
Volume 12, Issue 04

Intel® vPro™ Technology


Intel Technology Journal - Featuring Intel's recent research and development

ISSN 1535-864X DOI 10.1535/itj.1204.05

Published December 23, 2008

  Section 4 of 10  

Next-Generation Streaming Clients Based on Intel® vPro™ Technology

Overview of the Intel® Embedded Trust Agent

As described earlier, in order for an end-client to gain network access in 802.1x networks, the client must first present its credentials, and these credentials have to be validated before access is granted. This validation is typically performed by the 802.1x supplicant stack running in the OS of the end-client. Furthermore, in NAC networks, additional client posture (C-NAC) or health (M-NAP) information is required up front to ensure compliance with IT policy; an example of such posture or health information is the name, version, and patch level of the OS running on the client. This additional information is provided by other software components running in the client OS. Therefore, when the OS has crashed or the client has not been booted, the client cannot obtain network access in 802.1x/NAC networks.

The Intel Embedded Trust Agent that is part of platforms with Intel vPro technology consists of the 802.1x supplicant as well as extensions for Cisco* NAC and Microsoft* NAP embedded in the chipset/ME firmware. It thus enables industry-first OOB or pre-OS manageability in 802.1x/NAC networks. The Intel Embedded Trust Agent is supported for both wired and wireless (Wi-Fi*) networks, and it supports both digital certificate-based and username/password-based authentication. The authentication methods (EAP methods) supported by the Intel Embedded Trust Agent inside Intel® Active Management Technology (Intel® AMT) firmware are summarized in Table 1.

Table 1: Intel® AMT EAP authentication methods
(X = supported, - = not supported)

  Intel AMT 802.1x/EAP method supported   Intel AMT Cisco* NAC extensions   Intel AMT Microsoft* NAP extensions
  EAP-FAST [4]                            X                                 -
    - EAP-GTC [7] (inner)                 X                                 -
    - MS-CHAPv2 [6] (inner)               X                                 -
    - EAP-TLS [2] (inner)                 X                                 -
  PEAP [3]                                -                                 X
    - MS-CHAPv2 [6] (inner)               -                                 X
  EAP-TLS [2]                             -                                 -
  EAP-GTC [7]                             -                                 -
  EAP-TTLS [5]                            -                                 -
    - MS-CHAPv2 [6] (inner)               -                                 -

The Intel vPro technology Remote Configuration method described in [24] can be used to provision authentication credentials inside the Intel Embedded Trust Agent; no user intervention is required for this provisioning. The authentication credentials are stored inside the secure storage area (flash memory) [23] provided by the Intel ME. Table 2 summarizes the support for 802.1x, C-NAC, and M-NAP in the different versions of Intel AMT firmware released since 2007.

Table 2: A summary of the support for 802.1x, C-NAC, and M-NAP for different versions of Intel® AMT firmware released since 2007
(X = supported, - = not supported)

  Intel® AMT version   802.1x support   Cisco* NAC support   802.1x-PXE support   Microsoft* NAP support
  2.5                  X                X                    -                    -
  2.6                  X                X                    X                    -
  3.0                  X                X                    -                    -
  3.1                  X                X                    -                    -
  3.2                  X                X                    X                    -
  4.0                  X                X                    X                    X
  5.0                  X                X                    X                    X

Algorithm for Host OS—Intel® Management Engine (Intel® ME) 802.1x Synchronization
As described in the Intel AMT Specification [23], the Intel ME and the host OS share Layer-2 (Ethernet) and Layer-3 (IP) addressing. Thus, in a typical wired 802.1x-enabled network, the state of the port (closed or open) applies to both entities. For example, once the host OS has successfully completed 802.1x authentication, the Intel ME is also able to use the open port for communication. Furthermore, only a single entity should drive the 802.1x link authentication. The Intel ME policy is to let the host OS drive the authentication as long as the OS is operational, and to limit its own active authentication mode to those states in which the host OS is nonoperational. The host OS is nonoperational either because the system is in a low-power state or because the OS has malfunctioned. We have devised a synchronization algorithm that allows the Intel ME to detect those nonfunctional OS states and to limit its 802.1x authentications to those states. Figure 2 illustrates the synchronization state machine implemented for the Intel Embedded Trust Agent by platforms enabled with Intel vPro technology.

[Figure 2 image not reproduced]

Figure 2: Host OS—Intel® ME 802.1x synchronization state machine

Note that the default mode for the Intel ME, following an initial link-up event, is to allow the host OS to perform the authentication. The Intel ME proactively initiates 802.1x authentication requests through the Intel Embedded Trust Agent (Active Mode) only when it detects an 802.1x authentication failure for the host OS. The Intel ME has access to Ethernet packet filters (system defense filters) [23] in the chipset, which it uses to perform 802.1x authentication exclusively during its Active Mode.

We now examine how the Intel Embedded Trust Agent detects host OS 802.1x authentication failures. As described in the Intel AMT specification [23], the Intel ME has direct access to the platform LAN controller (LOM) and is able to record and track the Ethernet packets sent or received by the host OS. Platforms enabled with Intel vPro technology use this fundamental capability to track 802.1x protocol messages and, specifically, to detect the EAP Success and EAP Failure messages sent by the authenticator. Moreover, the transmission of IP traffic (that is, DHCP requests/responses) serves as an indication to the Intel ME that the system is connected to a non-802.1x-enabled network.
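The synchronization logic described in this section (host OS drives authentication by default after link-up, the ME switches to Active Mode on an observed EAP Failure or a nonoperational host, and IP/DHCP traffic without any 802.1x exchange marks a non-802.1x network), as an added illustrative Python reconstruction; this is not Intel's firmware code and not the state machine of Figure 2. The EAPOL and IPv4/UDP field offsets are the standard ones, while the state names, transition rules, and sample frames are assumptions made for the example.

```python
import struct
from enum import Enum

ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800
EAP_SUCCESS, EAP_FAILURE = 3, 4        # EAP codes inside an EAPOL EAP-Packet (EAPOL type 0)
DHCP_PORTS = {67, 68}

class MeState(Enum):                    # assumed state names, not Intel's
    PASSIVE = "host OS drives 802.1x"   # default after link-up
    ACTIVE = "Intel ME drives 802.1x"   # host OS failed to authenticate or is nonoperational
    NO_DOT1X = "non-802.1x network"     # IP/DHCP traffic seen before any 802.1x success

def classify_frame(frame: bytes) -> str:  # 'eap_success', 'eap_failure', 'dhcp' or 'other'
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_EAPOL and len(frame) >= 22 and frame[15] == 0:
        return {EAP_SUCCESS: "eap_success", EAP_FAILURE: "eap_failure"}.get(frame[18], "other")
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[23] == 17:  # IPv4 carrying UDP
        off = 14 + (frame[14] & 0x0F) * 4                                      # start of UDP header
        if len(frame) >= off + 4 and DHCP_PORTS & set(struct.unpack("!HH", frame[off:off + 4])):
            return "dhcp"
    return "other"

class SyncStateMachine:  # hypothetical reconstruction of the host OS / Intel ME synchronization
    def __init__(self):
        self.state, self.host_operational, self.port_open = None, True, False
    def link_up(self):   # after link-up the host OS supplicant gets the first attempt
        self.state, self.port_open = MeState.PASSIVE, False
    def host_power(self, operational: bool):  # low-power state or OS crash vs. resume
        self.host_operational = operational
        if not operational:                   # only then may the ME authenticate on its own
            self.state = MeState.ACTIVE
        elif self.state is MeState.ACTIVE:    # host OS back: hand 802.1x back to its supplicant
            self.state = MeState.PASSIVE
    def observe(self, frame: bytes) -> MeState:  # ME snoops frames the host sends or receives
        kind = classify_frame(frame)
        if kind == "eap_success":          # shared L2/L3 identity: the open port serves both entities
            self.port_open = True
        elif kind == "eap_failure" and self.state is MeState.PASSIVE:
            self.state = MeState.ACTIVE    # host OS failed: Embedded Trust Agent authenticates
        elif kind == "dhcp" and self.state is MeState.PASSIVE and not self.port_open:
            self.state = MeState.NO_DOT1X  # IP traffic without 802.1x: non-802.1x network
        return self.state

def eap_frame(code: int) -> bytes:  # constructed EAPOL frame (authenticator -> supplicant)
    return b"\x00" * 12 + struct.pack("!HBBHBBH", ETHERTYPE_EAPOL, 1, 0, 4, code, 1, 4)
def dhcp_frame() -> bytes:          # constructed IPv4/UDP frame, DHCP client port 68 -> server port 67
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 0, 0, 64, 17, 0) + b"\x00" * 8
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + struct.pack("!HHHH", 68, 67, 8, 0)
```

Feeding `eap_frame(EAP_FAILURE)` to a freshly linked-up machine moves it to Active Mode, while `dhcp_frame()` before any EAP Success marks the network as non-802.1x.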
