Stop DHCP from giving out IPs to computers that do not have valid domain accounts.
-
Saturday, 02 February 2008 2:53
At my company we have a DHCP server that happily gives out IP addresses to everyone.
"Everyone is the problem"
Since DHCP, as far as I am aware, does not have any inbuilt auth capabilities, does anyone
have a solution whereby IP addresses can be dynamically assigned based on valid user
credentials?
I know that MS has introduced NAP, but I am trying to limit users from just jacking into the network
and getting a free IP address from the Win 2008 server.
Could it be done with RADIUS instead?
Any insight or comments would be very welcome.
Thanks Paul.
All replies
-
Saturday, 02 February 2008 11:58
What you are asking is just plain impossible.
How on earth would you use any authentication if you do not provide an IP first?
No IP = no connection = no authentication possibility.
-
Saturday, 02 February 2008 18:23
Correct, you cannot authenticate until you have an IP.
However, you can use NAP with DHCP "enforcement" and make domain membership one of the things you require. It won't stop someone from just stealing an IP address, but it will provide the best control you can get.
-
Sunday, 03 February 2008 20:31
Using dynamic VLANs is another approach. This requires registering MAC addresses.
-
Monday, 04 February 2008 15:27
Yes, that would work, but it brings a lot of baggage to the table.
When a PC comes up on the network it does a broadcast (if it's configured) for DHCP.
Within the broadcast packets is the PC name requesting an IP address from the DHCP
server.
I wonder if it would be possible to have the MS DHCP server modified to check for
valid machine names against AD based on the initial packets of info received by
the DHCP server.
So let's say the computer name was "Joe" and Joe hooks his PC up to the network.
The DHCP server checks the machine name against AD. If a record for Joe exists it does
an ACK and gives out a valid IP. If the calling machine is not valid then "kaBoom":
NO IP is given out.
I read somewhere on an MS site some time ago that the API could be modified to handle this,
or the functionality does exist in the API, but for the life of me I can't seem to find the reference.
Thanks Paul.
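The check proposed in this post can be tried out on the wire format. The following is an added example, not code from the thread or from the Microsoft DHCP server: it builds a DHCPDISCOVER the way a client would (RFC 2131 fixed header, RFC 2132 options), extracts the fields a server actually receives (the MAC in chaddr, option 12 host name, option 53 message type, option 61 client identifier), and applies a "is this name known?" check. The allow list standing in for an AD lookup, the MACs and the host names are all constructed for the example. The second packet shows the limitation the other replies point at: every one of those fields is client-supplied, so a rogue machine that calls itself "Joe" passes the name check, and binding the name to a MAC only raises the bar to a MAC change.

```python
"""Parse a DHCPDISCOVER and apply a host-name / MAC allow-list check.

Added example (not part of the original thread). The packets, the MACs and
KNOWN_COMPUTERS are constructed; KNOWN_COMPUTERS stands in for the
"does AD have a computer account with this name?" lookup the post proposes.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 option-field marker
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_CLIENT_ID = 12, 53, 61
DHCPDISCOVER = 1

# Constructed stand-in for an AD computer-account lookup: name -> recorded MAC.
KNOWN_COMPUTERS = {"JOE": "00:11:22:33:44:55"}


def build_discover(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER exactly as a client would send it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,  # siaddr, giaddr
        mac.ljust(16, b"\0"),  # chaddr (16 bytes, first hlen are the MAC)
        b"\0" * 64, b"\0" * 128,  # sname, file
    )
    name = hostname.encode()
    options = (
        MAGIC_COOKIE
        + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_CLIENT_ID, 1 + len(mac), 1]) + mac   # type 1 = Ethernet
        + bytes([OPT_HOST_NAME, len(name)]) + name
        + bytes([OPT_END])
    )
    return header + options


def parse_discover(packet: bytes) -> dict:
    """Return what a server can see: the MAC from chaddr and the option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"chaddr": chaddr, "options": options}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decide(packet: bytes, known=KNOWN_COMPUTERS) -> tuple:
    """The check from the post: lease only if the host name is known."""
    opts = parse_discover(packet)["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False, "not a DISCOVER"
    name = opts.get(OPT_HOST_NAME, b"").decode(errors="replace").upper()
    if name not in known:
        return False, f"host name {name!r} unknown"
    return True, f"host name {name!r} is known"


def decide_bound(packet: bytes, known=KNOWN_COMPUTERS) -> tuple:
    """Same check, plus require chaddr to match the MAC recorded for that name."""
    allow, reason = decide(packet, known)
    if not allow:
        return allow, reason
    fields = parse_discover(packet)
    name = fields["options"][OPT_HOST_NAME].decode(errors="replace").upper()
    seen = mac_str(fields["chaddr"])
    if known[name] != seen:
        return False, f"host name {name!r} known but MAC {seen} does not match"
    return True, reason


if __name__ == "__main__":
    legit = build_discover(bytes.fromhex("001122334455"), "Joe")
    rogue = build_discover(bytes.fromhex("deadbeef0001"), "Joe")  # spoofed name
    for label, pkt in (("legit", legit), ("rogue", rogue)):
        print(label, "name check:", decide(pkt), "| name+MAC:", decide_bound(pkt))
```

Both functions return their decision rather than printing it, so the same logic could sit behind a real DHCP callout; the point of the second packet is that neither check authenticates anything, since the name and the MAC are whatever the client chooses to send.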
-
Monday, 04 February 2008 15:44
As I said before, you cannot do that with a DHCP server, as your PC 'Joe' will need an IP to connect first anyway.
Your only option for what to do is as described above, complex maybe, but if you want it that way, you will need to do it that way.
I have no idea about how many 'legit' PCs you are talking about, but if it is not too many, you may consider fixed IPs without DHCP, or add all MAC addresses to the firewall or so.
Another thing you should actually be more worried about is: how is it possible that a non-legit PC can just hook up to the network anyway? That does not sound like a very disciplined IT environment...
-
Wednesday, 06 February 2008 8:33
Hi,
You may consider using 802.1X, IPSec or NAP to secure the network. The following documents should be helpful:
IEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft Windows
Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab
Server and Domain Isolation Using IPsec and Group Policy
By the way, only controlling the IP lease on DHCP is not sufficient for securing a network. For example, some end users can assign static IPs to bypass it.
Hope this helps.
David Shen
Microsoft Online Community Support
-
Thursday, 07 February 2008 19:23
Thanks David.
I think this document will be a big help.
Server and Domain Isolation Using IPsec and Group Policy
Looks like a winner for now.
Thanks Paul.
-
Friday, 25 April 2008 20:13
What I have done at my workplace is:
Whenever I see an unknown computer leasing an IP, I note down the MAC address of that computer.
I have some additional space in my scope for such computers to assign a RESERVED IP.
So I assign this computer an IP associated with that MAC address. Then, I configure that reserved IP to use
FAKE (false) values for:
003 Router
004 Time Server
005 Name Server
006 DNS Server
015 DNS Domain Name
At the end of the day, I stop the DHCP service, delete and clean all the dynamic address leases, and then restart the DHCP service. The only catch for people to get the network going after all this is: if they know the default gateway IP and DNS IP, and hence they create their static IP assignment. If they take that route, they are in trouble: I have the GHOST server app on my server. I send down the client to their machine and then you know .......
I would really appreciate comments on this to help me improve upon what I do more in this regard.
Thanks
Adil
adil_a_bhatia@hotmail.com
-
Friday, 25 April 2008 20:56
Jeee, what a lot of work!
If you spend time doing that, you would be better off noting the MAC addresses of the 'allowed' PCs and blocking everything else; that saves you all that daily work.