An Introduction to Intel® Active Management Technology Wireless Connections

Introduction to Intel® Active Management Technology Wireless

With the introduction of wireless-only platforms starting with Intel Active Management Technology (Intel® AMT) 10, it is even more important for an ISV to integrate support for wireless management of AMT devices.

The wireless feature of Intel AMT is just like any wireless connection; it is not an automatic initial connection process. However, there are several major differences between wired and wireless Intel AMT communication, including the following:

  • Wireless Intel AMT interfaces are disabled by default and must be enabled and configured with a wireless profile (friendly name, SSID, passwords, encryption, and authentication at a minimum) which is pushed to the client using one of several methods.
  • Where a wired interface is shared by the host OS and Intel AMT (two different IP addresses), the wireless interface is assigned only one IP address, which must come from DHCP, and is controlled by the OS unless the host is deemed unavailable, in which case control is given to the Intel AMT firmware.

This article will address the Intel AMT wireless configuration and describe how to handle the various aspects that are important for a clean integration.

Intel AMT Wireless Support Progression for Intel AMT 2.5 through 11

  • Intel AMT 2.5 and 2.6: Wireless is supported only when the OS is in a powered-on state (S0).
  • Intel AMT 4.0: Wireless is supported in all sleep states (Sx) but depends on configuration settings (Note: Intel AMT 5.0 did not support wireless).
  • Intel AMT 6: Syncs Intel AMT and host OS wireless profiles.
  • Intel AMT 7.0: Wireless is supported and host-based configuration is available; however, remote configuration is not available over wireless.
  • Intel AMT 9.5: First release to support wireless-only platforms. USB provisioning is not supported on these devices.

Understanding Intel AMT Wireless Connection Requirements

The connection parameters for an Intel AMT wireless device closely resemble those required for the Host OS connection. The firmware requires information including SSID, the authentication method, encryption type, and passphrase at a minimum. In more advanced connections, 802.1x profile information is also required.

All these settings are wrapped into a profile, which is treated as either an Admin or a User profile and saved within the Intel AMT firmware. The Admin or IT profiles are added to the firmware using Intel AMT APIs; see the list of configuration methods below. User profiles cannot be added to the MEBx via an Intel AMT API; they are created using the Intel AMT WebUI or with profile syncing using the Intel® PROSet wireless drivers.

The Intel AMT firmware holds a maximum of 16 profiles in total, Admin and User combined, of which a maximum of 8 can be user profiles. With the ninth user profile, the oldest user profile is overwritten.

Key Differences between Wired and Wireless Intel AMT Support

  • Default state. The wireless management interface is initially disabled and must be enabled in addition to creating and deploying the wireless profile. In contrast, wired connections are on by default.
  • Network type. Only infrastructure network types are supported by Intel AMT, not ad hoc or peer-to-peer networks.
  • DHCP dependence. While wired Intel AMT connections support either DHCP or static IP assignment, a wireless AMT connection requires DHCP and shares its IP address with the host OS.
  • Power state limitations. Wireless AMT is only available when the system is plugged into AC power and in the S0 or S5 state.
  • Microsoft Active Directory* integration. 802.1x wireless authentication requires Active Directory integration with the Intel® Setup and Configuration Software (Intel® SCS).
  • OS control of packets. On the wireless connection, all traffic goes directly to the OS (which can then forward it to Intel AMT), unless the OS is off, failed, or in a sleep state. In those cases manageability traffic goes directly to Intel AMT, which means that when the host returns to S0 or the driver is restarted, Intel AMT must return control to the host, or the host will not have wireless connectivity. This affects remote connections to Intel AMT, including IDE-R and KVM. See the Link Preference details below (added in 6.0 and automated in 8.1).
  • Wired-only Intel AMT features are not supported on wireless-only platforms: Heuristic Policies, Auto-Synch of IP Addresses, Local Setup Directly to Admin Control Mode, 802.1x Profile Configuration.

Configuration Methods

Basic configuration of wireless for Intel AMT is covered in the article: Intel® vPro™ Setup and Configuration Integration, but here is additional information specific to wireless setup.

Wireless profiles can be placed in the Intel AMT firmware in several ways. However, any system that is wireless only (no RJ45 connector) cannot be provisioned by a USB key.

  • Initial Intel AMT configuration
    • Profile type: Admin or Client, basic or advanced 802.1x
    • Tools available: Acuconfig, ACUWizard or Intel SCS
  • Intel AMT WebUI
    • Profile type: User, basic only.
    • Tool used: For web browser, use http://<IPorFQDNofDevice>:16992, or for TLS use https://<FQDNofDevice>:16993

  • Delta configuration
    • Profile type: Admin for reconfiguring specific settings only
    • Tools available: Acuconfig, ACU Wizard, or Intel SCS
  • Wi-Fi profile syncing (Intel AMT 6.0 and later)
    • Profile type: User
    • Requires Intel® PROSet wireless drivers and the Intel® AMT Local Manageability Service (LMS)
    • Enables or disables synced OS and AMT wireless profiles (during configuration).
  • WS-Management
    • Profile type: Admin
    • Tools: Intel® vPro PowerShell module, WirelessConfiguration.exe, WS-Man custom using CIM_elements

Connection Types - Authentication/Encryption

Intel AMT supports several authentication and encryption types for wireless connections.

  • User profiles can be configured with WEP or no encryption.
  • Admin profiles must be TKIP or CCMP with WPA or higher security.
  • 802.1x profiles are not automatically synchronized by the Intel PROSet wireless driver.

Table 1 shows the possible security settings for Intel AMT wireless profiles.

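| Authentication | None | WEP | TKIP | CCMP |
| Open System | X | X | | |
| Shared Key | X | X | | |
| Wi-Fi* Protected Access (WPA) Pre-Shared Key (PSK) | | | X | X |
| WPA IEEE 802.1X | | | X | X |
| WPA2 PSK | | | X | X |
| WPA2 IEEE 802.1X | | | X | X |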

Table 1: Security settings for Intel® Active Management Technology wireless profiles.
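The profile rules stated above (the Table 1 combinations, the Admin-profile minimum, and the 16/8 storage limits from the requirements section) can be modelled for auditing a profile inventory before deployment. This is an added Python example, not Intel code, and it does not talk to firmware; the lowercase method names, the `ProfileStore` class, and the reject-when-full behaviour are assumptions.

```python
from collections import deque

# Table 1: authentication method -> encryption types the article lists for it.
TABLE_1 = {
    "open": {"none", "wep"},
    "shared-key": {"none", "wep"},
    "wpa-psk": {"tkip", "ccmp"},
    "wpa-802.1x": {"tkip", "ccmp"},
    "wpa2-psk": {"tkip", "ccmp"},
    "wpa2-802.1x": {"tkip", "ccmp"},
}
MAX_TOTAL, MAX_USER = 16, 8

def check_profile(kind, auth, enc):
    """Return the rule violations for one profile (empty list means valid)."""
    problems = []
    if enc not in TABLE_1.get(auth, set()):
        problems.append(f"{auth}/{enc} is not a Table 1 combination")
    # Admin profiles must be TKIP or CCMP with WPA or higher.
    if kind == "admin" and not (auth.startswith("wpa") and enc in {"tkip", "ccmp"}):
        problems.append("admin profile needs WPA or higher with TKIP or CCMP")
    return problems

class ProfileStore:
    """Model of the firmware profile table (16 total, at most 8 user)."""
    def __init__(self):
        self.admin = []
        self.user = deque()  # oldest user profile on the left

    def add(self, name, kind, auth, enc):
        """Store a profile; return the name of an overwritten profile, if any."""
        problems = check_profile(kind, auth, enc)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        if kind == "user" and len(self.user) == MAX_USER:
            evicted = self.user.popleft()  # ninth user profile overwrites oldest
            self.user.append(name)
            return evicted
        if len(self.admin) + len(self.user) >= MAX_TOTAL:
            # Assumption: the article does not say what happens here; reject.
            raise OverflowError(f"{name}: profile table is full")
        (self.admin if kind == "admin" else self.user).append(name)
        return None

def weak_user_profiles(profiles):
    """Names of user profiles using WEP or no encryption (allowed, but weak)."""
    return [name for name, kind, _auth, enc in profiles
            if kind == "user" and enc in {"none", "wep"}]
```

Running `weak_user_profiles` over an exported inventory shows which synced or WebUI-created user profiles would let the firmware join a network with WEP or no encryption.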

Settings to Ensure Connectivity during Remote Connection

Link Control and Preference

In a typical Intel AMT remote power management command, the Intel AMT system is rebooted immediately. With a wireless KVM session, the session is dropped because control of the WLAN interface is not passed to the firmware. Because control is not handed from the OS to the firmware, it can take up to two minutes for the Intel AMT wireless connection to be reestablished.

To prevent this connectivity loss, the preferred method is to programmatically perform the change of link control prior to making the power control request.

For additional information, see my blogs: KVM and Link Control, and the more general Link Preference and Control.

TCP Time Outs

During changes to link control and during power transitions, wireless connectivity is temporarily down. If the outage lasts too long, sessions created using the redirection library are terminated because the Hb setting within the redirection library is exceeded (see Table 2).

| Time-out | Default value | Suggested value |
| Hb (client heartbeat interval) | 5 seconds | 7.5 seconds |
| RX (client receive) | 2 x Hb | 3 x Hb |

Table 2: TCP default and suggested changes.

Currently, the default session time-out setting works most of the time. However, we now recommend changing the Hb interval and the client receive interval by adding parameters during calls to the redirection library. These time-out values need to apply to both the IDER TCP and SOL TCP sessions. For additional information, see IMR_IDEROpenTCPSession or IMR_SOLOpenTCPSessionEx.

Wireless Link Policy

Another aspect is the wireless power policy of the firmware. This policy governs power control in different sleep states. The allowable values are: Disable, EnableS0, and EnableS0AndSxAC. These settings are usually set during configuration. However, identifying whether an Intel AMT client will be able to maintain connectivity after a reboot or power-down helps set technician expectations of client behavior.

To query the Wi-Fi Link policy, use the HLAPI.Wireless.WiFiLinkPolicy enumeration.

To set the Wi-Fi Link policy, use the HLAPI.Wireless.IWireless.SetWiFiLinkPolicy method of the Intel AMT HLAPI.

Summary

Intel AMT wireless functionality may be called a feature, but this feature should be a cornerstone for any integration of Intel AMT functionality into a console application. Without this integration, many devices will not be manageable following the introduction of wireless-only platforms with Intel AMT version 10.

A successful basic integration is composed of several factors: Intel AMT wireless configuration, connection verification for wired or wireless, and wireless link control operations.

About the Author

Joe Oster has been working with Intel® vPro™ technology and Intel AMT technology since 2006. When not working, he spends time working on his family’s farm or flying drones and RC aircraft.
