An Introduction to Intel® Active Management Technology (Intel® AMT) Wireless Connections

ID 标签 659016
已更新 1/9/2021
版本 Latest
公共

author-image

作者

Introduction

With the introduction of wireless-only platforms starting with Intel Active Management Technology (Intel® AMT) 10, it is even more important for an ISV to integrate support for wireless management of Intel® AMT devices.

The wireless feature of Intel AMT is just like any wireless connection; it is not an automatic initial connection process. However, there are several major differences between wired and wireless Intel AMT communication, including the following:

  • Wireless Intel AMT interfaces are disabled by default and must be enabled and configured with a wireless profile (friendly name, SSID, passwords, encryption, and authentication at a minimum) which is pushed to the client using one of several methods.
  • Where a wired interface is shared by the host OS and Intel AMT (two different IP addresses), the wireless interface must be DHCP assigned only one IP address and is controlled by the OS unless the host is deemed unavailable, in which case, the control is given to the Intel AMT firmware.

This article will address the Intel AMT wireless configuration and describe how to handle the various aspects that are important for a clean integration.

Intel® AMT Wireless Support Progression for Intel® AMT 2.5 through 11

  • Intel AMT 2.5 and 2.6: Wireless is supported only when the OS is in a powered-on state (S0).
  • Intel AMT 4.0: Wireless is supported in all sleep states (Sx) but depends on configuration settings (Note: Intel AMT 5.0 did not support wireless).
  • Intel AMT 6: Syncs Intel AMT and host OS wireless profiles.
  • Intel AMT 7.0: Wireless is supported and host-based configuration is available; however remote configuration is not available over wireless.
  • Intel AMT 9.5: First release to support wireless-only platforms. USB provisioning is not supported on these devices.

Understanding Intel® AMT Wireless Connection Requirements

The connection parameters for an Intel AMT wireless device closely resemble those required for the Host OS connection. The firmware requires information including SSID, the authentication method, encryption type, and passphrase at a minimum. In more advanced connections, 802.1x profile information is also required.

All these settings are wrapped into a Profile which is considered as either an Admin or User Profile and saved within the Intel AMT firmware. The Admin or IT profiles are added to the firmware using Intel AMT APIs; see a list of configuration methods below. User profiles cannot be added to the Intel® Management Engine BIOS Extension (Intel® MEBX) via an Intel AMT API, they are created using the Intel AMT WebUI, or with profile syncing using the Intel® PROSet wireless drivers.

The Intel AMT firmware holds a maximum of 16 total profiles, of which a maximum of 8 can be user profiles and 8 admin profiles. With the ninth user profile, the oldest user profile is overwritten. 

Key Differences between Wired and Wireless Intel AMT Support

  • Default state. The wireless management interface is initially disabled and must be enabled in addition to creating and deploying the wireless profile. In contrast, wired connections are on by default.
  • Network type. Only infrastructure network types are supported by Intel AMT, not ad hoc or peer-to-peer networks.
  • DHCP dependence. While wired Intel AMT connections support either DHCP or static IP assignment, wireless AMT connection requires DHCP, and it will share its IP with the host OS.
  • Microsoft Active Directory* integration. 802.1x wireless authentication requires Active Directory integration with the Intel® Setup and Configuration Software (Intel® SCS.)
  • OS control of packets. On the wireless connection, all traffic goes directly to the OS (which can then forward it to Intel AMT), unless the OS is off, failed, or in a sleep state. In those cases manageability traffic goes directly to Intel AMT, which means that when the host returns to S0 or the driver is restarted, Intel AMT must return control to the host, or the host will not have wireless connectivity. This affects remote connections to Intel AMT including IDE-R and KVM.  See Link Preference details below (added in 6.0 and automated in 8.1)
  • Wired-only Intel AMT features are not supported on wireless-only platforms; Auto-Synch of Static IP Addresses, Local Setup Directly to Admin Control Mode.

Configuration Methods

The basic configuration of wireless for Intel AMT is covered in the article: Intel® vPro™ Setup and Configuration Integration, but here is additional information specific to the wireless setup.

Wireless profiles can be placed in the Intel AMT firmware in several ways. However, any system that is wireless only (no RJ45 connector) cannot be provisioned by a USB key.

