Securing Network with MAC address

[Matthew Storman]

Server1 is running DHCP, DNS, AD.
Server2 a workgroup.

The following is specific to Server1 and Server2:

How can I lease IP addresses based upon specific MAC
addresses. I know how to restrict an IP address to a
certain MAC address, however this is not what I want to
do.

Is this possible? This will prevent unauthorized
computers from being leased an IP address from the DHCP
server, especially for Server2.

Thanks,

Matthew

 

[Marc Reynolds [MSFT]]

DHCP doesn't have any security of this type. The best you could do with DHCP
is to create a reservation for every "authorized" client and then exclude
any unreserved IP address left in your scope.

A more expensive solution that is closer to what you are looking for is
setting up your network for 802.1x authentication which requires hardware
(switches) that support 802.1x.


--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven L Umbach]

You could create a dhcp scope that only has reservations for the computers in the
domain, though that may not be practical for a network larger that a few dozen
computers. That may still not stop someone from using static ip configuration to gain
access to your network. If you can separate the workgroup with a router, they would
not be able to get dhcp leases unless router forwards broadcasts. Otherwise you will
need to look into mac filtering switches, 802.1x authenticating switches, or possibly
ipsec policies in the domain to prevent access to domain resources since kerberos
machine authentication would be needed to access domain machines. --- Steve