DHCP Authentication

Nosaj

Senior member
Sep 11, 2002
336
0
0
Is it possible to restrict unauthorized workstations (i.e. laptops) from obtaining an IP address from the dhcp server? I am looking to block users who bring in laptops from home and hook up to a live drop and gain access to the network. We have 18 buildings, and it's kind of hard to know what is going on in all of them at once.

We are using Windows 2000 servers with a single active directory domain.

Thanks.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your active directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.
 

skyking

Lifer
Nov 21, 2001
22,788
5,944
146
I don't know if your equipment would support this, but some of the very inexpensive home routers have MAC address access lists. I suppose a creative person could spoof that.
 

Nosaj

Senior member
Sep 11, 2002
336
0
0
Originally posted by: spidey07
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your active directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.

Thanks, I'll check that out...

BTW, hello neighbor!

edit: spelling :eek:
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
OH,

You're local. :)

I charge for consulting then. First important question as a consultant.

What's your budget?;)
 

Nosaj

Senior member
Sep 11, 2002
336
0
0
Originally posted by: spidey07
OH,

You're local. :)

I charge for consulting then. First important question as a consultant.

What's your budget?;)

Any 2 items off of Wendy's $.99 menu!
 

Agamar

Golden Member
Oct 9, 1999
1,334
0
0
You could also use something like Netreg. It makes each user authenticate themselves before they can get to the internet.
 

randal

Golden Member
Jun 3, 2001
1,890
0
76
Originally posted by: spidey07
Nosaj,

DHCP doesn't have that option.

BUT - you can use 802.1x authentication. Basically the switch will proxy your active directory requests. If you pass then you get an address and continue on your merry way. If not then no IP and the port doesn't allow you to talk.

I'll be implementing it here very soon using MS certificates.


Very good guide to this here:

http://www.cs.umd.edu/~mvanopst/8021x/howto/server.html
 

SgtBuddy

Senior member
Jun 2, 2001
597
1
0
Why not set up your DHCP server for only Manual Reservations? No different on the client end, but the server has a list of allowed IP addresses and a MAC address for each one.
In QIP it is called a Manual DHCP address. In Win2KDHCP it is a reservation. We use them for critical nodes that require firewall access and getting a different IP address would be a royal pain in the rear.

The client sends out a request for an address (with its MAC attached).
The server sees the MAC and looks through the database; if it does not find it, it gives out the next dynamic address (you would have to set up the server to have no dynamic addresses and all reserved addresses).
The server finds the MAC and gives out the appropriate address.

It is a rudimentary MAC filter.

Users could set up statically and still gain access if you don't have other security in place.
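The reservation-only scheme described in this post, as an added example (not code from any poster): a lookup that answers only known MACs, plus a check of DHCP server audit-log lines for leases handed to MACs outside the reservation table. The reservation table, the log lines and the column layout used here are constructed for illustration.

```python
"""Reservation-only DHCP as a MAC allow-list, plus an audit-log check.

Added example for this thread, not any poster's code. The reservation
table, the audit-log lines and the column layout (ID,Date,Time,
Description,IP Address,Host Name,MAC Address) are constructed here.
"""
import csv
import io


def norm_mac(mac: str) -> str:
    """Normalise a MAC so '00-0A-..', '00:0a:..' and '000a..' compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


# Constructed reservation table: MAC -> reserved address.
RESERVATIONS = {
    norm_mac("00-0A-E4-11-22-33"): "10.1.5.20",
    norm_mac("00-0A-E4-44-55-66"): "10.1.5.21",
}


def offer_for(mac: str, reservations=RESERVATIONS):
    """Reservation-only scope: answer a request only for a known MAC.
    With no dynamic pool there is no 'next free address' to fall back to."""
    return reservations.get(norm_mac(mac))


# Constructed audit-log lines (ID 10 = Assign, 11 = Renew).
AUDIT_LOG = """\
10,09/12/02,08:01:12,Assign,10.1.5.20,HOST1.example.local,000AE4112233
11,09/12/02,08:03:40,Renew,10.1.5.21,HOST2.example.local,000AE4445566
10,09/12/02,08:10:05,Assign,10.1.5.77,LAPTOP.home,000AE4DEADBF
"""


def leases_to_unknown_macs(log_text: str, reservations=RESERVATIONS):
    """Return (ip, mac) for every Assign/Renew whose MAC has no reservation
    or received an address other than its reserved one. Under a
    reservation-only scope this should be empty; a hit means a dynamic
    range still exists or a scope is misconfigured."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue
        ip, mac = row[4], norm_mac(row[6])
        if reservations.get(mac) != ip:
            hits.append((ip, mac))
    return hits


if __name__ == "__main__":
    print(offer_for("00:0a:e4:11:22:33"))     # 10.1.5.20
    print(offer_for("00:0a:e4:de:ad:bf"))     # None
    print(leases_to_unknown_macs(AUDIT_LOG))  # [('10.1.5.77', '000ae4deadbf')]
```

As the post notes, this only governs what the DHCP server hands out; a host with a statically configured address never asks and is not caught by either check.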



 

Nosaj

Senior member
Sep 11, 2002
336
0
0
With 3000 machines and 36 DHCP servers, reservations are impossible with our current staffing.