802.1x and Bitlocker Network Unlock

ruemelin
Member
Posts: 14
Joined: 13 Oct 2021 05:44

802.1x and Bitlocker Network Unlock

Post by ruemelin »

Dear Forum!

I am trying to set up 802.1x on my 6860 switches.
Everything is working fine, apart from the BitLocker Network Unlock. As this is working on the non-802.1x ports, it needs to work afterwards as well.
The configuration as it is without the 802.1x for the Ports:

unp profile "Clients" map service-type spb tag-value 0 isid 10100 bvlan 4001 multicast-mode headend vlan-xlation
unp port x/1/y port-type access
unp port x/1/y default-profile "Clients" classification trust-tag ap-mode dynamic-service spb
unp port x/1/y admin-state enable
unp port x/1/y l2-profile "unp-l2"
service l2profile "unp-l2" stp drop 802.1ab peer

The isid 10100 is routed by our 6900V72 core switches, where we have the DHCP relay to the DHCP and WDS servers:

ip dhcp relay interface "Clients" destination 172.25.1.1 #DHCP-Server
ip dhcp relay interface "Clients" admin-state enable
ip dhcp relay interface "Clients" destination 172.25.1.100 #WDS-Server
ip dhcp relay interface "Clients" admin-state enable

For the new 802.1x setup we have on the ports:

unp profile "PreAuth" map service-type spb tag-value 0 isid 11001 bvlan 4002 multicast-mode headend vlan-xlation
unp profile "Clients" map service-type spb tag-value 0 isid 10100 bvlan 4001 multicast-mode headend vlan-xlation
unp port x/1/y port-type access
unp port x/1/y default-profile "PreAuth" classification trust-tag ap-mode dynamic-service spb
unp port x/1/y admin-state enable
unp port x/1/y 802.1x-authentication
unp port x/1/y mac-authentication #For later IOT-devices that are not capable of 802.1x
unp port x/1/y l2-profile "unp-l2-1x"
service l2profile "unp-l2" 802.1x peer 802.1ab peer
aaa radius-server "Clearpass" host 172.25.1.20 hash-key "xxx" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa device-authentication mac "Clearpass"
aaa device-authentication 802.1x "Clearpass"
aaa accounting mac "Clearpass"
aaa accounting 802.1x "Clearpass"

There the isid 11001 is connected per VLAN to a Sophos firewall which has the same DHCP relays on the corresponding VLANs. The DHCP server does its job there, so this connection is working for sure.

Now when I check the WDS logs I see the unlock requests in the old and the new setup coming in and the answers leaving.
I see the packets going through the firewall with a tcpdump.
I tried to set up a port-mirror on an 802.1x port to capture the traffic there during boot with a second PC, but as soon as I activate the port-mirror the unlock works just fine, so I got confused. As soon as I deactivate the port-mirror the unlock just does not work anymore.
Any ideas how I could get everything to work as intended without needing to activate a port-mirror (which is not really an acceptable workaround in my mind)?

Every idea is much appreciated.

Best Regards
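An added consistency check, not part of the post or of the switch vendor's tooling: it parses the two UNP configuration blocks above (copied here as a constructed sample, comments stripped) and reports any port whose default-profile or l2-profile references a profile that is not defined in the same block. It assumes only the line shapes shown in the post.

```python
import re

# Constructed sample: the 802.1x configuration block from the post.
CONFIG_8021X = """\
unp profile "PreAuth" map service-type spb tag-value 0 isid 11001 bvlan 4002 multicast-mode headend vlan-xlation
unp profile "Clients" map service-type spb tag-value 0 isid 10100 bvlan 4001 multicast-mode headend vlan-xlation
unp port x/1/y port-type access
unp port x/1/y default-profile "PreAuth" classification trust-tag ap-mode dynamic-service spb
unp port x/1/y admin-state enable
unp port x/1/y 802.1x-authentication
unp port x/1/y mac-authentication #For later IOT-devices that are not capable of 802.1x
unp port x/1/y l2-profile "unp-l2-1x"
service l2profile "unp-l2" 802.1x peer 802.1ab peer
"""

PROFILE_RE = re.compile(r'^unp profile "([^"]+)"')
L2_DEF_RE = re.compile(r'^service l2profile "([^"]+)"')
PORT_RE = re.compile(r'^unp port (\S+) (.*)$')

def lint_unp_config(text):
    """Return a list of findings: per-port references to undefined profiles."""
    profiles, l2profiles, ports = set(), set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '#' comments
        if not line:
            continue
        if m := PROFILE_RE.match(line):
            profiles.add(m.group(1))
        elif m := L2_DEF_RE.match(line):
            l2profiles.add(m.group(1))
        elif m := PORT_RE.match(line):
            port, rest = m.groups()
            p = ports.setdefault(port, {"default_profile": None, "l2_profile": None, "auth": set()})
            if m2 := re.match(r'default-profile "([^"]+)"', rest):
                p["default_profile"] = m2.group(1)
            elif m2 := re.match(r'l2-profile "([^"]+)"', rest):
                p["l2_profile"] = m2.group(1)
            elif rest in ("802.1x-authentication", "mac-authentication"):
                p["auth"].add(rest)
    findings = []
    for port, p in sorted(ports.items()):
        if p["default_profile"] and p["default_profile"] not in profiles:
            findings.append(f"{port}: default-profile {p['default_profile']} is not defined")
        if p["l2_profile"] and p["l2_profile"] not in l2profiles:
            findings.append(f"{port}: l2-profile {p['l2_profile']} is not defined (defined: {sorted(l2profiles)})")
    return findings

if __name__ == "__main__":
    for finding in lint_unp_config(CONFIG_8021X):
        print(finding)
```

On the posted 802.1x block it flags that port x/1/y binds l2-profile "unp-l2-1x" while only "unp-l2" is defined, which is worth confirming on the switch before chasing the port-mirror behaviour.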
silvio
Alcatel Unleashed Certified Guru
Posts: 2076
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x and Bitlocker Network Unlock

Post by silvio »

Interesting point with the mirror. So it seems that the issue is within the switch. You should open a ticket.
BR silvio