Intel AMT can be configured with a supplicant that supports seven types of EAP profiles. The user can select from any of the following profiles and configure 802.1x in conjunction with the profile.
• EAP-TLS
• EAP-TTLS
• EAP-PEAP-MSCHAP
• EAP-GTC
• EAP-FAST-MSCHAP
• EAP-FAST-GTC
• EAP-FAST-TLS
Profile configuration is dependent on the RADIUS server requirements and configuration.
Intel AMT checks the Username, Password, Domain, and Roaming Identity strings in AMT_8021XProfile or IPS_IEEE8021xSettings only for correct length; it performs no other validation on them. These parameters are used to authenticate with external equipment such as a RADIUS server, and must conform to the naming requirements of such devices or services. For example, user names must not have special characters embedded in them (" / \ [ ] : ; | = , + * ? < >).
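Because Intel AMT validates only length, a provisioning script can screen these strings before writing the profile. The following is an added example, not Intel SDK code: the dictionary keys, the uniform length limit of 64, and the control-character check are assumptions made for illustration, and only the user-name character list comes from the text above.

```python
# Added example: screen 802.1x profile strings before they are written to
# Intel AMT, which itself checks only their length.

# Characters the page lists as not allowed in user names.
FORBIDDEN_IN_USERNAME = set('"/\\[]:;|=,+*?<>')

# Placeholder limits (assumption, not Intel's values): replace with the limits
# from the AMT_8021XProfile field descriptions and your RADIUS server.
EXAMPLE_MAX_LEN = {"Username": 64, "Password": 64, "Domain": 64, "RoamingIdentity": 64}


def check_profile_strings(fields, max_len=EXAMPLE_MAX_LEN, forbidden=None):
    """Return a list of (field, problem) tuples; an empty list means no findings."""
    if forbidden is None:
        # Only the user-name rule is stated on the page; other fields can be
        # given their own sets to match the RADIUS server's naming rules.
        forbidden = {"Username": FORBIDDEN_IN_USERNAME}
    problems = []
    for name, value in fields.items():
        if value is None:
            continue
        limit = max_len.get(name)
        if limit is not None and len(value) > limit:
            problems.append((name, f"longer than {limit} characters"))
        bad = sorted(set(value) & forbidden.get(name, set()))
        if bad:
            problems.append((name, "forbidden characters: " + " ".join(bad)))
        # Extra check added in this example (assumption): control characters
        # in an identity string are almost always a copy/paste or encoding error.
        if name != "Password" and any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            problems.append((name, "contains control characters"))
    return problems


if __name__ == "__main__":
    # Constructed sample: the domain was typed into the user name field.
    sample = {"Username": "CORP\\alice", "Password": "p@ss:word;", "Domain": "CORP"}
    for field, problem in check_profile_strings(sample):
        print(f"{field}: {problem}")
```

Findings never echo the password value, so the output is safe to log.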
The RADIUS server settings may vary according to organizational requirements for 802.1x security. For example, the RADIUS server may not require a client certificate to authenticate the user. In that case, a supplicant configured to use the EAP-PEAP-MSCHAPv2 protocol can work when only a username and password are configured.
Another example is an organization that uses manual PAC provisioning to authenticate the clients. In this case, the supplicant must be configured to use the EAP-FAST protocol (ACS RADIUS is required to support this environment), and the supplicant must be manually provisioned with a PAC (Protected Access Credentials, which contain all data required for client authentication). The client will authenticate with the provided PAC. Usually for such a setup the RADIUS server is configured not to support automatic PAC provisioning.
See Also:
• AMT_8021XProfile Field Descriptions
Copyright © 2006-2022, Intel Corporation. All rights reserved.