ISE with BitLocker Network Unlock

jmorton1
Level 1

Is there anyone who uses ISE MAC filtering who has successfully implemented BitLocker Network Unlock? If so, was there a trick to doing this? Our Network Unlock is not working, and I am wondering if ISE has anything to do with this, since Network Unlock seems to require a DHCP connection at pre-boot, but ISE appears to not give it until after it boots to the login screen.

2 Accepted Solutions

howon
Cisco Employee

You will need to provide limited network access during the initial UEFI network boot up for the machines. One option is to use low impact mode wired deployment with Cisco Catalyst switches. At minimum it looks like you will need to provide access to DHCP, WDS and possibly DNS to allow the BitLocker Network Unlock enabled machines to boot up properly to the point it can authenticate to the network.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock


samsunday
Level 1

I assume this issue is resolved.

The environment where I have configured this to work does not implement ISE, so you may be able to see if any of the suggestions below help in your specific environment.

In the deployment where I have had this working, I was using a Cisco router DHCP server for the clients.

A few things you want to consider are as follows:

1) On the switch port that the client machine connects to, you need to ensure that spanning-tree portfast is enabled so the port transmits as soon as the client comes online.

2) You need to configure ip helper-address to WDS on the SVI interface of the client so the bootp request is forwarded to the WDS once the initial DHCP allocation is done.
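Putting howon's low impact mode advice and samsunday's portfast and helper-address steps together, here is an added Catalyst IOS configuration (written for this edit, not posted by either contributor). The server addresses, VLAN number and interface names are assumed placeholders; the port ACL is what limits the pre-authentication traffic to DHCP, DNS and the WDS ports needed for PXE and Network Unlock.

```cisco
! Assumed placeholders (not from the thread):
!   DHCP server 10.0.0.10, WDS / Network Unlock server 10.0.0.20
!   Client VLAN 10, client access port GigabitEthernet1/0/1
!
! 1) Pre-authentication ACL: the only traffic the port passes before
!    ISE authorizes the endpoint. Enough for UEFI PXE and Network Unlock.
ip access-list extended PRE-AUTH-NETUNLOCK
 remark DHCP discover/request from the client
 permit udp any eq bootpc any eq bootps
 remark DNS, in case the PXE path needs name resolution
 permit udp any any eq domain
 remark PXE boot file download from WDS (TFTP)
 permit udp any host 10.0.0.20 eq tftp
 remark WDS PXE / Network Unlock responder (UDP 4011)
 permit udp any host 10.0.0.20 eq 4011
 deny ip any any
!
! 2) Access port in low impact mode: "authentication open" lets the
!    ACL-permitted traffic through while MAB/802.1X run, and ISE can
!    replace the ACL with a dACL once the endpoint is authorized.
!    Portfast puts the port in forwarding immediately so the first
!    DHCP discover from the UEFI firmware is not lost.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH-NETUNLOCK in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! 3) Client SVI: relay the broadcast DHCP/PXE requests to the DHCP
!    server for the lease and to WDS for the Network Unlock response.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.20
```

If the DHCP server and WDS run on the same host, a single helper-address entry is enough; the point is that both UDP 67 and UDP 4011 reach WDS before the endpoint has authenticated.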