  • Initial Intel AMT configuration
    • Profile type: Admin or Client, basic or advanced 802.1x
    • Tools available: Acuconfig, ACUWizard or Intel SCS
  • Intel AMT WebUI
    • Profile type: User, basic only.
    • Tool used: For web browser, use http://<IPorFQDNofDevice>:16992, or for TLS use https://<FQDNofDevice>:16993

Intel® AMT

  • Delta configuration
    • Profile type: Admin for reconfiguring specific settings only
    • Tools available: Acuconfig, ACU Wizard, or Intel SCS
  • Wi-Fi profile syncing  (Intel AMT 6.0 and later)
    • Profile type: User
    • Requires Intel® PROSet wireless drivers and the Intel® AMT Local Manageability Service (LMS)
    • Enables or disables synced OS and AMT wireless profiles (during configuration).
  • WS-Management
    • Profile type: Admin
    • Tools: Intel® vPro PowerShell module, WirelessConfiguration.exe, WS-Man custom using CIM_elements

Connection Types - Authentication/Encryption

Intel AMT supports several authentications and encryption types for wireless connections.

  • User profiles can be configured with WEP or no encryption.
  • Admin profiles must be TKIP or CCMP with WPA or higher security.
  • 802.1x profiles are not automatically synchronized by the Intel PROSet wireless driver

Table 1 shows the possible security settings for Intel AMT wireless profiles.

Table 1. Security settings for Intel® Active Management Technology wireless profiles

  None WEP TKIP CCMP
Open System X X    
Shared Key X X    
Wi-Fi* Protected Access (WPA)
Pre-Shared Key (PSK)
    X X
WPA IEEE 802.1X     X X
WPA2 PSK     X X
WPA2 IEEE 802.1X     X X

Settings to Ensure Connectivity during Remote Connection

Link Control and Preference

In a typical Intel AMT remote power management command, the Intel AMT system gets immediately rebooted. With a wireless KVM, the session will get dropped as the WLAN because the control of the wireless interface does not get passed to the firmware. This lack of passing the control from the OS to the firmware can take up to two minutes for the Intel AMT wireless connection to be re-established.

To prevent this connectivity loss, the preferred method is to programmatically perform the change of link control prior to making the power control request.

For additional information see my blogs: KVM and Link Control and more general Link Preference and Control.

TCP Time Outs

During changes to link control and power transition, wireless connectivity will temporarily be down during these state changes. If that duration lasts too long, the sessions created using the redirection library will be terminated. This termination is due to exceeding the HB setting within the redirection library (see Table 2).

Table 2. TCP default and suggested changes.

Time Out Default Values Suggested Value
Hb (client heartbeat interval) 5 seconds 7.5 seconds
RX (client receive) 2 x Hb 3 x Hb

Currently, the default session time-out setting works most of the time. However, we now recommend changing the Hb interval and the client receives the new interval by adding parameters during calls to the redirection library. These time-out values affect both the IDER TCP and SOL TCP sessions. For additional information, see: IMR_IDEROpenTCPSession or IMR_SOLOpenTCPSessionEx.

Wireless Link Policy

Another aspect is the wireless power policy of the firmware. This policy governs power control in different sleep states. The allowable values are Disable, EnableS0, and EnableS0AndSxAC. These settings are usually set during configuration. However, identifying if an Intel AMT client will be able to maintain connectivity after a reboot or power down will improve technician expectations of client behavior.

To query the Wi-Fi Link policy use the HLAPI.Wireless.WiFiLinkPolicy enumeration

To set the Wi-Fi Link policy use the HLAPI.Wireless. IWireless.SetWiFiLinkPolicy method of the Intel AMT HLAPI

Summary

Intel AMT wireless functionality may be called a feature, but this feature should be a cornerstone for any integration of Intel AMT functionality into a console application. Without this integration many devices will not be manageable due at the introduction of Intel AMT version 10).

A successfully basic integration is composed of several factors: Intel AMT wireless configuration, connection verification for wired or wireless, and wireless Link control operations.

Resource Lists

  • Wireless Networking in Intel® AMT
  • Wireless Profile Synchronization
  • Technical Considerations for Intel® AMT in a Wireless Environment
  • KVM User Experience Over Wireless (The case for Link Preference)
  • Intel® PROSet/Wireless Software - Downloads
  • AMT Implementation and Reference Guide – Wireless Manageability
  • AMT Implementation and Reference Guide – IMR_IDEROpenTCPSession
  • AMT Implementation and Reference Guide – IMR_SOLOpenTCPSessionEx

About the Author

Joe Oster has been working with Intel® vPro™ technology and Intel AMT technology since 2006. When not working, spending time working on his family’s farm and flying drones.