Configuring Intel AMT to Generate Postures

Intel AMT uses the EndpointAccessControlAdminService to enable posture generation (See Endpoint Access Control (EAC)). In addition, methods from the SecurityAdministrationService are required to install the certificate and key used to sign the posture. See Certificate Management for use cases for adding keys and certificates.

Note:

Beginning in Intel AMT Release 9.0, NAC is no longer supported.

Add a Certificate and Key

To add the certificate and key required to sign a posture, use the following flows:

   Add a certificate. The method returns a handle that will be required later.

   Add a key pair

Set the Posture Signer

Associate a certificate with the posture signing mechanism. Use the handle returned when the certificate was added.

Set the EAC Options

In Intel AMT Release 4.0 and later releases, the Set EAC Options process defines the format of the active mode posture and selects the hash algorithm used in creating the signature field. The EacVendors parameter in this command should be set to EAC_NAC.

Enable EAC

Invoke Enable EAC to enable the Intel AMT device to respond to GetPosture requests coming from the local interface.

Configure to Use 802.1x

When the host processor is in an Sx state (a sleep state or powered down), Intel AMT can still respond to posture requests in a networking environment based on NAC (see Active/Passive Mode). This requires an 802.1x profile that uses the EAP-FAST protocol. Perform the following steps:

1.  Add a certificate to use as the 802.1x client certificate.

2.  Add a key pair corresponding to this certificate.

3.  Add the trusted root certificate for the ACS platform.

4.  Define an 802.1x profile that uses EAP-FAST and activate the profile. Use the handles returned in steps 1 and 2.

5.  If a different certificate will be used for signing profiles, add the certificate and keys.

6.  Set the posture signer certificate (either the one just added, or the same certificate used for 802.1x).

7.  Enable EAC.

Copyright © 2006-2022, Intel Corporation. All rights reserved.