Restrict DHCP

Harry

Hi!

I want to restrict users from plugging their laptops into network points
and getting an IP from DHCP and accessing the internet. I checked a couple of sites but
they are mentioning VLAN or 802.1x authentication - which I believe needs some
investment to implement.

Of course I did not patch all the network outlets to the network, but people
at times plug in their laptops to a couple of 4 port switches in the office
at some places and are getting hooked.

Is there an easier way to restrict users? Like some file with all the
allowed MAC addresses - so that whenever an alien laptop is plugged in, the DHCP
server checks the file - if the MAC address is in the list it issues an IP, otherwise
it denies.

Thanks in advance
Regards
Harry
 
Pegasus (MVP)

Harry said:
Hi!

I want to restrict users from plugging their laptops into network points
and getting an IP from DHCP and accessing the internet. I checked a couple of sites but
they are mentioning VLAN or 802.1x authentication - which I believe needs some
investment to implement.

Of course I did not patch all the network outlets to the network, but people
at times plug in their laptops to a couple of 4 port switches in the office
at some places and are getting hooked.

Is there an easier way to restrict users? Like some file with all the
allowed MAC addresses - so that whenever an alien laptop is plugged in, the DHCP
server checks the file - if the MAC address is in the list it issues an IP, otherwise
it denies.

Thanks in advance
Regards
Harry

Some routers let you set up rules that permit/deny specific MAC
addresses access to the Internet.
 
Harry

Thank you,
But can I make the DHCP "not to issue" an IP in the first place? So that
whoever plugs in an alien PC will not get an IP and cannot infect the
network with a virus he may have.
Many Thanks
Harry
 
David Parkes

Or you could just use ISA.

Harry said:
Thank you,
But can I make the DHCP "not to issue" an IP in the first place? So that
whoever plugs in an alien PC will not get an IP and cannot infect the
network with a virus he may have.
Many Thanks
Harry
 
Bruno Campanini

Harry said:
Hi!

I want to restrict users from plugging their laptops into network
points and getting an IP from DHCP and accessing the internet. I checked a couple of
sites but they are mentioning VLAN or 802.1x authentication - which I
believe needs some investment to implement.

Of course I did not patch all the network outlets to the network, but
people at times plug in their laptops to a couple of 4 port switches in
the office at some places and are getting hooked.

Is there an easier way to restrict users? Like some file with all the
allowed MAC addresses - so that whenever an alien laptop is plugged in, the
DHCP server checks the file - if the MAC address is in the list it issues an IP,
otherwise it denies.

Thanks in advance
Regards
Harry

I've acted this way.
Suppose the following situation:

Net Addr      192.168.1
Router        192.168.1.254
DC            192.168.1.10
10 Clients    192.168.1.11, 12, ... 20

Define:
DHCP Pool     192.168.1.1    192.168.1.254
DHCP Excl     192.168.1.1    192.168.1.10
              192.168.1.21   192.168.1.254
DHCP Reserv   192.168.1.11   MAC Addr
              192.168.1.12   ""
              ..........     ""
              192.168.1.20   ""

At this point, in Event Viewer/System you'll see a DHCPServer Warning:
"Scope 192.168.1.0 is 100 per cent full with only 0 IP addresses remaining."

It seems to be working ok with me, but I'm very new to WinServer 2003;
possibly some "side effects" not yet detected.

Bruno
 
Richard G. Harper

Microsoft's DHCP server does not include this capability without some form
of help, as you've already discovered.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Phillip Windell

Harry said:
Thank you,
But can I make the DHCP "not to issue" an IP in the first place?

No.

There is technology concerning this, but it is in an infancy stage,..very
$$$,..very complex,...and not fully standardized,...and in my opinion, not
very dependable.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
 
Phillip Windell

Your subject "Restrict.....DHCP" is pretty much an oxymoron. DHCP is a
convenience tool, not a security tool,...if security is allowed to become
based on the client's IP#, then DHCP can no longer be used. So if DHCP is
used then IP#s can never be allowed to be the focus of the security. One
guy suggested ISA Server, that is a good choice because it lets the security
focus be on a variety of other objects instead of the IP#s.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
dilan.weerasinghe

Harry said:
Hi!

I want to restrict users from plugging their laptops into network points
and getting an IP from DHCP and accessing the internet. I checked a couple of sites but
they are mentioning VLAN or 802.1x authentication - which I believe needs some
investment to implement.

Of course I did not patch all the network outlets to the network, but people
at times plug in their laptops to a couple of 4 port switches in the office
at some places and are getting hooked.

Is there an easier way to restrict users? Like some file with all the
allowed MAC addresses - so that whenever an alien laptop is plugged in, the DHCP
server checks the file - if the MAC address is in the list it issues an IP, otherwise
it denies.

Thanks in advance
Regards
Harry

Cisco Catalyst switches have a function called Port Security that
allows only pre-configured MAC addresses to access that port...

Thanks,
Dilan
 
Guest

How many IP Addresses? Why not use "Manual DHCP" a term I made up as a joke
at one time. Create your IP scope and options, then create DHCP reservations
for the devices you want to get addresses and only open the assignable range
for these addresses. This way there will be no available addresses for the
alien laptops and you can still benefit by a centrally managed IP scheme and
scope options. Downside is if you have a lot of devices, this is just not
practical.
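
The reservation-only scope that Bruno and Guest describe above, generated from the kind of allowed-MAC file Harry asks about; this is an added example, not part of any post in the thread. The MAC addresses, host names and function names are constructed for illustration, and the scope is assumed to exist already with Bruno's 192.168.1.1 to 192.168.1.254 pool; the emitted lines use the Windows DHCP server's `netsh dhcp server scope ... add excluderange` and `add reservedip` commands.

```python
import ipaddress
import re

# Constructed allowlist: hypothetical MACs and host names, one pair per line.
ALLOWLIST = """\
00-11-22-33-44-01 pc01
00:11:22:33:44:02 pc02   # separators may vary
0011.2233.4403    pc03
"""

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, the form netsh expects."""
    mac = re.sub(r"[-:.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"bad MAC address: {raw!r}")
    return mac

def parse_allowlist(text):
    """Parse 'MAC hostname' lines; reject malformed and duplicate MACs."""
    seen, entries = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        raw, name = line.split()
        mac = normalize_mac(raw)
        if mac in seen:
            raise ValueError(f"duplicate MAC address: {raw}")
        seen.add(mac)
        entries.append((mac, name))
    return entries

def build_commands(entries, scope="192.168.1.0",
                   pool=("192.168.1.1", "192.168.1.254"),
                   first_client="192.168.1.11"):
    """Reserve consecutive addresses and exclude the rest of the pool."""
    lo, hi, first = (ipaddress.IPv4Address(a) for a in (*pool, first_client))
    last = first + len(entries) - 1
    if not entries or first < lo or last > hi:
        raise ValueError("reservations do not fit inside the pool")
    ctx = f"netsh dhcp server scope {scope}"
    cmds = []
    if first > lo:  # everything below the first reservation
        cmds.append(f"{ctx} add excluderange {lo} {first - 1}")
    if last < hi:   # everything above the last reservation
        cmds.append(f"{ctx} add excluderange {last + 1} {hi}")
    for offset, (mac, name) in enumerate(entries):
        cmds.append(f"{ctx} add reservedip {first + offset} {mac} {name}")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(parse_allowlist(ALLOWLIST))))
```

This only controls which clients the DHCP server will lease to; it does not authenticate devices, which is why the thread also points to 802.1x, switch port security and ISA.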
 
