Bitlocker pins being prompted for when computer is on network

TempleOfFive
Comes here often
Hi all.  We are a 15-location company, with offices all over the US.  Every one of our offices uses Cisco 2960 or 3750 switches.  We have BitLocker enabled on all laptops and use MBAM to monitor/administer it.  Certain models of laptops (all Dells, just varying models) and dock combinations, when connected to the Cisco switches, are allowed to bypass having to enter their BitLocker PIN when connected to the network.  We just add the second DHCP server that MBAM uses via an extra IP helper statement on the VLAN the users connect to.  For example:
interface Vlan2
description Users-OC
ip address 10.10.100.1 255.255.255.0
ip helper-address 10.1.0.35  <-----
ip helper-address 10.10.0.3
We recently opened an office in Tacoma, and are planning to deploy Meraki switches next year, so we started with this one.  A user who does not get prompted to enter his BitLocker PIN when he's in any other office does get prompted when he's in Tacoma.  I've set both DHCP servers in the Meraki settings, and according to the documentation I've seen, the switch will check both.  I'm just wondering if it's stopping after it gets an address from the first one?  It works fine on Cisco switches, but doesn't on the Meraki.
We're seriously anticipating buying 25-30 switches next year, and this could completely put a halt to that.  I really don't want it to, because I, so far, love working with the Meraki switches.  Hoping there is a workaround for this.
Any thoughts would be appreciated!  Hope this makes sense and maybe someone else out there has tried to do this also and was successful.  

PhilipDAth
Kind of a big deal

I would run a capture on DHCP traffic to confirm the behaviour.
I would have expected the DHCP packet to be relayed to all IP addresses without waiting for a response - but that is an expectation.

Thanks, I'll give that a try as soon as I can and let you know what the results are.

Finally was able to get a user to help me test this (it's a remote office).  I don't know how to specifically filter for just DHCP traffic, so I just did a generic "ether host MAC address" filter and started it once he turned on his computer.  This is the only DHCP info I saw in the results.  Doesn't look like it ever went to the BitLocker DHCP server in our datacenter.
20:55:38.529735 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::55db:f0e5:d537:2cd9 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff37:2cd9 to_ex, 0 source(s)]
20:55:39.029639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::55db:f0e5:d537:2cd9 > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::55db:f0e5:d537:2cd9, Flags [override]
    destination link-address option (2), length 8 (1): d8:d0:90:0e:b0:b6
20:55:39.825759 IP (tos 0x0, ttl 128, id 8493, offset 0, flags [none], proto UDP (17), length 353)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d8:d0:90:0e:b0:b6, length 325, xid 0xeabd277e, Flags [none]
      Client-Ethernet-Address d8:d0:90:0e:b0:b6
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Client-ID Option 61, length 7: ether d8:d0:90:0e:b0:b6
        Requested-IP Option 50, length 4: 10.18.100.104
        Hostname Option 12, length 10: "SE-1C7XHR2"
        FQDN Option 81, length 26: "SE-1C7XHR2.fpainc.local"
        Vendor-Class Option 60, length 8: "MSFT 5.0"
        Parameter-Request Option 55, length 14:
          Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
          Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server
          Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route
          Classless-Static-Route-Microsoft, Option 252
20:55:39.828216 IP (tos 0x0, ttl 128, id 24019, offset 0, flags [none], proto UDP (17), length 338)
    10.18.100.1.67 > 10.18.100.104.68: BOOTP/DHCP, Reply, length 310, xid 0xeabd277e, Flags [none]
      Your-IP 10.18.100.104
      Gateway-IP 10.18.100.1
      Client-Ethernet-Address d8:d0:90:0e:b0:b6
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        RN Option 58, length 4: 43200
        RB Option 59, length 4: 75600
        Lease-Time Option 51, length 4: 86400
        Server-ID Option 54, length 4: 10.18.0.6
        Subnet-Mask Option 1, length 4: 255.255.255.0
        FQDN Option 81, length 3: 255/255 ""
        Default-Gateway Option 3, length 4: 10.18.100.1
        Domain-Name-Server Option 6, length 8: 10.11.0.95,10.1.0.95
        Domain-Name Option 15, length 13: "fpainc.local^@"
20:55:39.829770 IP6 (flowlabel 0x4a0d6, hlim 1, next-header UDP (17) payload length: 112) fe80::55db:f0e5:d537:2cd9.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=943479 (elapsed-time 0) (client-ID hwaddr/time type 1 time 603224722 10653055d4c6) (IA_NA IAID:936956048 T1:0 T2:0) (Client-FQDN) (vendor-class) (option-request vendor-specific-info DNS-server DNS-search-list Client-FQDN))
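The capture above was taken with an `ether host` filter, which is tcpdump-style (BPF) syntax; the narrower expression `udp port 67 or udp port 68` selects only DHCP. Two things matter when reading a client-side capture like this one. First, the source address of a relayed reply is the relay's interface (here 10.18.100.1, which also appears as Gateway-IP, the giaddr), so the server that actually answered is identified by option 54 (Server-ID: 10.18.0.6), not by the source IP. Second, a capture on the client's access port can only show replies that came back; it cannot show whether the relay forwarded the request to the second helper address at all. To confirm that, capture on the switch uplink or on 10.1.0.35 itself and look for unicast DHCP to port 67 with the giaddr set. The script below is an added example written for this thread, not code posted by anyone above: it parses `tcpdump -v` text, groups each BOOTP/DHCP packet with its option lines, and reports which of the expected servers answered. The embedded sample capture is constructed from the addresses and packets quoted in the thread.

```python
"""Summarise BOOTP/DHCP packets from `tcpdump -v` text output.

Added example for this thread, not code posted by anyone above.  Each
packet is paired with the option lines tcpdump prints beneath it, and
replies are attributed to a server by option 54 (Server-ID), because the
source IP of a relayed reply is the relay (giaddr), not the DHCP server.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# A new packet starts with a timestamp and the protocol ("IP" or "IP6").
TS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP6? ")
# The BOOTP/DHCP summary line tcpdump prints on the line after the header.
DHCP_LINE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply).*?xid (?P<xid>0x[0-9a-fA-F]+)"
)
# Option/header lines of interest, mapped to DhcpPacket attribute names.
FIELDS = {
    "msgtype":    re.compile(r"DHCP-Message Option 53, length 1: (\w+)"),
    "server_id":  re.compile(r"Server-ID Option 54, length 4: ([\d.]+)"),
    "your_ip":    re.compile(r"Your-IP ([\d.]+)"),
    "gateway_ip": re.compile(r"Gateway-IP ([\d.]+)"),  # giaddr: the relay that forwarded it
}


@dataclass
class DhcpPacket:
    time: str
    src: str
    dst: str
    kind: str            # "Request" (client -> server) or "Reply" (server -> client)
    xid: str
    msgtype: str = ""    # Discover / Offer / Request / ACK / NAK
    server_id: str = ""  # option 54: the server that really answered
    your_ip: str = ""    # yiaddr handed to the client
    gateway_ip: str = "" # giaddr: non-empty when the packet passed through a relay


def parse_dhcp(text: str) -> List[DhcpPacket]:
    """Return the DHCP packets found in tcpdump -v output, in capture order."""
    packets: List[DhcpPacket] = []
    current: Optional[DhcpPacket] = None
    last_ts = ""
    for line in text.splitlines():
        ts = TS_LINE.match(line)
        if ts:
            last_ts = ts.group(1)
            current = None  # new packet; option lines below belong to it, if it is DHCP
            continue
        m = DHCP_LINE.match(line)
        if m:
            current = DhcpPacket(last_ts, m["src"], m["dst"], m["kind"], m["xid"])
            packets.append(current)
            continue
        if current is None:
            continue  # option line of a non-DHCP packet (ICMPv6, DHCPv6, ...)
        for name, rx in FIELDS.items():
            f = rx.search(line)
            if f:
                setattr(current, name, f.group(1))
                break
    return packets


def relay_report(packets: List[DhcpPacket], expected_servers: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the servers that answered (by option 54) with the helper targets you expect."""
    expected = set(expected_servers)
    answered = {p.server_id for p in packets if p.kind == "Reply" and p.server_id}
    return {
        "answered": sorted(answered & expected),
        "silent": sorted(expected - answered),
        "unexpected": sorted(answered - expected),
    }


# Constructed sample, modelled on the capture quoted in the thread (trimmed).
SAMPLE_CAPTURE = """\
20:55:38.529735 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::1 > ff02::16: HBH ICMP6, multicast listener report v2
20:55:39.825759 IP (tos 0x0, ttl 128, id 8493, offset 0, flags [none], proto UDP (17), length 353)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d8:d0:90:0e:b0:b6, length 325, xid 0xeabd277e, Flags [none]
      Client-Ethernet-Address d8:d0:90:0e:b0:b6
      Vendor-rfc1048 Extensions
        DHCP-Message Option 53, length 1: Request
        Requested-IP Option 50, length 4: 10.18.100.104
        Vendor-Class Option 60, length 8: "MSFT 5.0"
20:55:39.828216 IP (tos 0x0, ttl 128, id 24019, offset 0, flags [none], proto UDP (17), length 338)
    10.18.100.1.67 > 10.18.100.104.68: BOOTP/DHCP, Reply, length 310, xid 0xeabd277e, Flags [none]
      Your-IP 10.18.100.104
      Gateway-IP 10.18.100.1
      Vendor-rfc1048 Extensions
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 10.18.0.6
        Default-Gateway Option 3, length 4: 10.18.100.1
"""

if __name__ == "__main__":
    pkts = parse_dhcp(SAMPLE_CAPTURE)
    for p in pkts:
        print(f"{p.time} {p.kind:7} {p.msgtype:8} xid={p.xid} src={p.src} "
              f"server_id={p.server_id or '-'} giaddr={p.gateway_ip or '-'}")
    # The two helper targets from the thread: local DHCP and the MBAM/BitLocker server.
    print(relay_report(pkts, ["10.18.0.6", "10.1.0.35"]))
```

Run against the thread's capture, the report lists 10.18.0.6 as answered and 10.1.0.35 as silent, which is what the poster observed. Whether "silent" means the relay never sent the request or the server never replied can only be settled by a capture at the other end.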

redsector
Head in the Cloud

Is there a route to ip helper-address 10.1.0.35, because it's on another IP range than the other addresses?
interface Vlan2
description Users-OC
ip address 10.10.100.1 255.255.255.0
ip helper-address 10.1.0.35 <-----
ip helper-address 10.10.0.3

We just have a default static route to go to the next hop (router) for all traffic. The router is aware of all of our other locations (10.1.x.x is our datacenter)