10-30-2018 04:58 AM
Solution for PXE booting on a 802.1x-enabled network on HP switches
Background:
We've been running 802.1x on our HP-based network (5400zl and 5400R ZL2 series) for about a year now, and we are happy with the extra layer of security, and with the fact that unauthenticated clients end up on a guest network with internet access only, which provides a service for external consultants and others who for some reason can't or won’t use Wi-Fi.
Problem:
Ever since implementing 802.1x we've had problems dealing with Windows deployments from SCCM, specifically booting from PXE.
Workaround:
The workaround ended up being to give our supporters access to log in to the switches and manually disable 802.1x on the corresponding port until the deployment was over. We used AAA and MS NPS to ensure that was all they could do, but it still wasn’t a very pretty solution. Also, they often forgot to re-enable the ports when they were done, leaving security breaches all over the company.
Solution:
Since I learned that the HP switches have supported the REST API since K.16.02 (I think it is), I decided to give that a shot.
Fast forward to today and we are now using the following PowerShell command (available from a module with a function I created) to disable 802.1x on a given port for 4 hours:
Remove-802.1x -ComputerName nameofpc
We’ve also included it in a task sequence in SCCM, so when deploying to one or more computer(s), it doesn’t have to be a manual script execution.
Tech notes:
I’ve created a function/module from Script 1, and use it that way, but that part is up to you. I won’t go into details about how to do that. Neither will I explain how we’ve done the task sequence in SCCM, simply because our SCCM guy did that part, and I don't know anything about SCCM.
There are various variables in the scripts that need to be configured, so the scripts won’t work out-of-the-box for you. You are required to read them and adjust them to your environment.
Scripts:
I’ve attached the scripts for your convenience. The only requirement is an HP/Aruba switch with software version K.16.02 or newer. Also, the computer on the given switch port needs to be online in order to retrieve MAC address details.
All scripts are designed to stop at the first error, so nothing continues in case an error happens.
The scripts can also be used as a reference for achieving other tasks using the REST API, I guess.
Script 1:
This script disables 802.1x on a specific switch and port.
Script 2:
This script must be placed on a server in your infrastructure. It’s called by Script 1 and creates a scheduled task, which will execute after 4 hours and then delete itself after 2 days. Also, if it fails, it will create a Service Request in our ServiceDesk (that last part won’t work unless you’re using ManageEngine ServiceDesk Plus, but I kept it there, as you might want to do something else, like send an email or whatever). I figure the critical part is not disabling 802.1x, but remembering and assuring that it gets re-enabled.
Script 3:
This is the script that the scheduled task will execute. It basically re-enables 802.1x on the switch port and, like the other script, creates a ServiceDesk ticket in case it fails.
Notes:
That’s it. Use at your own risk. I hope it will help someone in the same situation as us.
/Rasmus
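The scheduling step described for Script 2 (run the re-enable script after 4 hours, then have the task remove itself after 2 days) can be sketched as follows. This is an added example, not the author's script: the function name `Register-Dot1xReenable`, the path `C:\Scripts\Enable-Dot1x.ps1`, its `-SwitchName`/`-Port` parameters, the port-name pattern and the SYSTEM run-as account are all assumptions.

```powershell
# Added example (not the original Script 2): one-shot scheduled task that runs
# the re-enable script after a delay and deletes itself once it has expired.
function Register-Dot1xReenable {
    [CmdletBinding()]
    param(
        # Strict patterns keep switch/port values from injecting extra arguments
        # into the command line stored in the task (patterns are assumptions).
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]{1,63}$')][string]$SwitchName,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]?[0-9]{1,2}$')][string]$Port,
        [string]$ScriptPath = 'C:\Scripts\Enable-Dot1x.ps1',  # hypothetical location of Script 3
        [ValidateRange(1, 24)][int]$DelayHours = 4,
        [ValidateRange(1, 30)][int]$CleanupDays = 2
    )
    $ErrorActionPreference = 'Stop'   # stop at the first error

    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Re-enable script not found: $ScriptPath"
    }

    $runAt   = (Get-Date).AddHours($DelayHours)
    $trigger = New-ScheduledTaskTrigger -Once -At $runAt
    # DeleteExpiredTaskAfter is only accepted when the trigger has an end boundary.
    # The one-hour window lets StartWhenAvailable catch a run missed by a reboot.
    $trigger.EndBoundary = $runAt.AddHours(1).ToString('s')

    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -DeleteExpiredTaskAfter (New-TimeSpan -Days $CleanupDays)

    $arguments = '-NoProfile -NonInteractive -File "{0}" -SwitchName {1} -Port {2}' -f `
        $ScriptPath, $SwitchName, $Port
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

    # Assumption: runs as SYSTEM; a dedicated service account is the tighter choice.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount
    $taskName = 'Reenable-8021x_{0}_{1}_{2:yyyyMMddHHmm}' -f $SwitchName, $Port, $runAt

    Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
        -Settings $settings -Principal $principal | Out-Null

    # Confirm the task really exists before the caller disables 802.1x on the port.
    $task = Get-ScheduledTask -TaskName $taskName
    [pscustomobject]@{ TaskName = $task.TaskName; RunAt = $runAt; State = $task.State }
}
```

Registering the re-enable task before the port is opened, and aborting if registration fails, means an exemption can never exist without its matching cleanup.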
10-30-2018 05:04 AM - last edited on 10-30-2018 10:56 PM by Parvez_AL
Re: Solution for PXE booting on a 802.1x-enabled network on HP switches
Apparently zip and ps1 files are not supported as upload files in the forum. I will paste the scripts instead.
Update: There's also a 25.000 word max, so I can't paste them either.
If anyone is interested, send me your email through a private message by clicking here, and I will send them to you.
/Rasmus
© Copyright 2021 Hewlett Packard Enterprise Development LP