>.

    • To identify a failure in configuring a wireless profile because a specified configuration element failed (for example, a client certificate was specified but could not be issued), search for Set wireless profile: <wireless_profile>, the reason for the failure (for example, No client Certificate), and then The wireless profile: <wireless_profile> is invaid. Skip adding....

    • To identify a failure in updating wireless profiles because the AMT-based computer is currently on a wireless connection, search for The wireless connection is active, skip setting wifi profiles.

  3. Close the log file and take corrective action if the settings were not successfully applied.
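On a busy out of band service point, Amtopmgr.log is long and the entries for one update are interleaved with others, so it helps to parse the file rather than search it by eye. The following Python script is an added example for this topic, not code shipped with Configuration Manager: it reads the Configuration Manager log framing (<![LOG[message]LOG]!><time="..." date="..." ...>), looks for the message prefixes listed in step 2, and reports the wired result and the outcome of each wireless profile, including the reason logged before a profile was rejected. The embedded sample log is constructed for the example; its timestamps, thread and file fields, and the profile names CorpWiFi and LabWiFi are invented, while the message text is taken from the search strings above.

```python
"""Report 802.1X wired and wireless profile results from Amtopmgr.log.

Added example for this topic (not Configuration Manager code). The log framing
and the message prefixes come from the topic; SAMPLE_LOG is constructed, and its
timestamps, thread, file names and profile names are invented.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a real capture): one profile succeeds, one is rejected
# because a client certificate was requested but could not be issued.
SAMPLE_LOG = '''\
<![LOG[Begin to set Wired 8021x Profile...]LOG]!><time="10:15:01.000+000" date="10-01-2009" component="amtopmgr" context="" type="1" thread="1234" file="amt8021x.cpp:100">
<![LOG[Set Wired 8021x Profile Success...]LOG]!><time="10:15:02.000+000" date="10-01-2009" component="amtopmgr" context="" type="1" thread="1234" file="amt8021x.cpp:120">
<![LOG[Set wireless profile: CorpWiFi]LOG]!><time="10:15:03.000+000" date="10-01-2009" component="amtopmgr" context="" type="1" thread="1234" file="amtwifi.cpp:200">
<![LOG[Successfully add wireless profile CorpWiFi]LOG]!><time="10:15:04.000+000" date="10-01-2009" component="amtopmgr" context="" type="1" thread="1234" file="amtwifi.cpp:220">
<![LOG[Set wireless profile: LabWiFi]LOG]!><time="10:15:05.000+000" date="10-01-2009" component="amtopmgr" context="" type="1" thread="1234" file="amtwifi.cpp:200">
<![LOG[No client Certificate]LOG]!><time="10:15:06.000+000" date="10-01-2009" component="amtopmgr" context="" type="3" thread="1234" file="amtwifi.cpp:210">
<![LOG[The wireless profile: LabWiFi is invaid. Skip adding...]LOG]!><time="10:15:07.000+000" date="10-01-2009" component="amtopmgr" context="" type="2" thread="1234" file="amtwifi.cpp:215">
'''

# One entry: the message sits between <![LOG[ and ]LOG]!>; messages may span lines.
LOG_ENTRY = re.compile(r"<!\[LOG\[(.*?)\]LOG\]!>", re.S)

# Search strings from the topic, matched as prefixes so trailing "..." does not matter.
WIRED_BEGIN = "Begin to set Wired 8021x Profile"
WIRED_OK = "Set Wired 8021x Profile Success"
WIFI_SET = "Set wireless profile: "
WIFI_OK = "Successfully add wireless profile "
WIFI_ACTIVE = "The wireless connection is active, skip setting wifi profiles"
# "invaid" is the spelling the topic gives for this log message; keep it verbatim.
WIFI_INVALID = re.compile(r"The wireless profile: (.+?) is invaid\. Skip adding")


def messages(log_text: str) -> List[str]:
    """Return the message text of every log entry, in log order."""
    return [m.group(1).strip() for m in LOG_ENTRY.finditer(log_text)]


def wired_status(msgs: List[str]) -> str:
    """'success', 'no success logged' (begun but not confirmed) or 'not attempted'."""
    if any(m.startswith(WIRED_OK) for m in msgs):
        return "success"
    if any(m.startswith(WIRED_BEGIN) for m in msgs):
        return "no success logged"
    return "not attempted"


def wireless_skipped_active(msgs: List[str]) -> bool:
    """True if the update was skipped because AMT was on a wireless connection."""
    return any(m.startswith(WIFI_ACTIVE) for m in msgs)


def wireless_status(msgs: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each wireless profile name to (state, reason).

    state is 'success', 'invalid' or 'pending' (a Set line with no outcome yet).
    reason joins the messages logged between the Set line and the 'is invaid'
    line, for example 'No client Certificate'.
    """
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    current: Optional[str] = None
    reasons: List[str] = []
    for m in msgs:
        if m.startswith(WIFI_SET):
            current = m[len(WIFI_SET):].strip()
            reasons = []
            results[current] = ("pending", None)
        elif m.startswith(WIFI_OK):
            results[m[len(WIFI_OK):].strip()] = ("success", None)
            current = None
        else:
            inv = WIFI_INVALID.match(m)
            if inv:
                results[inv.group(1)] = ("invalid", "; ".join(reasons) or None)
                current = None
            elif current is not None:
                reasons.append(m)  # intermediate message, kept as the failure reason
    return results


def report(log_text: str) -> List[str]:
    """Summary lines for one log file."""
    msgs = messages(log_text)
    lines = [f"wired 802.1X: {wired_status(msgs)}"]
    if wireless_skipped_active(msgs):
        lines.append("wireless: skipped, AMT was on a wireless connection; retry on Ethernet")
    for name, (state, reason) in wireless_status(msgs).items():
        lines.append(f"wireless {name}: {state}" + (f" ({reason})" if reason else ""))
    return lines


if __name__ == "__main__":
    # Usage: python amtopmgr_check.py <ConfigMgrInstallationPath>\Logs\Amtopmgr.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(text)))
```

Run the script with the path to Amtopmgr.log as its only argument, or with no argument to see the constructed sample. Matching is by prefix, so the trailing ellipses in the logged strings are irrelevant, and the "invaid" spelling is kept exactly as the topic gives the search string because a corrected spelling would not match the log. A profile reported as pending has a Set line but no outcome in the portion of the log you supplied.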

See Also

For additional information, see Configuration Manager 2007 Information and Support.