Endpoint Access Control

Endpoint Access Control (EAC) is used to enforce security policies on all hosts on a network. Compliance systems such as Cisco’s NAC implement such policies. Intel AMT Release 2.5 complies with Cisco’s implementation by optionally issuing signed postures that report on the state of the platform as detected by the Intel AMT device. Intel AMT responds to posture requests either from the local interface or from the network interface.

Release 4.0 adds NAP SoH responses from the network interface.

Beginning in Intel AMT Release 9.0, NAC is no longer supported.

Requests from the Local Interface

The following are the initial conditions for Intel AMT interaction with a Cisco NAC server.

The host is configured to use EAP-FAST as an authentication protocol under 802.1x. A Cisco Trusted Agent (CTA) is installed on the host, and the Intel-supplied posture plug-in DLL is stored in a directory where the CTA can find it. The LMS (from Release 9.0) or the UNS (releases prior to 9.0) is configured to periodically request postures from Intel AMT, and Intel AMT is configured to return a posture containing a report of the state of the Intel AMT device.

When the switch implementing the NAC protocol requests the CTA to return a posture, the CTA, via the posture plug-in, retrieves the last posture saved by the LMS. The CTA sends the posture to the Cisco server, which sends it to a posture validation server (PVS) to check that the posture is valid. The Intel AMT SDK contains a sample PVS. If the disposition of the PVS is positive, then platform network traffic will continue to flow through the switch, otherwise it may be limited or blocked.
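As an added illustration of the PVS-side decision described above (not code from the Intel AMT SDK or its sample PVS), the following checks a posture's signature, rejects a cached posture that is too old, and derives a disposition. The posture layout, the HMAC signing and the shared key are constructed assumptions, standing in for whatever signature scheme the real device uses.

```python
import hmac, hashlib, json

# Constructed shared secret between the AMT device and the PVS (assumption: a real
# posture is signed with a platform key; HMAC stands in for that here).
SHARED_KEY = b"constructed-demo-key"
# The CTA hands over the *last* posture cached by the LMS, so the PVS bounds staleness.
MAX_POSTURE_AGE_S = 300

def sign_posture(fields: dict, key: bytes = SHARED_KEY) -> dict:
    """Build a posture as the device would: canonical JSON body plus signature."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": mac}

def validate_posture(posture: dict, now: float, key: bytes = SHARED_KEY) -> tuple:
    """PVS-side validation. Returns (disposition, reason); 'allow' lets traffic flow,
    'restrict' tells the switch to limit or block the platform."""
    body = posture.get("body", "").encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, posture.get("sig", "")):
        return ("restrict", "bad signature")
    fields = json.loads(body)
    age = now - fields.get("issued_at", 0)
    if age < 0 or age > MAX_POSTURE_AGE_S:
        return ("restrict", "stale posture")
    major, minor = fields.get("fw_major", 0), fields.get("fw_minor", 0)
    if (major, minor) < (2, 5):  # signed postures exist from Release 2.5 onward
        return ("restrict", "firmware predates EAC support")
    if fields.get("source") not in ("local", "network"):
        return ("restrict", "unknown posture source")
    return ("allow", "ok")
```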

A NAP agent is built into Windows XP, Vista, and Windows 7. When the agent is installed and running, installing the LMS automatically registers it as a System Health Agent (SHA), a source for an SoH.

Requests from the Network

When the platform is in an Sx state (asleep or powered down) or host 802.1x connections are blocked, Intel AMT responds to posture or SoH requests directly. Posture requests and responses are in the framework of the EAP-FAST protocol selected when defining a wired 802.1x connection. The postures go directly to the Cisco server and from there to the PVS. SoH requests can be via a Cisco server (EAP-FAST) or a NAP Network Policy Server (NPS) using PEAP-TLV.

