My organization is about to implement 802.1X on our enterprise, but we currently use PXE-based OS deployment sequences in SCCM. I'm looking for a way to continue using PXE in an 802.1X environment. Our infrastructure uses Cisco network gear running at 12.2 (or newer). We are an all Windows network and all clients support 802.1X. All new workstations have Intel AMT available (but not factory configured).
In a worst case scenario, we'll use a guest vlan for OSD, but I'd rather have the OSD occur in an authenticated session. I've seen white papers that describe using AMT to act as a supplicant for PXE boot, but can't find any implementation details...
In the end, we decided the best way for us to use PXE with 802.1X, was to assign unauthenticated machines to a guest VLAN. At the router, the VLAN is ACL'd to only the DC (which also hosts DHCP), Enterprise CA, and PXE servers. We then added ip helper-address entries to the VLAN to both servers.
Once the machine is successfully imaged on the guest VLAN, the operating system then takes over. Our task sequence has it automatically join the domain. Group Policy then directs the machine to obtain a client cert and participate in 802.1X authentication.
The advantage to this method is that we don't have to worry about MAC address bypass or manually disabling/re-enabling 802.1X on a port.
MAC address bypass would be difficult for us to do, since it would require us to create user accounts in AD of the machine MAC address. Since the password is the MAC address as well, we would have to disable our password complexity policy, which is a non-starter.
In order for us to use AMT for the supplicant would require us to perform out-of-band provisioning, which puts us in a chicken-or-egg scenario.
Thank you to everyone who viewed/provided input on this question.
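As an added illustration of the guest-VLAN arrangement the answer above describes (not the poster's own configuration), here is what the pieces it names look like on Cisco IOS: a guest VLAN on the 802.1X access ports, an ACL on the guest SVI that admits only the DC/DHCP, Enterprise CA and PXE servers, and ip helper-address entries for the DHCP and PXE servers. VLAN numbers, interface names and all 192.0.2.x addresses are placeholders I chose for the example; the switch-port section belongs on the access switch and the SVI/ACL section on the L3 device that routes the guest VLAN.

```cisco
! Added example, not the poster's configuration. VLAN IDs, interface
! names and all 192.0.2.x addresses are placeholders.
! Written against the IOS 12.2 dot1x command set the question mentions;
! newer trains express the guest VLAN under "authentication event".

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! Allow a port that has already seen EAPOL (a domain-joined machine being
! re-imaged) to still fall into the guest VLAN when WinPE sends none.
dot1x guest-vlan supplicant

! Unauthenticated / OSD VLAN
vlan 900
 name PXE-GUEST

! Access port: authenticated hosts land in VLAN 10; a host that never
! answers EAPOL (PXE ROM, WinPE) is placed in VLAN 900 instead.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x port-control auto
 dot1x guest-vlan 900

! Inbound ACL for the guest SVI: DHCP broadcast first, then only the
! three hosts the answer names; everything else is dropped and logged.
ip access-list extended PXE-GUEST-IN
 remark DHCP DISCOVER/REQUEST from a client that has no address yet
 permit udp any eq bootpc any eq bootps
 remark DC (also DHCP and DNS) - domain join and group policy
 permit ip any host 192.0.2.10
 remark Enterprise CA - client certificate enrollment after imaging
 permit ip any host 192.0.2.20
 remark PXE/WDS server - TFTP, 4011 and the boot image share
 permit ip any host 192.0.2.30
 deny ip any any log

! Guest SVI on the L3 device: relay DHCP to the DC and PXE servers and
! apply the ACL so the guest VLAN can reach nothing else.
interface Vlan900
 ip address 192.0.2.129 255.255.255.128
 ip helper-address 192.0.2.10
 ip helper-address 192.0.2.30
 ip access-group PXE-GUEST-IN in
```

Two points worth checking before copying this pattern. First, the ACL assumes DNS lives on the DC, as it usually does; if DNS is elsewhere the domain join will fail silently until that host is permitted too. Second, the final `deny ip any any log` is there deliberately: anything logged from the guest VLAN that is not DHCP or traffic to those three hosts is either a misconfigured task sequence or an unauthenticated device probing the network, and either way it is the one place on this design where that shows up.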
You could do MAC based auth if 802.1X auth fails and then allow those authorized MACs to be in a PXE only environment via a special PXE only VLAN.