Disallow specific Mac Addresses to get IP Address from DHCP Server

Guest

I know that we can specify which MAC addresses get an IP address, but since
we have a huge list of computers that require an IP address I think it would
be easier and a shorter, much shorter list, to specify computers that
shouldn't get an IP address. From a school point of view, we have around 300
computers that talk to the DHCP server running Windows 2000, and every once in a
while we have a student or teacher that brings in his/her own computer and
tries to connect to the network. When they do, the DHCP logs this and gives
them an IP address. When I do a regular scan of the IP addresses released, I
will notice computer names that aren't ours, so I would like to write down
the MAC address of that computer and would like to tell the DHCP server to no
longer allow it to give an IP address to that MAC address. Can this be done?
We would like to prevent the computer that is brought into our school that
doesn't belong here to not get a future IP address as we can't prevent them
until we get the MAC Address and we don't want to have to log all 300
computers that can. Is this possible?

Thank you.

Gary
 
Bob I

You could assign a "bogus" IP address to the "bad" MAC address which
would accomplish that effect.
 
3c273

Probably not an effective strategy since MAC addresses can be spoofed. And
once one student (or teacher) finds out......
Louis
 
Guest

I tried entering in a bogus IP address in the reservations section and it
doesn't allow me to. I have to put an address that matches the scope. If
the scope is for 10.7.16.0 and I try entering anything other than something
that starts with 10.7. then it says "The specified DHCP client is not a
reserved client." Any suggestions?
 
Guest

What do you suggest?

3c273 said:
Probably not an effective strategy since MAC addresses can be spoofed. And
once one student (or teacher) finds out......
Louis
 
3c273

As far as I know, DHCP doesn't really provide security. Even if you map all
300 MACs to IP reservations and exclude the rest of the IPs, all anyone has
to do is use a static IP address in your network range. I suppose you could
reserve the rest of the IPs in your scope with bogus MACs but that would
require the other 300 reservations to be assigned and this would certainly
be a maintenance nightmare. Sorry I can't be more help, I was just looking
at the problem from a "How would I get around that?" standpoint. You might
google for "802.1x authentication" for a more robust solution.
Louis
 
Bob I

All I find are "scripting" solutions, which would probably not work out
for you either.
 
Phillip Windell

3c273 said:
As far as I know, DHCP doesn't really provide security.

That is correct. DHCP is a convenience tool,...not a security tool. If you
have a high security situation, then you don't deploy DHCP, it's pretty much
that simple. You can also create additional subnets where DHCP isn't
deployed while having other less secure subnets where it is deployed.
Building security is another vital part of security,...people should not
have wall jacks available to them that connect them to parts of the network
they aren't supposed to be on.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
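
The manual lease scan described in the first post can be scripted. The following is an added example, not code from anyone in this thread: it checks lease events in a DHCP audit log against an inventory and reports unknown MACs as well as known MACs that show up under a different host name. The comma-separated log layout and the event IDs 10 (new lease) and 11 (renewal) are assumptions, the inventory and log lines are constructed, and a machine with a static address never appears in this log at all.

```python
import csv
import io

# Constructed inventory of school-owned machines: MAC -> expected host name.
INVENTORY = {
    "00:0D:56:A1:B2:C3": "LAB1-PC01",
    "00:0D:56:A1:B2:C4": "LAB1-PC02",
}

# Constructed sample lines in the audit-log layout assumed here (see header row).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,07:00:01,Started,,,
10,03/14/05,08:01:12,Assign,10.7.16.21,LAB1-PC01,000D56A1B2C3
11,03/14/05,08:05:40,Renew,10.7.16.22,LAB1-PC02,000D56A1B2C4
10,03/14/05,09:30:02,Assign,10.7.16.57,JENS-LAPTOP,0011223344FE
10,03/14/05,10:12:45,Assign,10.7.16.21,HOMEBOX,000d56a1b2c3
"""

LEASE_EVENTS = {"10", "11"}  # assumed IDs: 10 = new lease, 11 = renewal


def normalize_mac(raw):
    """Return a MAC as upper-case colon-separated hex, or None if malformed."""
    digits = "".join(c for c in raw if c not in ":-. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_foreign_leases(log_text, inventory):
    """Return (reason, mac, host, ip) for each lease not matching inventory."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        mac = normalize_mac(row[6]) if len(row) >= 7 else None
        if mac is None or row[0].strip() not in LEASE_EVENTS:
            continue  # header, service events, short or damaged lines
        ip, host = row[4].strip(), row[5].strip()
        expected = inventory.get(mac)
        if expected is None:
            findings.append(("unknown-mac", mac, host, ip))
        elif host.split(".")[0].upper() != expected.upper():
            # Known MAC under a different host name: possible spoofed MAC.
            findings.append(("name-mismatch", mac, host, ip))
    return findings


if __name__ == "__main__":
    for finding in find_foreign_leases(SAMPLE_LOG, INVENTORY):
        print(*finding)
```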
 
