Managing Intel® vPro™ Technology clients in a wireless environment

     There is no doubt that wireless networks are widely used by many companies, and for some they are the only medium available (that is, there is no wired connection). Wireless-only work environments are becoming more common for several reasons: 1) it is the cheapest connection technology compared with a traditional wired network, which requires switch ports, cabling, and so on; 2) reconfiguring an office layout is much easier without cables; and 3) a wireless network can be more secure than a comparable wired network, at least in most enterprise deployments, where IEEE 802.1X is the de facto standard: every device must authenticate before it gets a path onto the LAN, which is rarely the case for a wired port.

     There are several ways to configure an 802.1X-protected wireless network, but the most common EAP methods are EAP-TLS (certificate-based) and PEAP, often written EAP-PEAP (password-based; in a Windows domain this normally means the computer account's credentials over MSCHAPv2). Intel® vPro™ Technology clients must be configured for this 802.1X environment so that the Intel® Management Engine (Intel® ME) can get out-of-band access to the corporate network and the system can be managed remotely with Intel® Active Management Technology (Intel® AMT).

     Intel® vPro™ Technology clients in an 802.1X wireless network require Microsoft* Active Directory integration and a RADIUS server (for example, Microsoft* IAS) that bridges the authentication from the client to Active Directory. On the wireless side the 802.1X authenticator is the access point (or wireless controller), playing the role an 802.1X-capable switch plays on the wired side: it relays the EAP exchange between the client and the RADIUS server and opens the port only after a successful authentication.


Figure 1 – Intel® SCS 802.1x profile configuration

     The EAP methods discussed here (EAP-TLS and PEAP) establish a TLS session between the client and the RADIUS server before any credentials are sent, and the RADIUS server presents the certificate issued to it to set up that session. The client must validate this certificate against a trusted root, so the Intel® vPro™ Technology client receives the list of trusted root certificates during setup and configuration and stores them in Intel® ME flash memory. The root that anchors the RADIUS server's certificate chain must be in this list; otherwise the TLS handshake fails and the client never reaches the credential stage. Figure 1 shows the Intel® Setup and Configuration Service (Intel® SCS) wizard used to select the "Trusted Root Certificate" during the setup and configuration stage.

     If EAP-TLS is selected, you must also pick the certificate authority that will issue the 802.1X client certificates and select the desired certificate template. During the setup and configuration phase, the Intel® Remote Configuration Service (Intel® RCS) acts as an enrollment proxy, requesting the certificate from that CA on behalf of the Intel® vPro™ Technology client.

     Beyond the how-to configuration steps above, there are two points to consider when planning your Intel® vPro™ Technology configuration, because they differ from a regular desktop configuration:

    • Certificates
    • Network Speed


     Intel® AMT imposes limits on the key length of the certificates it uses, as described in Table 1.


Table 1 – Intel® AMT PKI certificate length limitations

     The most common issue that I found in the field with certificates is when the root certificate authority uses a key longer than 2048 bits (for example, 4096 bits). When the key length is too long, instead of a failed provisioning status, the client is shown as "configured" but is unable to authenticate against the RADIUS server. If you look into the Intel® SCS log, you will see the ERROR shown in Figure 2.


Figure 2 – Intel® SCS log showing the certificate update error

     Unfortunately, there is no easy workaround for this problem. You can take one of two approaches:

  • Reissue the root CA with a shorter key length. In this case, the certificate authority will maintain two CRLs, one for the previous root CA, which will be revoked (in our example, the 4096-bit certificate), and one for the new certificate. This is the recommended approach if you also use the PKI for S/MIME or file encryption, because those usage models usually require CRL checking for long periods.
  • Install a second root CA. This approach is intended as part of a migration strategy: instead of administering two CRLs, you reissue the client certificates (for example, by auto-enrollment through GPO) and, after some period, simply decommission the old CA. This method is not recommended if you use S/MIME, file encryption, etc.
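Because Intel® SCS reports the client as "configured" even when the chain is unusable, it pays to check key sizes before provisioning and again after either of the two migrations above. The following PowerShell script is an added example, not part of the original post or of Intel® SCS: given a certificate file (the RADIUS server certificate, or a CA certificate exported from the issuing CA), it builds the chain from the local machine's stores and reports the RSA key size of every element, flagging any that exceeds a limit. The 2048-bit default for the hypothetical `-MaxKeyBits` parameter is taken from the text above; the path is a placeholder.

```powershell
# Added example: report RSA key sizes along a certificate chain and flag any
# element longer than the limit Intel AMT accepts (2048 bits per the post).
# -CertPath and -MaxKeyBits are assumptions for this example, not SCS options.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath,          # e.g. C:\certs\radius-server.cer (placeholder)
    [int]$MaxKeyBits = 2048
)

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), which AMT
    # of this generation does not use for 802.1X either; report them separately.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Build the chain from the machine's trust stores. Revocation checking is
# skipped on purpose: we only want the chain elements and their key sizes,
# and an unreachable CRL distribution point must not hide a result. Unknown
# roots are allowed so the check also works for a CA that is not yet trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$null = $chain.Build($leaf)

$tooLong = @()
foreach ($element in $chain.ChainElements) {
    $c    = $element.Certificate
    $bits = Get-RsaKeyBits -Cert $c
    if ($null -eq $bits) {
        $status = 'non-RSA key'
    } elseif ($bits -gt $MaxKeyBits) {
        $status = "TOO LONG ($bits bits)"
        $tooLong += $c
    } else {
        $status = "ok ($bits bits)"
    }
    '{0,-22} {1}' -f $status, $c.Subject
}

if ($tooLong.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the chain exceed {1} bits; Intel SCS will still show the " +
                   "client as configured, but 802.1X authentication will fail." -f $tooLong.Count, $MaxKeyBits)
    exit 1
}
```

Run it on the RADIUS server certificate (exported without the private key) on a machine that trusts the same PKI, and on each CA certificate you plan to push into the Intel® ME trusted root list. A non-zero exit code makes it easy to gate a provisioning job on the result; the check covers the whole chain because an oversized intermediate breaks the TLS handshake just as an oversized root does.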

Network Speed

     Usually, for compatibility reasons, you configure a wireless network to allow speed negotiation, but there are situations where you do not want to allow it. The main reason to restrict the negotiated rates is to shrink the wireless coverage so that it reaches only a single room or auditorium. If, in that case, you configure the access point to accept only the 802.11g or 802.11n rates, you will have a problem using Intel® vPro™ Technology out of band: the maximum out-of-band speed of the Intel® ME is 40 Mbps, which is below the rates such a G- or N-only network demands, so the Intel® ME cannot join that network. If you need both, keep the lower rates enabled on the SSID used for out-of-band management, or dedicate a separate SSID to it.

What’s Next

     In a future post, I'll discuss how to manage Intel® vPro™ Technology in a public wireless environment and behind a NAT using Fast Call for Help (also known as Client Initiated Remote Access, or CIRA).

Best Regards!