09-15-2021 09:08 AM
Is there anyone who uses ISE MAC filtering who has successfully implemented BitLocker Network Unlock? If so, was there a trick to doing this? Our Network Unlock is not working, and I am wondering if ISE has anything to do with this, since Network Unlock seems to require a DHCP connection at pre-boot, but ISE appears not to give it until after it boots to the login screen.
09-15-2021 06:49 PM
You will need to provide limited network access during the initial UEFI network boot up for the machines. One option is to use low impact mode wired deployment with Cisco Catalyst switches. At minimum it looks like you will need to provide access to DHCP, WDS and possibly DNS to allow the BitLocker Network Unlock enabled machines to boot up properly to the point it can authenticate to the network.
07-01-2022 03:07 AM
I assume this issue is resolved.
The environment where I have configured this to work does not implement ISE, so you may be able to see if any of the suggestions below help in your specific environment.
In the deployment where I have had this working, I was using a Cisco router DHCP server for the clients.
A few things you want to consider are as follows:
1) On the switch port that the client machine connects to, you need to ensure that spanning-tree portfast is enabled so the port transmits immediately when the client comes online.
2) You need to configure an ip helper-address pointing to WDS on the SVI of the client VLAN so the BOOTP request is forwarded to WDS once the initial DHCP allocation is done.
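Pulling the two answers above together (low impact mode with a pre-authentication ACL from the first, portfast and the WDS helper address from the second), here is a Catalyst access-switch configuration as an added example. It is not from either poster or from Cisco documentation, and it uses the legacy `authentication ...` interface syntax rather than IBNS 2.0 policy maps. All addresses are assumptions: client VLAN 10 is 10.10.10.0/24, the DHCP server is 10.20.0.5 and the WDS/Network Unlock server is 10.20.0.6.

```cisco
! Added example (not from the thread). Assumed addressing:
!   VLAN 10 clients 10.10.10.0/24, DHCP 10.20.0.5, WDS 10.20.0.6.
!
! Pre-authentication port ACL: the only IP traffic a client may send before
! ISE authorizes the port. Network Unlock is a DHCP exchange at UEFI time,
! so DHCP is the hard requirement; DNS is included per the first answer.
! The DHCP request is sent to 255.255.255.255, so the destination cannot be
! narrowed to the WDS host here; the helper addresses below do the steering.
! EAPOL is not IP, so this ACL does not affect 802.1X itself.
ip access-list extended PRE-AUTH
 remark DHCP client -> server, carries the Network Unlock request to WDS
 permit udp any eq bootpc any eq bootps
 remark DNS, in case the client resolves names before the logon screen
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/1
 description Endpoint port, low impact mode
 switchport mode access
 switchport access vlan 10
 ! Port ACL in effect until ISE pushes a dACL that replaces it
 ip access-group PRE-AUTH in
 ! Low impact mode: port forwards before auth, limited by PRE-AUTH
 authentication open
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! Skip listening/learning so the UEFI DHCP client is not timing out
 spanning-tree portfast
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ! Relay the client broadcast to both the DHCP server and the WDS server;
 ! WDS needs to see the request to answer with the Network Unlock key
 ip helper-address 10.20.0.5
 ip helper-address 10.20.0.6
```

Two things to check when testing. First, `show authentication sessions interface GigabitEthernet1/0/1 details` shows which ACL is currently applied to the session; if a machine sits in the pre-auth state at the logon screen, the PRE-AUTH ACL is what its traffic is filtered by, so that is the ACL that has to admit the DHCP exchange. Second, the dACL that ISE returns after authorization replaces PRE-AUTH, so it must also permit DHCP or the lease renewal will fail later in the session.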