Created on 01-27-2020 01:00 PM Edited on 02-08-2024 05:48 AM By Jean-Philippe_P
Description
Solution
Note the following before proceeding:
• Edits must be performed via the CLI of the ControlApplication/Application Server.
• Edits may differ based on PXE boot needs.
• If the Configuration Wizard is used after the modifications below have been made, they will need to be re-added.
• Contact Support if assistance is required.
Scope level configuration:
next-server <PXE Server IP address>;
filename "<absolute path to boot file>";
Note: Double backslashes (\\) are required for Windows boot servers.
Example when using Legacy BIOS:
authoritative;
log-facility local6;
ddns-update-style none;
allow bootp;
allow booting;
class "authenticated_clients"
{
    match pick-first-value (option dhcp-client-identifier, hardware);
}
# Empty Scope Used to load DHCP on ETH1
#subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
#}
# Isolation Scope ISOL_Isolation_blackhole
subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
    range XXX.XXX.XXX.10 XXX.XXX.XXX.200;
    default-lease-time 28800;
    max-lease-time 86400;
    option domain-name "blackhole.local";
    option domain-name-servers XXX.XXX.XXX.XXX;
    option broadcast-address XXX.XXX.XXX.255;
    option routers XXX.XXX.XXX.1;
    ###!!! You need to add the following in every scope !!!###
    next-server XXX.XXX.XXX.XXX;
    filename "<path>\\<path>\\<filename>";
}
Example when using UEFI and Legacy BIOS with a Microsoft Windows Deployment Services server:
authoritative;
log-facility local6;
ddns-update-style none;
allow bootp;
allow booting;
option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
option arch code 93 = unsigned integer 16; # RFC 4578 client system architecture
class "authenticated_clients"
{
    match pick-first-value (option dhcp-client-identifier, hardware);
}
# Empty Scope Used to load DHCP on ETH1
#subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
#}
# Isolation Scope ISOL_Isolation_blackhole
subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
    range XXX.XXX.XXX.10 XXX.XXX.XXX.200;
    default-lease-time 28800;
    max-lease-time 86400;
    option domain-name "blackhole.local";
    option domain-name-servers XXX.XXX.XXX.XXX;
    option broadcast-address XXX.XXX.XXX.255;
    option routers XXX.XXX.XXX.1;
    ###!!! You need to add the following in every scope !!!###
    class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server X.X.X.X; ### IP address of the MS Windows Deployment Services server
        if option arch = 00:07 {
            # UEFI 64-bit system
            filename "smsboot\\x64\\wdsmgfw.efi";
        } else if option arch = 00:06 {
            # UEFI 32-bit system
            filename "smsboot\\x86\\wdsmgfw.efi";
        } else {
            # Legacy BIOS
            filename "smsboot\\x64\\wdsnbp.com";
        }
    }
}
Save the configuration changes.
Restart the DHCP service to apply changes.
service dhcpd restart
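As an added check (not part of the article or of FortiNAC), the script below scans a dhcpd.conf fragment and flags any scope that lacks next-server/filename (the "add to every scope" warning above) or whose Windows boot path uses single backslashes, and it mirrors the boot-file choice made by the pxeclients class. The sample config, its addresses and the function names are constructed for this example.

```python
import re

# Constructed sample in the style of the article: the first scope is complete, the
# second lacks next-server and uses single backslashes in its Windows boot path.
SAMPLE_CONF = r"""
authoritative;
#subnet 10.0.0.0 netmask 255.255.252.0 {
#}
subnet 10.10.0.0 netmask 255.255.252.0 {
  class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
    next-server 10.10.0.5;
    filename "smsboot\\x64\\wdsnbp.com";
  }
}
subnet 10.20.0.0 netmask 255.255.252.0 {
  filename "smsboot\x64\wdsnbp.com";
}
"""
def subnet_blocks(conf):
    """Return (network, body) for every 'subnet ... {' block, honouring nested braces."""
    blocks = []
    for m in re.finditer(r"\bsubnet\s+(\S+)\s+netmask\s+\S+\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1), conf[m.end():i - 1]))
    return blocks

def lint_pxe(conf):
    """Findings for scopes that lack next-server/filename or use unescaped Windows paths."""
    findings = []
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, including commented-out scopes
    for net, body in subnet_blocks(conf):
        if not re.search(r"\bnext-server\s+\S+;", body):
            findings.append(f"{net}: missing next-server")
        names = re.findall(r'\bfilename\s+"([^"]*)"\s*;', body)
        if not names:
            findings.append(f"{net}: missing filename")
        for name in names:  # after removing every '\\' pair, any backslash left was a lone one
            if "\\" in name.replace("\\\\", ""):
                findings.append(f"{net}: single backslash in filename {name!r}")
    return findings

def select_boot_file(vendor_class, arch):
    """Boot file the article's pxeclients class would hand out (arch value per RFC 4578)."""
    if vendor_class[:9] != "PXEClient":
        return None  # non-PXE clients get no boot file
    uefi = {7: r"smsboot\\x64\\wdsmgfw.efi", 6: r"smsboot\\x86\\wdsmgfw.efi"}
    return uefi.get(arch, r"smsboot\\x64\\wdsnbp.com")
```

Run `lint_pxe` over the real /bsc/siteConfiguration/dhcpd.conf before restarting dhcpd; an empty list means every scope carries PXE settings.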
Note: Since the proposed solution works by manually editing the DHCP configuration file '/bsc/siteConfiguration/dhcpd.conf', it cannot be used on newer versions of FortiNAC-F that run NAC-OS.
For new deployments that are still running on CentOS (not yet migrated), it is recommended to find an alternative way of registering this type of device and to move them to an onboarding VLAN that can use a production DHCP server.
Copyright 2024 Fortinet, Inc. All Rights Reserved.