Background:
We've been running 802.1x on our HP-based network (5400zl and 5400R ZL2 series) for about a year now, and we are happy with the extra layer of security, and the fact that unauthenticated clients end up on a guest network with internet access only, which provides a service for external consultants and others, that for some reason can't or won’t use Wi-Fi.
Problem:
Ever since implementing 802.1x we've had problems dealing with Windows-deployments from SCCM. Specifically booting from PXE.
Workaround:
The workaround ended up being giving our supporters access to log into the switches and manually disable 802.1x on the corresponding port, until the deployment was over. We used AAA and MS NPS to control that was all they could do, but still it wasn’t a very pretty solution. Also, they often forgot to re-enable the ports when they were done, leaving security breaches all over the company.
Solution:
Since I learned that the HP switches supports REST API since K.16.02 (I think it is), I decided to try and give that a shot.
Fast forward to today and we are now using the following PowerShell-command (available from a module with a function I created) to disable 802.1x on a given port for 4 hours:
Remove-802.1x –ComputerName nameofpc
We’ve also included it in a task sequence in SCCM, so when deploying to one or more computer(s), it doesn’t have to be a manual script execution.
Tech notes:
I’ve created a function/module from Script 1, and use it that way, but that part is up to you. I won’t go into details about how to do that. Neither will I explain how we’ve done with the task sequence in SCCM, simply because our SCCM guy did that part, nor do I know anything about SCCM.
There are various variables in the scripts that need to be configured, so the scripts won’t work out-of-the-box for you. You are required to read them and adjust them to your environment.
Scripts:
I’ve attached the scripts for your convenience. Only requirement is an HP/Aruba switch with software version K.16.02 or newer. Also the computer on the given switch port, needs to be online, in order to retrieve mac address details.
All scripts are designed to stop at the first error. So nothing continues in case an error happens.
The scripts can also be used as a reference in achieving other tasks using the REST API I guess.
Script 1:
This script disables 802.1x on a specific switch and port.
Script 2:
This script must be placed on a server in your infrastructure. It’s called by Script 1 and creates a scheduled task, which will execute after 4 hours and then delete itself after 2 days. Also, if it fails, it will create a Service Request in our ServiceDesk (that last part won’t work unless you’re using ManageEngine ServiceDesk Plus, but I kept it there, as you might want to do something else, like send an email or whatever. I figure the critical part is not disabling 802.1x, but remembering and assuring that it gets re-enabled.
Script 3:
This is the script that the scheduled task will execute. It basically re-enables 802.1x on the switch port and, like the other script, creates a ServiceDesk ticket in case it fails.
Notes:
That’s it. Use at your own risk. I hope it will help someone in the same situation as us.
/Rasmus
