Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3000
Views
15
Helpful
7
Replies

802.1x and BitLocker Network Unlock

Go to solution
thgusset
Level 1
Level 1

‎08-18-2022 06:04 AM

Hi

802.1x-based NAC for wired ports controls L2 access to switch ports. To gain access to the network, the device must authenticate itself (e.g. with a device certificate). Authentication is performed by the operating system (Windows 10). This means that Windows must be up for 802.1x operation.
On the other hand, BitLocker Network Unlock is a function to avoid users having to enter the PIN to unlock the TPM in order to obtain the decryption key. Network Unlock is run by UEFI before Windows boots and is based on DHCP.

Is there an option to allow DHCP traffic to pass on a switch port before 802.1x authentication has taken place?

Thanks
Thomas

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to thgusset

‎08-18-2022 03:25 PM - edited ‎08-20-2022 10:41 AM

You can config Low-impact mode, 
this give you pre-auth ACL which can you specify to allow DHCP packet before full auth access Client.

View solution in original post

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-20-2022 10:34 AM

This is effectively a form of compliance/posture. 802.1X ideally allows no access until and endpoint or user is authenticated. You are asking for limited network access before authentication.

Yes, this can be done with a default VLAN and ACL applied on the switchport to limit traffic to DHCP and whatever server(s) you need for BitLocker to communicate with.

See the ISE Secure Wired Access Prescriptive Deployment Guide  > Pre-Authentication and Post-Authentication Access Control with Low Impact for how to do it.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-18-2022 08:44 AM

not sure never come across this - we have deployment with bitlocker (here is how it works)

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

that only for boot up, not for networking, once bitlocker entered, system boots up and 802.1X will start process based on the profiles.

or am i misundestood your query ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
thgusset
Level 1
Level 1
In response to balaji.bandi

‎08-18-2022 02:18 PM

Hi BB

Network Unlock needs network access before Windows boots and therefore before 802.1x authentication can be done.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎08-18-2022 11:10 AM

so you need the client get ip from DHCP before auth with 802.1x?

0 Helpful

Go to solution
thgusset
Level 1
Level 1
In response to MHM Cisco World

‎08-18-2022 02:22 PM

client don't need IP address but it uses DHCP to exchange necessary data for unlock with a central server (accessible via an IP helper on the default gateway).
And yes, that's before 802.1x auth

Go to solution
MHM Cisco World
VIP
VIP
In response to thgusset

‎08-18-2022 03:25 PM - edited ‎08-20-2022 10:41 AM

You can config Low-impact mode, 
this give you pre-auth ACL which can you specify to allow DHCP packet before full auth access Client.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-20-2022 10:34 AM

This is effectively a form of compliance/posture. 802.1X ideally allows no access until and endpoint or user is authenticated. You are asking for limited network access before authentication.

Yes, this can be done with a default VLAN and ACL applied on the switchport to limit traffic to DHCP and whatever server(s) you need for BitLocker to communicate with.

See the ISE Secure Wired Access Prescriptive Deployment Guide  > Pre-Authentication and Post-Authentication Access Control with Low Impact for how to do it.

0 Helpful

Go to solution
thgusset
Level 1
Level 1

‎09-13-2022 02:28 AM

Thanks a lot for your help.
Low impact mode can be used.
After some tests we decided to implement a two step authentication.
first step makes MAB against a MAC address database of all known devices. If successful, port will be mapped to a preAuth VLAN. preAuth VLAN has limited access to services need at this stage (DHCP for Bitlocker Network unlock).

Second step starts when OS is up. This is 802.1x authentication with VLAN assignment based on OU in AD.

It works like expected.

0 Helpful
Customers Also Viewed These Support Documents