
DHCP Authentication

Nosaj

Senior member
Is it possible to restrict unauthorized workstations (i.e. laptops) from obtaining an IP address from the DHCP server? I am looking to block users who bring in laptops from home and hook up to a live drop and gain access to the network. We have 18 buildings, and it's kind of hard to know what is going on in all of them at once.

We are using Windows 2000 servers with a single Active Directory domain.

Thanks.
 
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your Active Directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.
 
I don't know if your equipment would support this, but some of the very inexpensive home routers have MAC address access lists. I suppose a creative person could spoof that.
 
Originally posted by: spidey07
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your Active Directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.

Thanks, I'll check that out...

BTW, hello neighbor!

edit: spelling 😱
 
OH,

You're local. 🙂

I charge for consulting then. First important question as a consultant.

What's your budget?😉
 
Originally posted by: spidey07
OH,

You're local. 🙂

I charge for consulting then. First important question as a consultant.

What's your budget?😉

Any 2 items off of Wendy's $.99 menu!
 
Originally posted by: spidey07
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your Active Directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.


Very good guide to this here:

http://www.cs.umd.edu/~mvanopst/8021x/howto/server.html
 
Why not set up your DHCP server for only Manual Reservations? No different on the client end, but the server has a list of allowed IP addresses and a MAC address for each one.
In QIP it is called a Manual DHCP address. In Win2K DHCP it is a reservation. We use them for critical nodes that require firewall access and getting a different IP address would be a royal pain in the rear.

The client sends out a request for an address (with its MAC attached).
The server sees the MAC and looks through the database. If it does not find it, it gives out the next dynamic address (you would have to set up the server to have no dynamic addresses and all reserved addresses).
The server finds the MAC and gives out the appropriate address.

It is a rudimentary MAC filter.

Users could set up statically and still gain access if you don't have other security in place.
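
An added example, not part of the thread: with a reservations-only DHCP scope, the gap noted in the post above (statically configured hosts) can be audited by comparing the reservation list against the IP/MAC pairs the network actually sees. The function names, the finding labels and the idea of feeding it pairs exported from router or switch ARP tables are assumptions of this sketch, and all addresses are constructed sample data.

```python
import re

def norm_mac(mac):
    """Canonicalise 00-00-5E-.., 0000.5e00.., 00:00:5e:.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, observed):
    """reservations: {mac: reserved_ip}; observed: iterable of (ip, mac) pairs.
    Returns a sorted list of (ip, mac, finding) for every pair that the
    reservation list does not explain."""
    reserved = {norm_mac(mac): ip for mac, ip in reservations.items()}
    seen = {}
    for ip, mac in observed:
        seen.setdefault(norm_mac(mac), set()).add(ip)
    findings = []
    for mac, ips in seen.items():
        for ip in ips:
            if mac not in reserved:
                # The server never leased this; the host configured itself.
                findings.append((ip, mac, "no-reservation"))
            elif ip != reserved[mac]:
                findings.append((ip, mac, "wrong-ip"))
        if len(ips) > 1:
            # One MAC answering for several IPs: multihomed host or a copied MAC.
            findings.append((",".join(sorted(ips)), mac, "mac-on-multiple-ips"))
    return sorted(findings)

# Constructed sample data (documentation MAC range, private addresses).
RESERVATIONS = {
    "00-00-5E-00-53-01": "10.1.1.10",
    "00-00-5E-00-53-02": "10.1.1.11",
    "00-00-5E-00-53-03": "10.1.1.12",
}
OBSERVED = [
    ("10.1.1.10", "00:00:5e:00:53:01"),  # matches its reservation
    ("10.1.1.50", "0000.5e00.5399"),     # MAC with no reservation
    ("10.1.1.60", "00:00:5e:00:53:02"),  # reserved MAC on a different IP
    ("10.1.1.12", "00:00:5e:00:53:03"),  # matches its reservation
    ("10.1.1.77", "00:00:5e:00:53:03"),  # same MAC seen on a second IP
]

if __name__ == "__main__":
    for ip, mac, finding in audit(RESERVATIONS, OBSERVED):
        print(f"{finding:20} {mac}  {ip}")
```

A host that copies a reserved MAC and its reserved IP while the real owner is offline produces no finding here, which is why the thread's 802.1x suggestion is the stronger control.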



 