Configure OSD with 802.1x authentication

Many organisations are moving from unprotected networks to ones that require port authentication using technology such as 802.1x. Unfortunately, SCCM does not currently natively support 802.1x authentication for either PXE boot or boot from USB, so the following post details the additional configuration that was completed in order to successfully deploy a machine situated on the protected network.

This deployment is a multi-stage configuration, comprising:

  1. Configure the ISE
  2. Initial 802.1x configuration to allow the task sequence to be discovered
  3. A profile configuration on ISE to allow the new devices to connect
  4. Unattend file reconfiguration to allow Windows, once installed, to discover the network

Cisco ISE Configuration

The first stage is to create an access profile for the authentication. It is recommended to only allow access to the areas required to start the process and deploy the machine, which are:

  1. Internal certificate authority servers
  2. Domain Controllers
  3. System Center Configuration Manager (the site systems the task sequence contacts)

Using the following task list, create an authorization policy:

  1. Log into ISE as an account with enough privileges to create profiles.
  2. Navigate to Work Centres > Network Access > Policy Sets.
  3. Click the > icon on the wired access policy set.
  4. Expand Authorisation Policy.
  5. Navigate to the line above where you want the policy to be applied.
  6. Create a new policy. For network access results in security groups, choose Create a New Security Group and, when the Create New Security Group screen opens, perform the following steps:
    • Enter a name and description (optional) for the new security group.
    • Check the Propagate to ACI check box if you want to propagate this SGT to ACI. The SXP mappings that are related to this SGT will be propagated to ACI only if they belong to a VPN that is selected in the ACI Settings page. This option is disabled by default.
    • Enter a Tag Value. The tag value can be entered manually or autogenerated, and a range can be reserved for the SGT from the General TrustSec Settings page (Work Centers > TrustSec > Settings > General TrustSec Settings).
    • Click Submit. For more information, see the Cisco ISE Security Groups Configuration documentation.
    • Ensure the security group restricts access only to the servers that are required (the CA, domain controllers and Configuration Manager listed above). This matters because the machine certificate that authenticates the build is embedded in the boot media later in this process; limiting what that credential can reach limits what a copied image can reach.

Initial 802.1x Configuration

To perform the initial 802.1x based configuration within a PXE environment, a pre-start batch file was created to:

  1. Set Wired Autoconfig (dot3svc) service startup to Auto
  2. Start Wired Autoconfig
  3. Import Configuration Profile
  4. Import Certificates
  5. Force adapter authentication event

To facilitate this, the following needed to be created:

  1. LAN Configuration Profile
  2. Prepare Certificates
  3. Create the deployment script
  4. OSD Injection
  5. Create a boot image
  6. Configure a task sequence for 802.1x

The section below shows how this was achieved, to allow updates to be carried out should they be required:

LAN Configuration Profile

To complete this process, the following is required:

  1. Locate, and use, a clean machine that doesn't have IEEE 802.1x policies applied (for example via Group Policy); otherwise the exported profile will reflect the policy rather than the settings configured here.
  2. In Windows, open the Network Connections pane in the Control Panel.
  3. Right-click the adapter, select Properties, then click on the Authentication tab.
  4. Configure the authentication settings. The example profile exported below has "Enable IEEE 802.1X authentication" ticked, "Microsoft: Protected EAP (PEAP)" as the network authentication method with "Smart Card or other certificate" (EAP-TLS) as its inner method, and "Computer authentication" selected as the authentication mode under Additional Settings. Note that in this example "Verify the server's identity by validating the certificate" is not ticked, which is why PerformServerValidation is false in the XML; a supplicant configured this way will present its certificate to any RADIUS server that answers, so enable server validation (and name the ISE servers) where your environment allows.
  5. Click OK on each window until the properties are closed.
  6. Open an administrative command prompt, and run "netsh lan show interfaces". The output shows that the 802.1x configuration is applied but the adapter is unable to authenticate (this machine is not on an 802.1x network).
  7. Take note of the interface name that was configured. In this example, it is "Ethernet".
  8. Run "netsh lan export profile folder=.\ interface="Ethernet"", where Ethernet is the name of the adapter recorded in the previous step. This exports the profile as an XML file.

Once completed, an XML file will exist containing all the settings previously configured. Save this as "InterfaceProfile.xml".

The below shows the configuration for the example given above:

<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
	<MSM>
		<security>
			<OneXEnforced>false</OneXEnforced>
			<OneXEnabled>true</OneXEnabled>
			<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
				<authMode>machine</authMode>
				<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
			</OneX>
		</security>
	</MSM>
</LANProfile>
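The elements in the exported profile that decide whether the supplicant checks who it is talking to are PerformServerValidation (PEAP and inner EAP-TLS), ServerNames, DisableUserPromptForServerValidation and RequireCryptoBinding, and the profile above has all of them off or empty. The PowerShell below is an added example, not code from the original post: Test-OneXProfile reports those settings for an exported LANProfile, and Set-OneXServerValidation writes a hardened copy that validates the RADIUS server certificate, restricts the accepted server names, pins the issuing root CA and fails closed instead of prompting (there is nobody to answer a prompt in WinPE or the specialize pass). The server name, file paths and the trimmed sample profile are constructed for the example; the thumbprint is the root one from the export steps.

```powershell
# Added example (not from the original post): audit an exported 802.1x LAN profile
# for server-validation settings and write a hardened copy.
# Server names, output paths and the trimmed sample XML below are placeholders.

function Test-OneXProfile {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $onex = $doc.LANProfile.MSM.security.OneX
    $peap = $onex.EAPConfig.EapHostConfig.Config.Eap   # outer method, Type 25 = PEAP
    $tls  = $peap.EapType.Eap                           # inner method, Type 13 = EAP-TLS
    $findings = New-Object System.Collections.Generic.List[string]

    if ($onex.authMode -ne 'machine') { $findings.Add("authMode '$($onex.authMode)': WinPE and the specialize pass have no logged-on user, so machine auth is required") }
    if ($peap.Type -ne '25') { $findings.Add("outer EAP type $($peap.Type), expected 25 (PEAP)") }
    if ($tls.Type  -ne '13') { $findings.Add("inner EAP type $($tls.Type), expected 13 (EAP-TLS)") }
    # With validation off the client presents its certificate to any RADIUS server that
    # answers on the wire, including a rogue one plugged into the same segment.
    if ($peap.EapType.PeapExtensions.PerformServerValidation -ne 'true') { $findings.Add('PEAP PerformServerValidation=false: RADIUS server certificate is not checked') }
    if ($tls.EapType.PerformServerValidation -ne 'true') { $findings.Add('EAP-TLS PerformServerValidation=false: inner method does not check the server either') }
    if ([string]::IsNullOrWhiteSpace($peap.EapType.ServerValidation.ServerNames)) { $findings.Add('ServerNames empty: any subject name on the server certificate is accepted') }
    if ($peap.EapType.ServerValidation.DisableUserPromptForServerValidation -ne 'true') { $findings.Add('DisableUserPromptForServerValidation=false: an untrusted server raises a prompt nothing in WinPE can answer; set true so it fails closed') }
    if ($peap.EapType.RequireCryptoBinding -ne 'true') { $findings.Add('RequireCryptoBinding=false: PEAP crypto-binding between inner and outer method is not enforced') }
    return $findings
}

function Set-OneXServerValidation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][string]$ServerNames,      # e.g. 'ise01.corp.example;ise02.corp.example' (assumed names)
        [Parameter(Mandatory)][string]$RootCaThumbprint  # SHA-1 thumbprint of root.cer
    )
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $peap = $doc.LANProfile.MSM.security.OneX.EAPConfig.EapHostConfig.Config.Eap
    $tls  = $peap.EapType.Eap
    # netsh writes pinned CA thumbprints as space-separated lower-case byte pairs
    $pin = (($RootCaThumbprint -replace '\s', '').ToLower() -replace '(..)', '$1 ').TrimEnd()
    foreach ($sv in @($peap.EapType.ServerValidation, $tls.EapType.ServerValidation)) {
        $sv.DisableUserPromptForServerValidation = 'true'   # untrusted server = fail, never prompt
        $sv.ServerNames = $ServerNames
        $pinNode = $doc.CreateElement('TrustedRootCA', $sv.NamespaceURI)  # schema order: after ServerNames
        $pinNode.InnerText = $pin
        [void]$sv.AppendChild($pinNode)
    }
    $peap.EapType.PeapExtensions.PerformServerValidation = 'true'
    $tls.EapType.PerformServerValidation = 'true'
    $peap.EapType.RequireCryptoBinding = 'true'
    $doc.Save($OutPath)
}

# Constructed sample: the profile exported above, trimmed to the elements used here.
$sample = @'
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1"><MSM><security>
<OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode>
<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
<Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>
<FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
<ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
</EapType></Eap>
<EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></LANProfile>
'@
$in  = Join-Path $env:TEMP 'InterfaceProfile.xml'
$out = Join-Path $env:TEMP 'InterfaceProfile-hardened.xml'
Set-Content -LiteralPath $in -Value $sample -Encoding UTF8
Test-OneXProfile -Path $in    # five findings for the profile as exported above
Set-OneXServerValidation -Path $in -OutPath $out -ServerNames 'ise01.corp.example' -RootCaThumbprint '6E9506C5517FF7B630EAC3CCDCE9C72CFDEF8620'
Test-OneXProfile -Path $out   # no findings
```

Import the hardened file with the same "netsh lan add profile" command the batch script uses; if authentication then fails where the unvalidated profile worked, the RADIUS server certificate does not chain to root.cer or its subject does not match ServerNames, which is exactly the condition the check exists to catch.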

Prepare Certificates

This will need to be redone under the following situations:

  1. The root certificate is updated
  2. The intermediate certificates are updated
  3. The machine certificate expires

On a machine that is AUTHENTICATED to the 802.1x domain, run the following:

  1. Root CA certificate export. Open an administrative PowerShell session, and run:

Get-ChildItem -Path Cert:\LocalMachine\Root

to identify which root certificate you need to export, and note its thumbprint. Once identified, run the following to export the root certificate to a CER file (the thumbprint below is the one from the example environment; substitute your own):

$rootcert = Get-ChildItem -Path Cert:\LocalMachine\Root\6E9506C5517FF7B630EAC3CCDCE9C72CFDEF8620
Export-Certificate -Cert $rootcert -FilePath .\root.cer

  2. Intermediate CA certificate export. Open an administrative PowerShell session, and run:

Get-ChildItem -Path Cert:\LocalMachine\CA

to identify which intermediate certificate you need to export, and note its thumbprint. Once identified, run the following to export the certificate to a CER file. Note that the path is the CA (intermediate) store, not Root, and the thumbprint is the intermediate certificate's own, not the root thumbprint used above:

$intcert = Get-ChildItem -Path Cert:\LocalMachine\CA\<intermediate thumbprint>
Export-Certificate -Cert $intcert -FilePath .\intermediate.cer

  3. Machine certificate export. Open an administrative PowerShell session, and run:

Get-ChildItem -Path Cert:\LocalMachine\My

to identify which machine certificate you need to export, and note its thumbprint. This one is exported together with its private key as a password-protected PFX, so the private key must have been marked exportable when the certificate was issued:

$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Export-PfxCertificate -Cert Cert:\LocalMachine\My\DCFC5EA138BCA5E5DDD2B22A4E86704CFA0E0EC8 -FilePath .\endpoint.pfx -ChainOption EndEntityCertOnly -NoProperties -Password $mypwd

Be aware that this PFX, together with its password (which the batch script below carries in plain text), ends up in the boot image and in a Configuration Manager package. Anyone who obtains the boot media or the package content holds a valid 802.1x machine credential, which is why the ISE authorisation profile above should only reach the CA, domain controllers and Configuration Manager, and why a dedicated certificate issued for this purpose, with a short lifetime, is preferable to a production workstation's certificate.
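Copying thumbprints by hand is how the intermediate export above ended up pointing at the Root store, and the same three exports have to be repeated every time a certificate in the chain is renewed. As an added example that is not part of the original post, the PowerShell below selects the machine's client-authentication certificate, walks its chain to find the root and intermediates, writes root.cer, intermediate.cer and endpoint.pfx in the layout the batch script expects, and warns when the bundle is about to stop working. It assumes the machine certificate carries the Client Authentication EKU and an exportable private key; the output folder and password are placeholders.

```powershell
# Added example (not from the original post): export the 802.1x certificate chain
# as root.cer / intermediate.cer / endpoint.pfx by walking the chain instead of
# copying thumbprints, and report when the bundle will expire.
# Assumes a machine certificate with the Client Authentication EKU and an
# exportable private key; output folder and password are placeholders.

function Export-OneXCertBundle {
    param(
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][SecureString]$PfxPassword,
        [int]$WarnDays = 30
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    # Newest machine certificate that has a private key and is usable for client auth
    $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and (@($ekus | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }) -contains $clientAuthOid)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) { throw 'No machine certificate with a private key and the Client Authentication EKU found in LocalMachine\My' }

    # Build the chain from the local stores; revocation is irrelevant for ordering the chain
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        throw "Chain for $($leaf.Thumbprint) does not build: " + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
    }
    $certs = @($chain.ChainElements | ForEach-Object Certificate)   # [0] = leaf ... [-1] = root
    if ($certs.Count -lt 2) { throw 'Leaf is self-signed; there is no CA chain to export' }

    Export-Certificate -Cert $certs[-1] -FilePath (Join-Path $OutDir 'root.cer') -Type CERT | Out-Null
    # certutil -addstore takes one certificate per file: the first intermediate becomes
    # intermediate.cer; any further ones become intermediate2.cer, intermediate3.cer ...
    # and each needs its own -addstore CA line in the batch script.
    for ($i = 1; $i -lt $certs.Count - 1; $i++) {
        $name = if ($i -eq 1) { 'intermediate.cer' } else { "intermediate$i.cer" }
        Export-Certificate -Cert $certs[$i] -FilePath (Join-Path $OutDir $name) -Type CERT | Out-Null
    }
    Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $OutDir 'endpoint.pfx') `
        -ChainOption EndEntityCertOnly -NoProperties -Password $PfxPassword | Out-Null

    # The bundle is only good until the first certificate in the chain expires
    $earliest = $certs | Sort-Object NotAfter | Select-Object -First 1
    $daysLeft = [int]($earliest.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "$($earliest.Subject) expires in $daysLeft days: rebuild the bundle and update the boot image before then"
    }

    [pscustomobject]@{
        Leaf            = $leaf.Thumbprint
        Root            = $certs[-1].Thumbprint
        Intermediates   = $certs.Count - 2
        DaysUntilExpiry = $daysLeft
        OutDir          = $OutDir
    }
}

# Usage. The password only guards the PFX file format; whoever holds the boot image
# also holds the batch script that contains it, so protect the image, not just the PFX.
$pfxPwd = ConvertTo-SecureString -String '1234' -Force -AsPlainText
Export-OneXCertBundle -OutDir (Join-Path $env:TEMP 'OneXBundle') -PfxPassword $pfxPwd
```

Running this on a schedule (or as a pre-step of the boot image build) against the dedicated build certificate gives the "redo under the following situations" list above a trigger: the DaysUntilExpiry value tells you when the next rebuild is due before a machine fails to authenticate at the switch.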

Create the deployment script

The following code details the batch file that was created for this purpose. It relies on the XML profile and certificates created above sitting in the same folder as the script (it references them via %~dp0), and is used both as the WinPE prestart command and, later, from unattend.xml in the specialize pass.


@Echo off

REM Set the Wired AutoConfig service to start automatically and start it.
REM In WinPE this needs the WinPE-Dot3Svc optional component in the boot image.
sc config dot3svc start= auto
Net Start dot3svc

REM Import the root and intermediate CA certificates so the RADIUS server chain is trusted
echo Applying Certificates
certutil.exe -addstore Root "%~dp0root.cer"
certutil.exe -addstore CA "%~dp0intermediate.cer"

REM Import the machine certificate and private key. The password must match the one
REM used with Export-PfxCertificate; it sits here in plain text, so the boot image and
REM the package carrying this script are credentials and must be protected as such.
certutil.exe -f -p "1234" -importPFX "%~dp0endpoint.pfx"

REM Import the computer authentication profile to all LAN interfaces
echo Configuring Interface Profiles
netsh lan add profile filename="%~dp0InterfaceProfile.xml" interface=*

REM Force all interfaces to reconnect
echo Reconnecting Interfaces
netsh lan reconnect interface=*

REM Discover the interface names, then disable and re-enable each one to trigger a
REM fresh 802.1x exchange. The names are read straight from netsh rather than via a
REM file on C:, which may not exist yet in WinPE.
echo Discovering, disabling then enabling interfaces
FOR /F "tokens=1,* delims=:" %%G IN ('netsh lan show interfaces ^| findstr "Name"') DO (
    REM the inner FOR strips the space that follows the colon in "Name : Ethernet"
    FOR /F "tokens=*" %%I IN ("%%H") DO (
        netsh interface set interface name="%%I" admin=DISABLED
        netsh interface set interface name="%%I" admin=ENABLED
    )
)

REM Pause for roughly 30 seconds to allow the adapter to authenticate
echo Wait 30 seconds...
ping localhost -n 30 >nul

REM Show the interface state (expect "Connected. Authentication succeeded.") and the applied profile
netsh lan show interfaces
netsh lan show profiles

OSD Injection

Once this point is reached, the following files should be available:

  1. Configure802-1x.cmd (the above batch script)
  2. Endpoint.pfx (the machine certificate exported with private key)
  3. InterfaceProfile.xml (the 802.1x authentication profile for the network adapter)
  4. Intermediate.cer (the environments intermediate certificate)
  5. Root.cer (the environments root certificate)

The files will now be injected into the boot image using the OSDInjection.XML method.

You can find your OSDInjection.XML on your ConfigMgr primary server under [SCCM Install directory]\bin\x64\OSDInjection.XML. This file is a manifest that SCCM uses to inject specific files into your boot image. There are several sections in the XML, so be sure to make your entries in the correct location.

To configure this, the following actions are required:

  1. Create a new folder named Custom under [SCCM Install directory]\OSD, with a Certs subfolder beneath it.
  2. Copy Configure802-1x.cmd and InterfaceProfile.xml into Custom, and endpoint.pfx, intermediate.cer and root.cer into Custom\Certs, matching the Source paths in the entries below. All five entries share the same Destination so that the batch file's %~dp0 references resolve inside the boot image.
  3. Navigate to the OSDInjection.xml file and take a backup copy of it.
  4. Edit the file, adding the following entries for the files mentioned above:
<File name="Configure802-1x.cmd">
	<LocaleNeeded>false</LocaleNeeded>
	<Source>Custom</Source>
	<Destination>Custom</Destination>
</File>
<File name="InterfaceProfile.xml">
	<LocaleNeeded>false</LocaleNeeded>
	<Source>Custom</Source>
	<Destination>Custom</Destination>
</File>
<File name="endpoint.pfx">
	<LocaleNeeded>false</LocaleNeeded>
	<Source>Custom\Certs</Source>
	<Destination>Custom</Destination>
</File>
<File name="intermediate.cer">
	<LocaleNeeded>false</LocaleNeeded>
	<Source>Custom\Certs</Source>
	<Destination>Custom</Destination>
</File>
<File name="root.cer">
	<LocaleNeeded>false</LocaleNeeded>
	<Source>Custom\Certs</Source>
	<Destination>Custom</Destination>
</File>

  5. These entries need to go in the required location under Injection Files -> Architecture (either x86, x64 or both) -> Filelist (source="SCCM"). Configuration Manager reads this manifest when a boot image is updated, so the files only appear in the boot image after the update performed in the boot image steps below; site upgrades may overwrite the file, so keep a copy of the entries.

Creating a deployment package for the required files

In order to use the created files during the Windows installation, the files are required to be added to a package for later use.

To do this, follow the below tasks:

  1. In the SCCM Configuration Manager console, navigate to Software Library, Packages and create a new package.
  2. Give the package a name; in this instance it is named OSD-802-Authentication.
  3. Enter the location of the files saved previously (where SCCM can access them), click Next.
  4. Select "Do not create a program", and click Summary, then Finish.

Creating the boot image

Once at this point, the boot image that will drive the deployment of machines can be created. To do this, perform the following in the SCCM Configuration Manager console:

  1. Navigate to Software Library, Operating Systems, Boot Images.
  2. Right click on "Boot Images" and select "Add Boot Image".
  3. Enter the path to your template WIM file and populate the general information.
  4. Select Next, then Summary to complete.
  5. Once complete, highlight the new boot image, right click and select Properties.
  6. Select Optional Components and add the following components:
    • WinPE-Dot3Svc (the Wired AutoConfig service; without it "netsh lan" and 802.1x do nothing in WinPE)
    • WinPE-DismCmdlets
    • WinPE-NetFx
    • WinPE-PowerShell
  7. Click OK to close the component list, then OK to save and close the properties.
  8. A prompt will appear asking whether to update the boot image on the distribution points; select Yes and wait for it to complete.
  9. Right click the boot image, and select Properties again.
  10. Navigate to the Customization tab.
  11. Tick the "Enable prestart command" box.
  12. Enter the prestart command details: the command line that runs Configure802-1x.cmd from the location the injection step placed it in.
  13. Select OK to close.
  14. Distribute the content, as required.

Configure a task sequence for 802.1x

It is recommended that, for testing, a new task sequence is configured to allow easy modification. To do this, complete the below steps in the SCCM Configuration Manager console:

  1. Navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Select an appropriate task sequence, then right click, and select Copy.
  3. Once created, edit the properties.
  4. Select Advanced, and change the boot image to the one created for 802.1x.

Once this is complete, the environment is in a position to test by booting from USB media written from an ISO. To do this, complete the below steps in the SCCM Configuration Manager console:

  1. Navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Highlight the authentication test task sequence, then select "Create Task Sequence Media".
  3. Select Bootable Media, click Next.
  4. Select Dynamic Media, click Next.
  5. Select CD/DVD set, then Browse, and navigate to the location to save the ISO file.
  6. On the Security page, consider ticking "Protect media with a password": the media carries endpoint.pfx and the batch script with its password, so the ISO is itself an 802.1x credential and should be handled as one. Select "Enable unknown computer support", then select Next.
  7. Select the required boot image, which was created earlier in this document.
  8. Although not strictly required, add in the same pre-start command that was set on the boot image, then click Next.
  9. Select Summary.
  10. Wait for completion.
  11. Write the ISO to USB as per normal process.

Once the USB is written, power up a machine that is connected to the 802.1x authenticated network. The standard OSD screen will appear. Select Next to move to the task sequence selection screen; the batch script created earlier should run, and once it completes the list of available task sequences will appear. To confirm the authentication has succeeded, if you have command prompt support enabled within the boot image, press F8 then type: netsh lan show interfaces

The state of the adapter should say “Connected. Authentication Succeeded”. This shows that 802.1x authentication has been enabled.
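The batch script above sleeps a fixed 30 seconds and the check here is done by eye, so a machine that fails authentication simply carries on into the task sequence with no network. As an added example that is not part of the original post, the PowerShell below parses the "netsh lan show interfaces" output into objects, decides success on the State field ("Connected. Authentication succeeded." on success; "Authentication failed" or "Disconnected" otherwise), and polls until an adapter authenticates or a timeout elapses, which is the condition a prestart or specialize step should fail on. It runs in WinPE because the boot image includes WinPE-PowerShell and WinPE-Dot3Svc. The sample output is constructed, not captured from the post's environment.

```powershell
# Added example (not from the original post): parse "netsh lan show interfaces"
# and wait for 802.1x to succeed instead of sleeping a fixed 30 seconds.
# Sample output at the bottom is constructed for the example.

function ConvertFrom-NetshLanInterfaces {
    param([Parameter(Mandatory)][string[]]$Lines)
    # netsh prints one "Key : Value" block per interface, starting with "Name"
    $result = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $key = $Matches.key; $value = $Matches.value.Trim()
            if ($key -eq 'Name') {
                if ($current) { $result += $current }
                $current = [ordered]@{ Name = $value }
            } elseif ($current) {
                $current[$key] = $value
            }
        }
    }
    if ($current) { $result += $current }
    return $result | ForEach-Object { [pscustomobject]$_ }
}

function Test-OneXAuthenticated {
    param([Parameter(Mandatory)]$Interface)
    # Only an explicit success counts; "Connected." on its own or "Authentication failed." does not
    return [bool]($Interface.State -match 'Authentication succeeded')
}

function Wait-OneXAuthenticated {
    param([int]$TimeoutSeconds = 60, [int]$PollSeconds = 2)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $ifs = ConvertFrom-NetshLanInterfaces -Lines (netsh lan show interfaces)
        $ok = @($ifs | Where-Object { Test-OneXAuthenticated $_ })
        if ($ok.Count -gt 0) { return $ok }        # first adapter that authenticated
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Fail closed: a prestart or specialize step should stop here rather than continue without network
    $states = ($ifs | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', '
    throw "No interface reached 'Authentication succeeded' within $TimeoutSeconds s: $states"
}

# Constructed sample output (two adapters, one authenticated, one unplugged)
$sample = @'
There are 2 interfaces on the system:

    Name             : Ethernet
    Description      : Intel(R) Ethernet Connection
    GUID             : 00000000-0000-0000-0000-000000000000
    Physical Address : 00-11-22-33-44-55
    State            : Connected. Authentication succeeded.

    Name             : Ethernet 2
    Description      : USB Ethernet
    GUID             : 00000000-0000-0000-0000-000000000001
    Physical Address : 00-11-22-33-44-56
    State            : Disconnected
'@ -split "`r?`n"

ConvertFrom-NetshLanInterfaces -Lines $sample |
    Select-Object Name, State, @{ n = 'Authenticated'; e = { Test-OneXAuthenticated $_ } }
# On a real machine: Wait-OneXAuthenticated -TimeoutSeconds 45
```

Replacing the "ping localhost -n 30" line in the batch file with a call to Wait-OneXAuthenticated (via powershell.exe -ExecutionPolicy Bypass -File) makes the prestart return a non-zero exit code when the switch never opens the port, which is far easier to diagnose than a task sequence that later fails to reach the management point.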

Unattend File

So far, this process only enables the pre-installation environment to access the 802.1x network. Once Windows is deployed, and the machine rebooted, these settings no longer apply.

To ensure Windows also continues to operate on the network, an unattend.xml file is required to deploy the configuration during the "4 specialize" pass.

To do this, the following tasks must be completed:

  1. Download the Windows ADK from: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install. This is version specific, so match it to the Windows build being deployed.
  2. Install "Windows System Image Manager" from the Windows ADK.
  3. Run WSIM.
  4. Select File -> Create New Answer File.
  5. A prompt asking to open a Windows image will appear; select Yes.
  6. Navigate to your WIM file, and select Open.
  7. If this is a multi-edition WIM, select the edition required.
  8. Generate a catalogue file if prompted.
  9. Once this completes, right click on "Components" in the Answer File column.
  10. Select "Insert Synchronous Command to Pass 4 specialize". A synchronous command makes setup wait for the profile and certificates to be in place before it continues.
  11. Enter "cmd /c C:\Temp\Configure802-1x.cmd" into the window, select OK. This populates the answer file with a RunSynchronousCommand entry in the specialize pass.
  12. Save the answer file as "unattend.xml".
  13. Copy the unattend.xml file somewhere SCCM can access it from.

Examining the XML file will show something similar to the below:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Path>cmd /c C:\Temp\Configure802-1x.cmd</Path>
                    <Description>Import Computer Auth Profile</Description>
                    <Order>2</Order>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>
</unattend>

Deployment Package

SCCM task sequences can apply an unattend.xml during the Apply Operating System step, provided the file is delivered as a package.

To do this, the below tasks must be carried out:

  1. In the SCCM Configuration Manager console, navigate to Software Library, Packages and create a new package.
  2. Give the package a name; in this instance it is named OSD-802-AuthUnattend.
  3. Enter the location of the unattend.xml saved previously (where SCCM can access it), click Next.
  4. Select "Do not create a program", and click Summary, then Finish.

Update the task sequence

Once the packages are created, the task sequence needs to be updated to include the unattend.xml file, as well as the files required to deploy 802.1x authentication (packaged previously in this document).

To do this, open the SCCM Configuration Manager console and perform the following:

  1. Edit the test task sequence, and locate the task which applies the operating system image.
  2. Select "Use an unattended or Sysprep answer file for a custom installation".
  3. Select Browse and navigate to the OSD-802-AuthUnattend package.
  4. Enter unattend.xml in File name.
  5. Click Apply.
  6. Add a new "Run Command Line" step after the OS image has been applied, but before the machine reboots into the new operating system.
  7. Tick Package, select Browse, and choose the OSD-802-Authentication package created earlier in this document.
  8. Under Command line, enter:
    xcopy.exe ".\*.*" c:\Temp\ /E /C /I /Q /H /R /Y /S
  9. Select OK to save and close.

The second package will copy the files:
  1. Configure802-1x.cmd (the above batch script)
  2. endpoint.pfx (the machine certificate exported with private key)
  3. InterfaceProfile.xml (the 802.1x authentication profile for the network adapter)
  4. intermediate.cer (the environment's intermediate certificate)
  5. root.cer (the environment's root certificate)
to the C:\Temp location on the OS boot drive. Change the path if you do not use C:\; because this step runs in WinPE, the newly applied OS volume may not be C: at that point, and the task sequence variable %OSDTargetSystemDrive% is a safer target than a hard-coded drive letter. This way, when the unattend.xml stage runs "cmd /c C:\Temp\Configure802-1x.cmd" the files will have been pre-staged into the correct location, allowing the 802.1x authentication to complete successfully. Note that endpoint.pfx and the batch file with its plain-text password remain on the deployed machine's disk afterwards; they should be removed as part of a tidy-up step once the machine has its own identity and certificate.

Once you get to this stage, everything should be in place to be able to run a task sequence over an 802.1x-authenticated network. This doesn't cover the tidy-up process, but, time pending, I'll create another post or extend this one to add it in.

Apart from that, good luck 🙂
