How to assign SCEP certificates via DHCP on IGEL OS?


Hi Guys! One question:

We configured SCEP for our clients and assign a DHCP name by booting. In UMS the setting for dynamic DNS registration is set by DHCP name.


But when the client boots it overrides our set DHCP name with the suffix “ITC+MACADDRESS”.

Because of this, the SCEP certificates are rolled out for the wrong name, not the one we want.

Is there a workaround for that, so that the name we set in DHCP isn't overridden?

Thanks a lot!


Hi, which IGEL OS version? How are your settings set here?


Hi, we use 11.04.130, the newest.

Which settings do you mean?

(screenshots from the original thread not included)


The first isn't selected in our settings… I thought this is only for UMS internal?


I would switch that one to:

And reboot the device after that!


Sadly, that didn't help 🙁


What is the output of cat /etc/hostname ?

or dnsdomainname ?


The output of /etc/hostname is the ITCMACADDRESS string… not the one we configured in DHCP.


And that?


Hi Sebastian, which line is interesting for you? because of data privacy…


I would check whether your output corresponds to mine, or, if it differs, which line carries your name.


root@ITC00E0C5259FF7:/wfs# more dhclient-ab2ddda5-95ae-4856-b905-830316cdd627-eth0.lease
lease {
  interface "eth0";
  fixed-address XXX.XXX.XXX.100;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 691200;
  option routers XXX.XXX.XXX.1;
  option dhcp-message-type 5;
  option dhcp-server-identifier XXX.XXX.XXX.52;
  option domain-name-servers XXX.XXX.XXX.51,26.1.148.52;
  option dhcp-renewal-time 345600;
  option dhcp-rebinding-time 604800;
  option domain-name "XXXXXXXXX";
  option fqdn.encoded false;
  option fqdn.no-client-update true;
  option fqdn.server-update true;
  option fqdn.rcode1 255;
  option fqdn.rcode2 0;
  renew 1 2020/09/28 17:03:46;
  rebind 5 2020/10/02 10:54:39;
  expire 6 2020/10/03 10:54:39;
}
lease {
  interface "eth0";
  fixed-address XXX.XXX.XXX.100;
  option subnet-mask 255.255.255.0;
  option routers XXX.XXX.XXX.1;
  option dhcp-lease-time 691200;
  option dhcp-message-type 5;
  option domain-name-servers XXX.XXX.XXX.51,XXX.XXX.XXX.52;
  option dhcp-server-identifier XXX.XXX.XXX.52;
  option dhcp-renewal-time 345600;
  option dhcp-rebinding-time 604800;
  option domain-name "XXXXXXXXXXXXX";
  option fqdn.encoded false;
  option fqdn.no-client-update true;
  option fqdn.server-update true;
  option fqdn.rcode1 255;
  option fqdn.rcode2 0;
  renew 5 2020/10/02 04:37:20;
  rebind 1 2020/10/05 07:18:24;
  expire 2 2020/10/06 07:18:24;
}

Like this?

Does the automatic registration (without MAC address) setting have something to do with it?

Even if I deactivate the automatic registration (so no contact to UMS before) and then scan the devices, the ITCMACADDRESS name is set. And before that I set the DHCP name and deleted the lease… I don't understand this.
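The lease quoted above carries domain-name and fqdn.* options but no host-name option, which is the first thing to check when a device keeps its default name. The following script is an added example (not IGEL code and not from this thread) that parses a dhclient lease file in the format shown, reports which name-related options the latest lease contains, and flags when the DHCP-supplied name differs from the hostname the device actually uses. It assumes that dhclient appends the newest lease block last and that the sample lease embedded below, constructed to mirror the quoted one plus a hypothetical second block that does carry a host-name, is representative; whether IGEL OS derives its hostname from the host-name option is an assumption, not something the thread confirms.

```python
"""Inspect a dhclient lease file for the options that decide a client's DNS name.

Added example, not IGEL code. Assumes the dhclient lease syntax quoted in the
thread (lease { ... } blocks, newest appended last) and that a missing
'option host-name' means DHCP did not hand the client a name at all.
"""
import re
import sys

# Constructed sample, modelled on the lease quoted in the thread: the first block
# has domain-name and fqdn.* options but no host-name; the second (hypothetical)
# block shows what a lease that does carry a host-name looks like.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address XXX.XXX.XXX.100;
  option subnet-mask 255.255.255.0;
  option domain-name "XXXXXXXXX";
  option fqdn.encoded false;
  option fqdn.no-client-update true;
  option fqdn.server-update true;
  renew 1 2020/09/28 17:03:46;
  rebind 5 2020/10/02 10:54:39;
  expire 6 2020/10/03 10:54:39;
}
lease {
  interface "eth0";
  fixed-address XXX.XXX.XXX.100;
  option host-name "IGEL0001";
  option domain-name "example.internal";
  option fqdn.no-client-update true;
  option fqdn.server-update true;
  expire 2 2020/10/06 07:18:24;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
# One statement per line: optional 'option' keyword, a name, a value, then ';'.
STMT_RE = re.compile(r"^\s*(option\s+)?([\w.-]+)\s+(.*?);\s*$", re.M)
QUOTES = "\"\u201c\u201d"  # straight quotes plus the curly ones a chat paste introduces


def parse_leases(text):
    """Return one dict per lease block, in file order (dhclient appends the newest last)."""
    leases = []
    for block in LEASE_RE.finditer(text):
        fields = {}
        for stmt in STMT_RE.finditer(block.group(1)):
            is_option, key, value = stmt.groups()
            fields[("option " if is_option else "") + key] = value.strip().strip(QUOTES)
        leases.append(fields)
    return leases


def latest_lease(leases):
    """The lease the client is currently using, or None for an empty file."""
    return leases[-1] if leases else None


def hostname_report(lease):
    """Summarise what the lease tells the client about its name and DNS registration."""
    host = lease.get("option host-name")
    domain = lease.get("option domain-name")
    return {
        "host_name": host,
        "domain_name": domain,
        "fqdn": f"{host}.{domain}" if host and domain else None,
        "name_supplied_by_dhcp": host is not None,
        # fqdn.no-client-update true = the server asked the client not to update DNS itself
        "client_may_update_dns": lease.get("option fqdn.no-client-update") != "true",
        "server_updates_dns": lease.get("option fqdn.server-update") == "true",
    }


def name_mismatch(lease, current_hostname):
    """True when DHCP supplied a host-name that differs from the name the device actually
    uses (e.g. an ITC+MAC default), so a SCEP request would not carry the DHCP name."""
    host = lease.get("option host-name")
    return host is not None and host != current_hostname


if __name__ == "__main__":
    # Usage: python lease_check.py /wfs/dhclient-<uuid>-eth0.lease [current hostname]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASE
    current = sys.argv[2] if len(sys.argv) > 2 else "ITC00E0C5259FF7"
    lease = latest_lease(parse_leases(text))
    for key, value in hostname_report(lease).items():
        print(f"{key}: {value}")
    print("mismatch:", name_mismatch(lease, current))
```

Run against the real lease file under /wfs and the output of /etc/hostname; if name_supplied_by_dhcp is False, the device never received a name from DHCP and the fix belongs on the DHCP server or in the naming policy, not in the client's DNS-registration settings.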


Just in case: ITCMACADDRESS (or sometimes UnitID) is the standard name that IGEL uses when the device boots up and has no specific hostname set.

So, what does journalctl give back after bootup:

journalctl | grep -Ei 'dhcp'


Thanks Sebastian for your answer. I think we'll go another way. We can change the name of the client in UMS, and then it updates the DNS name automatically on the next reboot.

The only "problem" we need to solve now is that the client still has its 'old' certificate, based on CN="ITCxxxxxxxx" and not "IGELxxxx" as our 802.1X provider checks.

I'll go on checking this, or do you have some input on how to solve this? How can the SCEP cert for the wrong name be renewed automatically, or let's say, cleverly for the rollout?

Thanks for your help till now!

Can we maybe renew them via UMS?


You could clean the SCEP folder once by doing something like this:

rm -rf /wfs/scep-certificates/cert0

as a final network command. Deploy it to all devices, reboot once, remove the profile, and then it's cleared up. But that's quite radical and needs to be tested😇

As an alternative you might put together a mix of SCEP commands like here: kb.igel.com/igelos-11.04/en/diagnostics-32869929.html

and kill it softly😁


Thanks! This is definitely possible. But for our rollout team it has to be as easy as possible haha… 😄

Our plan is now as follows:

1. Automatically register the device via igelrmserver; client seen as ITCxxxxxx – no profile!

2. Rename the client to our specific name IGELxxxxx, move it to the directory to apply the profile, perform the FW upgrade etc.

3. Dynamic DNS registration by profile with the right name. The SCEP cert will be enrolled with the correct CN.

4. DHCP refreshes to the hostname as well.

5. Done!

This fits great…

Many thanks for your input! It was my first experience here and this community is really helpful! Will come back again 😉 Thanks!
