DHCP - Filters and Block policies.

  • Question

  • Hi all,

    Client has a basic setup...Domain Controller (2012 R2 Functional Level)...running NAP, DNS and DHCP. The DHCP has three scopes.

    1. 172.19.2.0/24 - Cabled LAN

    2. 172.19.25.0/24 - Corporate Wifi

    3. 172.19.7.0/24 - Guest Wifi

    I need to block smart phones and tablets on the Corporate Wifi only!

    I can enable Deny Filter and add the devices to the deny list but this is a global setting as far as I can tell so it also blocks them from the Guest Wifi.

    What about 'Policies'? I see policies can be applied to a scope and/or the entire DHCP.

    Anyone have any good articles or advice on how to use Vendor specific MAC filtering in a policy that I can apply to my Corporate Wifi scope?

    Perhaps NAP is the answer...but again I cannot see how I differentiate laptops from iPhones in NAP?

    As always, thanks in advance.

    durrie.

    Friday, November 24, 2017 8:57 AM

All replies

  • Hi,

    >>I can enable Deny Filter and add the devices to the deny list but this is a global setting as far as I can tell so it also blocks them from the Guest Wifi.

    Could you enable the DHCP Allow Filter?

    If there are too many clients, you could use the PowerShell command: Add-DhcpServerv4Filter

    For more information about the DHCP commands, please refer to the following article:

    https://blogs.technet.microsoft.com/teamdhcp/2012/11/10/dhcp-mac-address-filter-management-made-easy-with-dhcp-powershell/

    >>Anyone have any good articles or advice on how to use Vendor specific MAC filtering in a policy that I can apply to my Corporate Wifi scope?

    There is a related article for you:

    Vendor-Specific Attributes in NPS

    https://technet.microsoft.com/en-us/library/cc754417%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,
    Frank



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, November 27, 2017 9:34 AM
  • Hi Frank,

    Thanks for the response, still stuck on this one, it seems the required functionality is not yet built into DHCP.

    1. Allow \ Deny filters are applied globally so do not work in this case as I want to deny access to one scope only.
    2. Policies it seems are also not really designed to work with my intended option which is to 'Deny' access. Policies are designed to 'Allow' access with predefined DHCP options. While I could use this to assign 'bogus' IP settings this is not a real solution.

     

    Monday, November 27, 2017 2:01 PM
  • Hi,

    In general, there is no built-in function which provides scope-level filtering in DHCP.

    >>Policies it seems are also not really designed to work with my intended option which is to 'Deny' access. Policies are designed to 'Allow' access with predefined DHCP options. While I could use this to assign 'bogus' IP settings this is not a real solution.

    Yes, it is a workaround.


    Scope-level Link layer filtering using DHCP Policies in Windows Server 2012


    https://blogs.technet.microsoft.com/teamdhcp/2012/09/15/scope-level-link-layer-filtering-using-dhcp-policies-in-windows-server-2012/

    Best Regards,

    Frank



    Tuesday, November 28, 2017 2:15 AM
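
The workaround discussed above (a policy on the Corporate Wifi scope only, matching on MAC prefix and handing out unusable settings) could look like the following. This is an added example, not code from the thread or the linked article; the policy name, MAC prefixes, quarantine range and dead-end address are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. Run on the DHCP server (DhcpServer module,
# Windows Server 2012 or later) in an elevated session.
Import-Module DhcpServer

$ScopeId    = '172.19.25.0'        # Corporate Wifi scope from the question
$PolicyName = 'Quarantine-Mobile'  # hypothetical policy name

# Constructed placeholder prefixes; replace with vendor prefixes seen in your own leases.
$MobilePrefixes = @('AABBCC*', 'DDEEFF*')

# Assumed free slice of the scope, set aside for devices that match the policy.
$RangeStart = '172.19.25.240'
$RangeEnd   = '172.19.25.247'

# Assumed address excluded from the pool with no host behind it,
# handed out as gateway and DNS server.
$DeadEnd = '172.19.25.239'

$existing = Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    # Scope-level policy: the Cabled LAN and Guest Wifi scopes never evaluate it.
    Add-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName `
        -Description 'Phones and tablets: lease with unusable options' `
        -Condition OR -MacAddress (@('EQ') + $MobilePrefixes) -ProcessingOrder 1

    # Matching clients are served only from this sub-range.
    Add-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name $PolicyName `
        -StartRange $RangeStart -EndRange $RangeEnd
}

# Policy-level options override the scope options for matching clients.
# -Force skips the check that the DNS server address actually answers.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName `
    -Router $DeadEnd -DnsServer $DeadEnd -Force

# Review: the policy as stored, then any leases it has issued so far.
Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName |
    Format-List Name, Enabled, ProcessingOrder, Condition, MacAddress
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.PolicyName -eq $PolicyName } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

A DHCP policy only shapes the lease that is offered: a device with a static address or a changed or randomized MAC address is not affected, so treat this as a convenience filter and enforce access at the wireless authentication layer.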

  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank


    Friday, December 1, 2017 10:23 AM
  • Hi Frank,

    Apologies for the delayed response, indeed I did vote your last reply as helpful from what I have managed to read on the link thus far. I will need to pore over it in more detail and do some testing before deciding if a solution is able to be marked down here.

    Thanks again,

    durrie

    Tuesday, January 16, 2018 10:53 AM