Intel® vPro™ Technology
Next-Generation Streaming Clients Based on Intel® vPro™ Technology
Architecture for 802.1x-PXE Technology
As described earlier, PXE fails in 802.1x/NAC networks, because the 802.1x supplicant stack is not present inside legacy BIOS to perform authentication. In this section we describe how we use the Intel Embedded Trust Agent to provide a novel solution to this challenge.
By using the Intel Embedded Trust Agent capability to establish an 802.1x authentication channel without the client OS supplicant, enterprises can now configure Intel® vPro™ brand platforms to complete 802.1x authentication at system boot-up, so that the PXE boot can proceed over an already-open 802.1x port. In a PXE boot environment, when these platforms are configured with the 802.1x-PXE-Enable option (via remote configuration [24]), the Intel Embedded Trust Agent/Intel AMT firmware implements the modified 802.1x synchronization state machine depicted in Figure 3.
Figure 3: Host OS—Intel® ME 802.1x synchronization state machine for PXE boot
In a PXE boot configuration (802.1x-PXE-Enable option set inside an Intel vPro brand platform), the Intel ME transitions to an active state immediately following system boot-up (boot-in-progress), or immediately following the initial link-up event (during boot-in-progress) as depicted in Figure 3. This is different from the situation depicted in Figure 2, in which the Intel ME only transitioned to the active 802.1x authentication state when the host OS 802.1x authentication failed. This modification to the state machine allows the Intel ME to actively manage the 802.1x authentication during the initial boot-up of the system, so as to allow PXE to use the open 802.1x port to download the OS from the remote server and boot the system. The Intel ME transitions to passive mode when the PXE boot is completed.
Note that, currently, the IT administrator must explicitly configure an Intel vPro technology-enabled system for either a PXE boot environment (802.1x-PXE-Enable option) or a non-PXE-boot environment (default behavior), as illustrated by the different initial states in Figures 2 and 3. Also note that although the Intel Embedded Trust Agent is supported for both wired and wireless (802.11) networks, the 802.1x-PXE technology is supported for wired (LAN) interfaces only. Later, we describe our future work, which centers on extending this capability to wireless (WLAN) interfaces.
The Intel ME uses several methods to detect the completion of the PXE boot (the PXE_Boot_Complete flag event in Figure 3). These methods are listed in Table 3.

Table 3: PXE boot-completion detection methods

| # | Detection method |
|---|---|
| 1 | Detect 802.1x/EAP packets from the host: PXE boot complete |
| 2 | Configurable PXE boot timeout (default value: 120 seconds) |
| 3 | Detect that the host OS to Intel ME communication driver (HECI) is up (using a watchdog message) |
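As an added illustration (not code from the article, nor from Intel's firmware), the following Python model walks through the Figure 3 transitions and the three Table 3 completion methods, with the non-PXE (Figure 2) rule of activating only after host authentication fails. The event names, the state names and the tick-driven handling of the 120 second timeout are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model: event/state names and the tick-based timeout are assumptions.
PXE_TIMEOUT_S = 120            # Table 3, method 2: configurable, 120 s default
COMPLETION_EVENTS = {
    "host_eap_seen": "method 1: host stack now sends 802.1x/EAP, so PXE boot is done",
    "heci_watchdog": "method 3: host OS to ME (HECI) driver answered the watchdog",
}
BOOT_EVENTS = ("boot_in_progress", "link_up")   # Figure 3 activation triggers


@dataclass
class MeSupplicant:
    pxe_enabled: bool                        # 802.1x-PXE-Enable option set?
    state: str = "passive"                   # ME 802.1x role: passive or active
    active_since: Optional[float] = None     # time the ME took over the port
    pxe_done: bool = False                   # PXE_Boot_Complete already raised
    trace: List[Tuple[float, str, str]] = field(default_factory=list)

    def on_event(self, t: float, event: str) -> str:
        if self.state == "passive":
            if self.pxe_enabled and not self.pxe_done and event in BOOT_EVENTS:
                self.state, self.active_since = "active", t   # Figure 3: go active at boot
            elif not self.pxe_enabled and event == "host_auth_failed":
                self.state, self.active_since = "active", t   # Figure 2: only on host failure
        elif self.state == "active" and self.pxe_enabled and not self.pxe_done:
            timed_out = (t - self.active_since) >= PXE_TIMEOUT_S   # method 2
            if event in COMPLETION_EVENTS or (event == "tick" and timed_out):
                self.state, self.pxe_done = "passive", True       # hand 802.1x to host OS
        self.trace.append((t, event, self.state))
        return self.state


def run(pxe_enabled: bool, events: List[Tuple[float, str]]) -> List[Tuple[float, str, str]]:
    """Feed (time, event) pairs to a fresh ME model and return its transition trace."""
    me = MeSupplicant(pxe_enabled)
    for t, ev in events:
        me.on_event(t, ev)
    return me.trace


def states(trace: List[Tuple[float, str, str]]) -> List[str]:
    return [s for _, _, s in trace]


if __name__ == "__main__":
    # Constructed sequence: boot, link-up, then the host supplicant starts talking EAP.
    for row in run(True, [(0, "boot_in_progress"), (2, "link_up"), (60, "tick"), (75, "host_eap_seen")]):
        print(row)
```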
Protocol Flow for 802.1x-PXE
Figure 4 depicts the protocol flow for enabling PXE inside 802.1x/NAC networks. The protocol flow can be broken down into the following basic steps (note that each step can itself consist of several protocol exchanges over the wire):
- The 802.1x-enabled Ethernet switch sends an authentication request (EAP-Request) to the client platform, asking for its credentials.
- The Intel Embedded Trust Agent sends an authentication response (EAP-Response) to the switch, providing its credentials.
- The switch passes the authentication credentials on to the AAA (RADIUS) server for verification and for an IT policy-compliance check.
- Based on the credentials, the AAA server grants the client platform access to the network. It sends the results of the authentication to the switch that implements the access control.
- When the client platform has network access, it receives a valid IP address, and the PXE boot agent (inside the BIOS) on the client downloads the OS from the PXE server on the corporate network.
- Once the OS is streamed onto the client, it starts booting.
When the Intel ME detects that the host OS is up and running, it terminates its 802.1x authentication channel, allowing the OS to authenticate itself.
Figure 4: Intel® vPro™ 802.1x PXE boot protocol flow
