wireless addresses

  • Question

  • Hello - I'm looking for a way to block non-domain mobile wireless devices from getting a DHCP address; they are filling up our DHCP scopes.

    I found a way to do this by user account, but then their domain laptops got blocked and had to be tethered. I know I can do this using filtering in DHCP, but that relies on manual config and monitoring.

    Any ideas?

    Friday, May 9, 2014 12:34 PM

Answers

  • Hi,

    We think you can use NAP enforcement for DHCP to block non-domain mobile wireless devices from getting a DHCP address.

    DHCP enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address.

    To deploy DHCP servers with Network Policy Server (NPS) and Network Access Protection (NAP), follow the steps below:

    Note: For your deployment, you may skip some of these steps, depending upon your requirements.

    1. Install the DHCP server role on the local or a remote computer.
    2. If DHCP is installed on a remote computer with NPS, configure NPS as a RADIUS proxy. Use the New Remote RADIUS Server Group Wizard to create a remote server group with one or more RADIUS servers to which RADIUS messages are forwarded. Configure RADIUS ports and shared secrets that are common to both the NPS proxy server and the RADIUS servers (to which requests are forwarded).
    3. In the DHCP MMC snap-in, enable NAP for individual scopes or for all scopes configured on the DHCP server.
    4. On the DHCP-NPS proxy server, use the New Connection Request Policy Wizard to create a connection request policy to forward connection requests and accounting information to the remote RADIUS server group.
    5. Configure the DHCP-NPS proxy servers as RADIUS clients on the local RADIUS server (to which requests are forwarded).
    6. If you want to perform authorization by group, create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to obtain an IP address from DHCP servers.
    7. On NAP-capable client computers, enable the Network Access Protection service and change the startup type to automatic.
    8. On NAP-capable client computers, enable the DHCP enforcement client.
    9. If you are using the Windows Security Health Validator (WSHV) in your NAP deployment, enable Security Center on NAP-capable clients using Group Policy.
    10. In NPS, if you are deploying remediation servers so that clients can automatically update their configuration in compliance with health policy, configure Remediation Server Groups.
    11. In NPS, configure the WSHV or install and configure other system health agents (SHAs) and system health validators (SHVs).
    12. In NPS, configure health policies, connection request policies, and network policies that enforce NAP for DHCP.
    13. Ensure that NPS network policy constraints allow computer health checks.

    For detailed information, view the link below:

    Checklist: Configure NAP Enforcement for DHCP

    http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx

    Hope this helps.

    Steven Lee

    TechNet Community Support

    • Marked as answer by jamicon Monday, May 19, 2014 12:33 PM
    Monday, May 12, 2014 6:15 AM
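
The scriptable parts of the checklist above (steps 3, 7 and 8), plus a check for scopes still left without NAP, as an added example that is not part of the original answer. It assumes Windows Server 2012 or 2012 R2 with the DhcpServer PowerShell module; the server name and scope ID are constructed placeholders.

```powershell
# Added example, not from the original thread.
# Placeholders (constructed): replace with your own values.
$DhcpServer = 'dhcp01.example.test'   # hypothetical DHCP server name
$ScopeId    = '10.20.0.0'             # hypothetical wireless scope

# Step 3: enable NAP on one scope, then read the setting back.
# Run from an admin host that has the DhcpServer module installed.
function Enable-ScopeNap {
    param([string]$ComputerName, [string]$Scope)
    Set-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $Scope -NapEnable $true
    Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $Scope |
        Select-Object ScopeId, Name, NapEnable, NapProfile
}

# Audit: list every scope on the server where NAP is still off, so a
# scope that was missed does not keep handing out unrestricted leases.
function Get-ScopeWithoutNap {
    param([string]$ComputerName)
    Get-DhcpServerv4Scope -ComputerName $ComputerName |
        Where-Object { -not $_.NapEnable } |
        Select-Object ScopeId, Name, State
}

# Steps 7 and 8: run elevated on each NAP-capable client
# (or push the same settings through Group Policy).
function Enable-DhcpNapClient {
    # Step 7: NAP agent service set to automatic start and started now.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # Step 8: 79617 is the ID of the DHCP Quarantine Enforcement Client.
    netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh nap returned exit code $LASTEXITCODE"
    }

    # Show the agent and enforcement client state for verification.
    netsh nap client show state
}

# Typical use:
#   Enable-ScopeNap -ComputerName $DhcpServer -Scope $ScopeId
#   Get-ScopeWithoutNap -ComputerName $DhcpServer
#   Enable-DhcpNapClient        # on the client itself
```

NAP was deprecated in Windows Server 2012 R2 and is not present in Windows Server 2016 and later, so these cmdlet parameters and the `netsh nap` context apply only to the older releases.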

All replies

  • Hi,

    I just want to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Steven Lee

    TechNet Community Support

    Friday, May 16, 2014 1:37 AM