Defining End-Point Access Control
If the 802.1x profile’s protocol supports End-Point Access Control (EAC), you can use NAC/NAP authentication along with the RADIUS server to authenticate the Intel AMT device.
To define EAC:
1. From the Network Configuration window, click Configure EAC. The Configure End-Point Access Control window opens.
2. In the EAC vendor section, select one of these:
   - NAC
   - NAP or NAC-NAP Hybrid
   - Both NAC and NAP

   Note: Intel AMT 9.0 and higher does not support NAC. This means that if you select the NAC option, EAC will not be configured on systems with Intel AMT 9.0 and higher configured using this profile.
3. From the Highest hash algorithm supported by the authentication server drop-down list, select one of these:
   - SHA-1
   - SHA-256 (only supported on Intel AMT 6.0 and higher)
   - SHA-384 (only supported on Intel AMT 6.0 and higher)
4. From the Select the method for creating the certificate drop-down list, select the source for the certificate that will be installed in the Intel AMT device:
   - Request certificate from Microsoft CA – By default, the settings for this option are displayed. If you are using a Microsoft CA, continue from step 5.
   - Use certificate from a file – For information about this method and the necessary file format, see Using Predefined Files Instead of a CA Request. If you select this option, define the file locations and continue from step 6.
5. If the certificate will be requested from a Microsoft CA, do these steps:
   - From the Certificate Authority drop-down list, select the Enterprise CA that Intel SCS will use to request a certificate for EAC posture signing.
   - From the Certificate Template drop-down list, select the template that will be used to create the client certificate. The templates shown are templates where the Subject Name is supplied in the request. For information about how to create a template, see Defining Enterprise CA Templates.
   - Define the Common Names that will be included in the Subject Name of the generated certificate. For more information, see Defining Common Names in the Certificate.

   Note:
   - To use this option, Intel SCS must have access to the CA during configuration (see Required Permissions on the CA).
   - If you are creating the profile on a computer that does not have access to the CA, the drop-down lists will not display the CA or the templates. If necessary, you can manually supply the CA name (in the format FQDN\CA Name) and the name of the template.
6. Click OK. The Configure End-Point Access Control window closes.
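
The version limits stated above for the EAC vendor and hash algorithm, and the FQDN\CA Name format for a manually supplied CA, can be checked against a device inventory before the profile is deployed, so that systems which would end up without EAC are known in advance. The following Python is an added example, not part of Intel SCS; the function names, the inventory dictionary and its hostnames and versions are assumptions constructed for illustration.

```python
import re

# Limits as stated on this page; all names below are illustrative assumptions.
NAC_UNSUPPORTED_FROM = (9, 0)   # Intel AMT 9.0 and higher does not support NAC
SHA2_SUPPORTED_FROM = (6, 0)    # SHA-256/SHA-384 need Intel AMT 6.0 or higher
CA_NAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\\[^\\]+$")  # FQDN\CA Name

# Constructed sample inventory: hostname -> reported AMT version (made up).
SAMPLE_DEVICES = {"desk-01": "5.2.10", "desk-02": "8.1.0",
                  "lap-07": "9.0.2", "lap-09": "11.8.50"}

def parse_amt_version(text):
    """Turn a version string such as '9.0.2' into a (major, minor) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised AMT version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def check_eac_profile(vendor, highest_hash, ca_name, devices):
    """Return (subject, problem) findings for a planned EAC profile.

    vendor and highest_hash use the option labels shown in the dialog.
    ca_name is None unless the CA name is typed in by hand.
    """
    findings = []
    if ca_name is not None and not CA_NAME_RE.match(ca_name):
        findings.append(("profile", "CA name is not in FQDN\\CA Name format"))
    for host, ver_text in sorted(devices.items()):
        try:
            ver = parse_amt_version(ver_text)
        except ValueError as exc:
            findings.append((host, str(exc)))
            continue
        # The page states this only for the NAC option, so "Both NAC and NAP"
        # is deliberately not flagged here.
        if vendor == "NAC" and ver >= NAC_UNSUPPORTED_FROM:
            findings.append((host, "NAC selected: EAC will not be configured"))
        if highest_hash in ("SHA-256", "SHA-384") and ver < SHA2_SUPPORTED_FROM:
            findings.append((host, f"{highest_hash} needs Intel AMT 6.0 or higher"))
    return findings

if __name__ == "__main__":
    for subject, problem in check_eac_profile(
            "NAC", "SHA-256", "Corp Issuing CA", SAMPLE_DEVICES):
        print(f"{subject}: {problem}")
```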