Intel AMT uses the EndpointAccessControlAdminService to enable posture generation (See Endpoint Access Control (EAC)). In addition, methods from the SecurityAdministrationService are required to install the certificate and key used to sign the posture. See Certificate Management for use cases for adding keys and certificates.
Beginning in Intel AMT Release 9.0, NAC is no longer supported.
Add a Certificate and Key
To add the certificate and key required to sign a posture, use the following flows:
• Add a certificate. The method returns a handle that will be required later.
Set the Posture Signer
Associate a certificate with the posture signing mechanism. Use the handle returned when the certificate was added.
Set the EAC Options
In Intel AMT Release 4.0 and later releases, the Set EAC Options process defines the format of the active mode posture and selects the hash algorithm used in creating the signature field. The EacVendors parameter in this command should be set to EAC_NAC.
Invoke Enable EAC to enable the Intel AMT device to respond to GetPosture requests coming from the local interface.
Configure to Use 802.1x
When the host processor is in an Sx state – a sleep state or powered down – Intel AMT can still respond to posture requests in a networking environment based on NAC (See Active/Passive Mode). It requires an 802.1x profile that uses the EAP-FAST protocol. Perform the following steps:
4. Define an 802.1x profile that uses EAP-FAST and activate the profile. Use the handles returned in steps 1 and 2.
6. Set the posture signer certificate (either the one just added, or the same certificate used for 802.1x).
7. Enable EAC.
Copyright © 2006-2022, Intel Corporation. All rights reserved.