Restrict LAN access if not logged on to domain

Posted on 2006-05-10
Last Modified: 2013-11-30
I have a WAN setup (VPN tunnels), Windows 2003 Standard Server, all XP Pro clients, all computers on Active Directory, 1 DHCP server (also functioning as DNS) giving out IPs, class C.

I want to restrict access to any computer that is not part of the domain (logged in with a username and password - so joined to the domain).

How do I prevent the DHCP server from assigning non-domain computers an IP address? What hardware and/or software do I need? What does the configuration look like?

If I have a visitor that needs to plug in to the network, but I don't want to join his/her personal laptop to the domain in order to gain access to Internet/email only - what is the workaround there?
Question by:calpoly1
    LVL 3

    Expert Comment

    Domain login, computer name and such are on a completely different level than DHCP.  The only thing I can think of is setting up your DHCP server in such a way that it will only deliver IP addresses to known network interfaces based on their MAC addresses.

    This is because of how a DHCP broadcast works.  When a client comes online and searches for a DHCP server, it only communicates its MAC address through ISO layer 2 and receives a response from the DHCP server with a suitable IP address and other configuration.  If the DHCP server did not react to any unknown MAC addresses, you would have your sort of safety.

    However, this is not 100% secure.  If someone set up a fixed IP address in the DHCP range, they would get LAN access too.

    The only option you then have is to define your switches to only offer LAN access if the broadcasting network interface's MAC address is known.  Similar to MAC allow-lists in wireless switches, access points and routers, you would be able to allow a certain network interface to talk to other network interfaces and the router on the network.
    LVL 2

    Expert Comment

    whermans hit it right on.

    The MAC list solution above can be good - depending on your goal: preventing hacking or preventing your users from plugging in unauthorized devices. As with the wireless vulnerability, the hacker can define his own MAC address and pound the switch until he finds one that works. The casual user plugging in a $30 WAP or any other unauthorized device you don't want on the network would be thwarted.

    Just my 2 cents

    Author Comment

    Is there an easy way to identify systems (via MAC address) that are already on my domain?

    That way I can add all systems and exclude everything else? I have Cisco 2950 switches, by the way.

    Do I only set up the switch that my ISP router is connected to?
    LVL 2

    Accepted Solution

    What DHCP are you using? I know with Microsoft's DHCP you can go to the Active Leases window of that scope and it displays the MAC addresses in the Unique ID column. Even cheap home D-Link internet gateways will display a list of MAC addresses associated with the IPs they've given out via DHCP. I'm sure whatever you are using for DHCP will have some sort of display of the issued IPs with their respective MACs.

    I'm not 100%, but I'm pretty sure you'd have to specify it on each switch. That's where the initial connection's access comes in. I'm not totally familiar with Cisco products, but maybe if you have CiscoWorks you can set that up globally (providing the 2950s support MAC filtering)?

    I'm afraid that's about as much help as I'll be. I don't know any specifics of the product. I'm sure someone else can provide that part.

    Hope I was at least of some help!
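The accepted solution points at the DHCP lease table as the place to harvest MAC addresses, and the first comment proposes a DHCP server that only answers known MACs. The following Python script is an added example, not code from the original thread or from any of the products mentioned: it parses a lease listing in the style of the Windows `netsh dhcp server ... show clients` output (the sample below is constructed, and the column layout on a real server may differ; only the IP, the Unique ID column and the trailing client name are read), flags leases whose MAC is not in an allow-list of domain computers, and shows the allow-list check a MAC-filtering DHCP server would apply to a DISCOVER. The MACs, hostnames and the `DOMAIN_MACS` set are made-up values.

```python
import re
from dataclasses import dataclass

# Matches a MAC written either as 00-0c-29-11-22-33 or 00:0c:29:11:22:33.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b")
# A lease line starts with the leased IPv4 address.
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\b")
# Trailing "-D-  <name>" (D = DHCP, R = reservation, ...) in the netsh layout.
TYPE_RE = re.compile(r"-([NDBUR])-\s*(\S*)\s*$")

# Constructed sample in the style of:
#   netsh dhcp server scope 192.168.1.0 show clients 1
# Real output may space the columns differently; the parser does not rely on that.
SAMPLE_LEASES = """\
Changed the current scope context to 192.168.1.0 scope.

IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type -Name
=========================================================================================
192.168.1.10    - 255.255.255.0  - 00-0c-29-11-22-33   -5/12/2006 10:30:00 AM   -D-  WS01.corp.example
192.168.1.11    - 255.255.255.0  - 00-0c-29-44-55-66   -5/12/2006 11:02:00 AM   -D-  WS02.corp.example
192.168.1.57    - 255.255.255.0  - 00-16-6f-aa-bb-cc   -5/12/2006 11:40:00 AM   -D-  visitor-laptop
192.168.1.58    - 255.255.255.0  - 00-0f-66-de-ad-01   -5/12/2006 11:41:00 AM   -D-
"""

# Constructed allow-list: MACs of computers you know are domain members
# (in practice taken from your inventory or from the leases of known hosts).
DOMAIN_MACS = {"00:0c:29:11:22:33", "00:0c:29:44:55:66"}


def normalize_mac(mac: str) -> str:
    """Canonical form so dash/colon and upper/lower spellings compare equal."""
    return mac.replace("-", ":").lower()


@dataclass
class Lease:
    ip: str
    mac: str   # normalized
    name: str  # "(none)" when the client sent no hostname


def parse_leases(text: str) -> list[Lease]:
    """Extract (ip, mac, name) from each lease line; banners and separators are skipped."""
    leases = []
    for line in text.splitlines():
        ip_m = IP_RE.match(line)
        mac_m = MAC_RE.search(line)
        if not ip_m or not mac_m:
            continue
        type_m = TYPE_RE.search(line[mac_m.end():])
        name = type_m.group(2) if type_m and type_m.group(2) else "(none)"
        leases.append(Lease(ip_m.group(1), normalize_mac(mac_m.group(0)), name))
    return leases


def unknown_leases(leases: list[Lease], allowed: set[str]) -> list[Lease]:
    """Leases handed to MACs that are not on the domain-computer allow-list."""
    allowed_norm = {normalize_mac(m) for m in allowed}
    return [lease for lease in leases if lease.mac not in allowed_norm]


def should_offer(client_mac: str, allowed: set[str]) -> bool:
    """Policy of a MAC-filtering DHCP server: answer a DISCOVER only for a known client."""
    return normalize_mac(client_mac) in {normalize_mac(m) for m in allowed}


if __name__ == "__main__":
    found = parse_leases(SAMPLE_LEASES)
    print(f"{len(found)} leases parsed")
    for lease in unknown_leases(found, DOMAIN_MACS):
        print(f"review: {lease.ip:15} {lease.mac}  {lease.name}")
```

Two limits follow directly from the thread: the report only covers addresses the DHCP server handed out, so a host that configured a static address in the scope (the first comment's caveat) never appears in it, and a client that spoofs a listed MAC (the second comment's caveat) passes `should_offer`. Both are reasons to pair the lease audit with MAC control on the switch ports themselves rather than rely on DHCP alone.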
