FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
lfrancelj
Staff
Article Id 192829

Description

This article describes the case where machines in isolation are unable to boot from the network using PXE.

Since FortiNAC acts as the DHCP server for devices in isolation, the isolation DHCP scopes must be modified so that clients receive the address of the designated PXE server and the name of the boot file.


Solution

Note the following before proceeding:
•    Edits must be performed from the CLI of the Control/Application Server or Application Server.
•    The exact edits differ depending on the PXE boot requirements (Legacy BIOS, UEFI, boot server type).
•    If the Configuration Wizard is run after the modifications below have been made, the DHCP configuration is regenerated and the modifications must be re-added.
•    Contact Support if assistance is required.

 

  1. Log in to the CLI as root.
  2. Before making modifications, make a backup copy of /bsc/siteConfiguration/dhcpd.conf.
  3. Modify /bsc/siteConfiguration/dhcpd.conf and add the following lines.

    Global level configuration (once, near the top of the file):

    allow bootp;
    allow booting;

    Scope level configuration (inside every isolation scope):

    next-server <PXE Server IP address>;
    filename "<absolute path to boot file>";

Note: A backslash is an escape character inside a quoted string in dhcpd.conf, so a Windows boot server path must use double backslashes (\\) for every path separator, as in the examples below.

Example when using Legacy BIOS:


authoritative;
log-facility local6;
ddns-update-style none;
allow bootp;
allow booting;


class "authenticated_clients"
{
match pick-first-value (option dhcp-client-identifier, hardware);
}
# Empty Scope Used to load DHCP on ETH1
#subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
#}
# Isolation Scope ISOL_Isolation_blackhole
subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
range XXX.XXX.XXX.10 XXX.XXX.XXX.200;
default-lease-time 28800;
max-lease-time 86400;
option domain-name "blackhole.local";
option domain-name-servers XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.255;
option routers XXX.XXX.XXX.1;
### Add the following in every isolation scope ###
next-server XXX.XXX.XXX.XXX;
filename "<path>\\<path>\\<filename>";
}

Example when using UEFI and Legacy BIOS with a Microsoft Windows Deployment Services server:


authoritative;
log-facility local6;
ddns-update-style none;
allow bootp;
allow booting;
option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
option arch code 93 = unsigned integer 16; # RFC4578

class "authenticated_clients"
{
match pick-first-value (option dhcp-client-identifier, hardware);
}

# Empty Scope Used to load DHCP on ETH1
#subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
#}
# Isolation Scope ISOL_Isolation_blackhole
subnet XXX.XXX.XXX.0 netmask 255.255.252.0 {
range XXX.XXX.XXX.10 XXX.XXX.XXX.200;
default-lease-time 28800;
max-lease-time 86400;
option domain-name "blackhole.local";
option domain-name-servers XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.255;
option routers XXX.XXX.XXX.1;
### Add the following in every isolation scope ###
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
next-server X.X.X.X; ### IP address of the Windows Deployment Services server
if option arch = 00:07 {
# UEFI 64-bit system
filename "smsboot\\x64\\wdsmgfw.efi";
} else if option arch = 00:06 {
# UEFI 32-bit system
filename "smsboot\\x86\\wdsmgfw.efi";
} else {
# Legacy BIOS
filename "smsboot\\x64\\wdsnbp.com";
}
}

}

 

  4. Save the configuration changes.

  5. Restart the DHCP service to apply the changes.

    service dhcpd restart
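As an added example (not part of the original article and not FortiNAC's own tooling), the following POSIX shell helper performs steps 2 to 5 in one pass on the CentOS-based server: it takes a timestamped backup, adds the global and per-scope lines only where they are missing (so it can be re-run after the Configuration Wizard regenerates the file), runs a dhcpd syntax check before the restart, and includes a constructed sample dhcpd.conf with placeholder 192.0.2.0/22 addresses. The function names, the sample addresses and the use of 'dhcpd -t' are assumptions; the file path and the DHCP statements come from the article.

```shell
#!/bin/sh
# Added example (not FortiNAC code): applies the article's dhcpd.conf edits
# idempotently and syntax-checks the result before restarting dhcpd.
# Assumptions: the article's file path, ISC dhcpd syntax, and that 'dhcpd -t'
# and 'service dhcpd restart' work on the CentOS-based Control/Application Server.
CONF="${CONF:-/bsc/siteConfiguration/dhcpd.conf}"

# Step 2: timestamped backup, preserving mode and ownership.
backup_conf() {
    cp -p "$1" "$1.$(date +%Y%m%d-%H%M%S).bak"
}

# Global level: add 'allow bootp;' / 'allow booting;' once, after ddns-update-style.
add_global_pxe() {
    if grep -q '^allow booting;' "$1"; then return 0; fi
    awk '{ print } /^ddns-update-style/ { print "allow bootp;"; print "allow booting;" }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Scope level: add next-server/filename to every active (uncommented) subnet
# that lacks them, just before the subnet's closing brace. Brace depth is
# tracked so a nested class { ... } inside the subnet does not end it early.
# The values are passed through the environment rather than 'awk -v', which
# would process the doubled backslashes a Windows boot path needs.
add_scope_pxe() {
    PXE_SERVER="$2" PXE_FILE="$3" awk '
        /^[[:space:]]*#/ { print; next }                  # comments, incl. "#subnet" and "#}"
        /^[[:space:]]*subnet / && depth == 0 { insub = 1; seen = 0 }
        insub && /next-server/ { seen = 1 }
        {
            opens = gsub(/[{]/, "{")                      # count braces without changing the line
            closes = gsub(/[}]/, "}")
            if (insub && closes > 0 && depth + opens - closes == 0) {
                if (!seen) {
                    print "next-server " ENVIRON["PXE_SERVER"] ";"
                    print "filename \"" ENVIRON["PXE_FILE"] "\";"
                }
                insub = 0
            }
            depth += opens - closes
            print
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Steps 4-5: check syntax, then restart dhcpd only if the file parses.
apply_pxe() {
    backup_conf "$CONF"
    add_global_pxe "$CONF"
    add_scope_pxe "$CONF" "$1" "$2"
    if command -v dhcpd >/dev/null 2>&1 && ! dhcpd -t -cf "$CONF"; then
        echo "dhcpd.conf failed the syntax check; restore the backup" >&2
        return 1
    fi
    service dhcpd restart
}

# Constructed sample (placeholder 192.0.2.0/22 addresses) in the layout the
# article's generated dhcpd.conf uses, for trying the helpers offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
authoritative;
log-facility local6;
ddns-update-style none;

class "authenticated_clients"
{
match pick-first-value (option dhcp-client-identifier, hardware);
}
# Empty Scope Used to load DHCP on ETH1
#subnet 192.0.2.0 netmask 255.255.252.0 {
#}
# Isolation Scope ISOL_Isolation_blackhole
subnet 192.0.2.0 netmask 255.255.252.0 {
range 192.0.2.10 192.0.2.200;
option routers 192.0.2.1;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}
}
EOF
}

# Usage on the server, as root (single quotes keep both backslashes):
#   apply_pxe 10.0.0.5 'smsboot\\x64\\wdsnbp.com'
```

Pass a Windows boot file path in single quotes with each separator doubled, as in the usage comment; the helper reads the value from the environment inside awk precisely because 'awk -v' would interpret those backslashes and halve them. The syntax check runs only when the dhcpd binary is on the path, so the helper degrades to a plain restart on a host without it; on the FortiNAC server the check is the step that protects isolation DHCP from going down on a typo.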

Note: Since this solution works by manually editing the DHCP configuration file /bsc/siteConfiguration/dhcpd.conf, it cannot be used on newer FortiNAC-F versions that run NAC-OS.

For deployments that are still running on CentOS (not yet migrated), it is recommended to find an alternative way to register this type of device and move it to an onboarding VLAN served by a production DHCP server.