
OUR PRECONDITIONS

  • The old network infrastructure, referred to as OldNet:
    Doesn’t support 802.1x.
    Two domains on different VLANs with a one-way trust, referred to as Enterprise and Educational.
    The two domains have their own network infrastructure, different IP Helpers, DNS, DHCP and so on.

  • The new infrastructure, referred to as NewNet:
    802.1x is required, using Cisco ISE and Layer 3 switches.
    Only one fallback net with its own IP range, common for both domains, which also supports WebAuth guest access.
    The two domains still have their own IP range, DHCP, DNS etc. but will use the same PXE-server since PXE boot is taking place on the fallback network.

  • Both the old and the new network infrastructure will be used to deploy Windows 10 x64 and Windows 7 x86.

  • MAB will not be used during OSD. The network team doesn't want to spread a special OSD VLAN, so clients will get an IP address according to their current location, and only certificate-based authentication is allowed.

  • The task sequence needs to support both the new-computer and refresh scenarios, as well as BIOS to UEFI conversion regardless of the currently installed operating system.
    The scripts used for managing 802.1x need to support Windows 7 and its PowerShell version.

someguy100

Prestart, restart and reboots

Updated: Oct 16, 2018


So, why didn't I go with the fancy prestart command? Easiest question ever... The prestart command is great but, as I've said earlier, the environment will tell you what you can and can't do. In our case, we needed reboots during the WinPE phase in order to do the legacy-to-UEFI conversion, and the prestart command is only executed once, right before the TS is initiated.

One problem we had was that Cisco ISE was too slow to evaluate all the rules, much like the old ISA.

It took so long that the client even tried to start the sequence before it had an IP address. The outcome of this is the same as when your boot image is missing network drivers: the client restarts before the task sequence is initiated.

For this problem I adapted the script Niall Brady made. I kept the part writing the log and the part checking the HDD, but all I wanted to wait for was for the client to get an IP, authenticated or not. So I wrote a function for that part and another one that determines how the 802.1x script is started. The latter function depends on the boot type of WinPE (PXE or boot media). The function also identifies if a preboot command exists and, if so, combines it with the command to start the 802.1x script. Why start the 802.1x script in different ways? When PXE booting, the client downloads variables.dat from the server very early on. We're PXE-booting on the fallback net, which has one IP range, and once we're authenticated the client will change its IP from what it had during the PXE phase. Doing this too early will cause the download of variables.dat to fail. My best guess as to why is that the server identifies the client by its IP address.
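The following is an added illustration of the two functions described above, written for this page and not the post's own checkfornetwork.vbs or Niall Brady's script. It waits for any usable IPv4 address (ignoring 0.0.0.0 and APIPA 169.254.x.x, so an unauthenticated fallback-net address counts), logs what it finds, and then builds the command that starts the 802.1x script. The log path, the timeout, the script name `X:\Scripts\Start-Dot1x.ps1`, its `-DelaySeconds` switch, the `/prestart:` argument used to pass an existing prestart command, and the boot-type detection (boot media carries `\sms\data\variables.dat` on a removable drive, PXE does not) are all assumptions made for the example.

```vbscript
' Added example (not the post's checkfornetwork.vbs): wait for a usable IP in WinPE,
' log the result, then build the 802.1x start command according to the boot type.
Option Explicit

Const LOG_FILE = "X:\Windows\Temp\CheckForNetwork.log"   ' assumed log path
Const TIMEOUT_SEC = 300                                   ' assumed timeout
Const DOT1X_SCRIPT = "X:\Scripts\Start-Dot1x.ps1"         ' hypothetical 802.1x script

Dim objFSO, objShell
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

Sub WriteLog(msg)
    Dim f
    Set f = objFSO.OpenTextFile(LOG_FILE, 8, True)   ' 8 = ForAppending
    f.WriteLine Now & " " & msg
    f.Close
End Sub

' True if any IP-enabled adapter holds an IPv4 address that is neither 0.0.0.0 nor APIPA.
' Authenticated or not does not matter here; a fallback-net address is good enough.
Function HasUsableIP()
    Dim wmi, nics, nic, ip
    HasUsableIP = False
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set nics = wmi.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    For Each nic In nics
        If Not IsNull(nic.IPAddress) Then
            For Each ip In nic.IPAddress
                If InStr(ip, ".") > 0 Then
                    If ip <> "0.0.0.0" And Left(ip, 8) <> "169.254." Then
                        WriteLog "Usable address found: " & ip
                        HasUsableIP = True
                        Exit Function
                    End If
                End If
            Next
        End If
    Next
End Function

' Poll every 5 seconds until an address is assigned or the timeout expires.
Function WaitForIP(timeoutSec)
    Dim waited
    waited = 0
    Do Until HasUsableIP()
        If waited >= timeoutSec Then
            WriteLog "No usable IP after " & timeoutSec & " seconds"
            WaitForIP = False
            Exit Function
        End If
        WScript.Sleep 5000
        waited = waited + 5
    Loop
    WaitForIP = True
End Function

' Assumed detection: boot media carries \sms\data\variables.dat on a removable drive,
' a PXE-booted client does not.
Function GetBootType()
    Dim wmi, disks, d
    GetBootType = "PXE"
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set disks = wmi.ExecQuery("SELECT DeviceID FROM Win32_LogicalDisk WHERE DriveType = 2")
    For Each d In disks
        If objFSO.FileExists(d.DeviceID & "\sms\data\variables.dat") Then
            GetBootType = "Media"
            Exit Function
        End If
    Next
End Function

' Build the command line. On PXE the 802.1x script is held back (hypothetical -DelaySeconds
' switch) so variables.dat is fetched before the address changes; an existing prestart
' command, when supplied, is chained in front of it.
Function BuildDot1xCommand(bootType, prestartCmd)
    Dim cmd
    cmd = "powershell.exe -ExecutionPolicy Bypass -File """ & DOT1X_SCRIPT & """"
    If bootType = "PXE" Then cmd = cmd & " -DelaySeconds 60"
    If Len(prestartCmd) > 0 Then cmd = prestartCmd & " & " & cmd
    BuildDot1xCommand = "cmd.exe /c " & cmd
End Function

Dim bootType, prestart, cmdLine
If WaitForIP(TIMEOUT_SEC) Then
    bootType = GetBootType()
    prestart = WScript.Arguments.Named("prestart")   ' Empty when not supplied
    cmdLine = BuildDot1xCommand(bootType, prestart)
    WriteLog "Boot type " & bootType & ", launching: " & cmdLine
    objShell.Run cmdLine, 0, False
Else
    WScript.Quit 1
End If
```

Run it as `cscript //nologo checkfornetwork-example.vbs /prestart:"X:\Scripts\MyPrestart.cmd"` from winpeshl.ini or a prestart wrapper. The non-zero exit when no address ever arrives is deliberate: it keeps the log readable when ISE is slow, because the failure is recorded instead of the client silently rebooting before the task sequence starts.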

Have some cleaning up to do but here's the modified checkfornetwork.vbs

