Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 700
  • Last Modified:

Restrict LAN access if not logged on to domain

I have a WAN setup (vpn tunnels), windows 2003 standard server, all xp pro clients, all computers on active directory, 1 dhcp server (also functioning as dns) giving out IP's, c class.

I want to restrict access to any computer that is not part of the domain (logged in with a username and password - so joined to the domain).

How do I prevent the DHCP server from assigning non-domain computers an IP address?  what hardware and/or software do i need? How does the configuration look like?

If I have a visitor that needs to pluggin to the network, but I don't want to join his/her personal laptop to domain in order to gain access to Internet/email only - what is the workaround there?
  • 2
1 Solution
Domain login, computer name and such are on a completely different level than DHCP.  The only thing I can think of is setting up your DHCP server in such way that it will only deliver IP-addresses to known network-interfaces based on their MAC-addresses.

This is because how a DHCP broadcast works.  When a client comes online and searches for a DHCP-server, it only communicates it's MAC-address through ISO layer 2 and is replied a response from the DHCP-server with a suitable IP-address and other configuration.  If the DHCP-server would now not react to any unknown MAC-addresses, you would have your sort of safety.

However, this is not 100% secure.  If someone would set up a fixed IP address in the DHCP range, they would get LAN access too.

The only option you then have is to define your switches to only offer LAN access if the broadcasting network interface's MAC-address is known.  Similar to MAC-allow-lists in wireless switches, access points and routers, you would be able to allow a certain network interface to talk to other network interfaces and the router on the network.
whermans hit it right on.

The MAC list solution above can be good - depending on your goal: preventing hacking or preventing your users from plugging in unathorized devices. As with the wireless vulnerability, the hacker can define his own MAC address and pound the switch until he finds one that works. The casual user plugging in a $30 WAP or any other unauthorized device you don't want on the network would be thwarted.

Just my 2 cents
calpoly1Author Commented:
is there an easy way to identify systems (via MAC address) that are already on my domain?

That way I can add all systems and exclude everything else?  I have Cisco 2950 switches by the way.

Do I only setup the switch where my ISP router is connected to?
What DHCP are you using? I know with Microsoft's DHCP you can go to the Active Leases window of that scope and it displays the MAC addresses in the Unique ID column. Even cheap home DLink internet gateways will display a list of MAC addresses associated with the IP's they've given out via DHCP. I'm sure whatever you are using for DHCP will have some sort of display of the issued IPs with their respective MACs.

I'm not 100%, but I'm pretty sure you'd have to specify it on each switch. That's where the initial connection's access comes in. I'm not totally familiar with Cisco products, but maybe if you have CiscoWorks you can set that up globally (providing the 2950s support MAC filtering)?

I'm afraid that's about as much help as I'll be. I don't know any specifics of the product. I'm sure someone else can provide that part.

Hope I was at least of some help!

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now