calpoly1 asked:
Restrict LAN access if not logged on to domain
I have a WAN setup (VPN tunnels), a Windows 2003 Standard server, all XP Pro clients, all computers on Active Directory, and 1 DHCP server (also functioning as DNS) giving out IPs, class C.
I want to restrict access to any computer that is not part of the domain (logged in with a username and password, so joined to the domain).
How do I prevent the DHCP server from assigning non-domain computers an IP address? What hardware and/or software do I need? What does the configuration look like?
If I have a visitor that needs to plug in to the network, but I don't want to join his/her personal laptop to the domain in order to gain access to Internet/email only, what is the workaround there?
whermans hit it right on.
The MAC list solution above can be good, depending on your goal: preventing hacking or preventing your users from plugging in unauthorized devices. As with the wireless vulnerability, the hacker can define his own MAC address and pound the switch until he finds one that works. The casual user plugging in a $30 WAP or any other unauthorized device you don't want on the network would be thwarted.
Just my 2 cents
ASKER
Is there an easy way to identify systems (via MAC address) that are already on my domain?
That way I can add all systems and exclude everything else? I have Cisco 2950 switches by the way.
Do I only setup the switch where my ISP router is connected to?
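One way to build that MAC list, as an added example that is not part of the thread: the domain itself does not store MAC addresses, but the DHCP server's lease table does, and the lease hostname can be matched against the computer accounts in Active Directory. The script below parses constructed samples of what `netsh dhcp server scope <net> show clients 1` and `dsquery computer -limit 0` print on Windows 2003 (the exact column layout of the netsh table is an assumption; adjust `LEASE_RE` to your server's output), keeps the leases whose hostname matches a domain computer, converts those MACs to the dotted form a Cisco switch expects, and lists the remaining leases as devices to look at.

```python
"""Cross-reference DHCP leases with Active Directory computer accounts.

Added example, not from the original thread. Both inputs below are
constructed samples; the netsh column layout is an assumption.
"""
import re

# Constructed sample of `netsh dhcp server scope 192.168.1.0 show clients 1`.
NETSH_CLIENTS = """\
Changed the current scope context to 192.168.1.0 scope.

Type : D = DHCP - B = BOOTP - U = UNSPECIFIED - R = RESERVATION IP
==============================================================================
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        - Type - Name
==============================================================================
192.168.1.20    - 255.255.255.0  - 00-11-22-33-44-55   - 5/21/2007 10:00:00 AM - D - ws-finance01.corp.local
192.168.1.21    - 255.255.255.0  - 00-11-22-33-44-56   - 5/21/2007 10:05:00 AM - D - ws-sales02.corp.local
192.168.1.22    - 255.255.255.0  - 00-1c-b3-aa-bb-cc   - 5/21/2007 10:07:00 AM - D - visitors-laptop
192.168.1.23    - 255.255.255.0  - 00-0f-66-12-34-56   - 5/21/2007 10:09:00 AM - D -
"""

# Constructed sample of `dsquery computer -limit 0`.
DSQUERY_COMPUTERS = """\
"CN=WS-FINANCE01,OU=Workstations,DC=corp,DC=local"
"CN=WS-SALES02,OU=Workstations,DC=corp,DC=local"
"CN=FILESRV01,OU=Servers,DC=corp,DC=local"
"""

# One lease row: ip - mask - mac - expiry - type - name (name may be empty).
LEASE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s*-\s*"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s*-\s*"
    r"(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s*-\s*"
    r"(?P<expires>.*?)\s*-\s*(?P<type>[DBUR])\s*-\s*(?P<name>.*)$"
)
CN_RE = re.compile(r'^"?CN=([^,]+),', re.IGNORECASE)


def parse_leases(text):
    """Return the lease rows as dicts; header and banner lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["name"] = d["name"].strip()
            d["mac"] = d["mac"].lower()
            leases.append(d)
    return leases


def parse_domain_computers(text):
    """Return the set of computer account names (CN) in upper case."""
    return {m.group(1).upper()
            for m in (CN_RE.match(l.strip()) for l in text.splitlines()) if m}


def short_hostname(fqdn):
    """'ws-finance01.corp.local' -> 'WS-FINANCE01' for matching against CNs."""
    return fqdn.split(".")[0].upper()


def to_cisco_mac(mac):
    """'00-11-22-33-44-55' -> '0011.2233.4455' (the form IOS commands take)."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def domain_mac_allowlist(netsh_text=NETSH_CLIENTS, dsquery_text=DSQUERY_COMPUTERS):
    """Split leases into domain-joined MACs (allow-list) and unknown devices."""
    names = parse_domain_computers(dsquery_text)
    allow, unknown = [], []
    for lease in parse_leases(netsh_text):
        host = short_hostname(lease["name"]) if lease["name"] else ""
        if host and host in names:
            allow.append(to_cisco_mac(lease["mac"]))
        else:
            unknown.append((lease["ip"], lease["mac"], lease["name"]))
    return {"allow": sorted(allow), "unknown": sorted(unknown)}


if __name__ == "__main__":
    result = domain_mac_allowlist()
    print("Domain-joined MACs (Cisco format):")
    for mac in result["allow"]:
        print("  " + mac)
    print("Leases with no matching domain computer (check these):")
    for ip, mac, name in result["unknown"]:
        print("  %-15s %s %s" % (ip, mac, name or "(no hostname)"))
```

Treat the result as a starting point, not proof: the hostname in a lease is whatever the client sent in its DHCP request, so a non-domain machine that calls itself `ws-finance01` would land on the allow-list until you verify the MAC on the real workstation (`ipconfig /all`).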
ASKER CERTIFIED SOLUTION
This is because of how a DHCP broadcast works. When a client comes online and searches for a DHCP server, it only communicates its MAC address through ISO layer 2 and receives a response from the DHCP server with a suitable IP address and other configuration. If the DHCP server would now not react to any unknown MAC addresses, you would have a sort of safety.
However, this is not 100% secure. If someone would set up a fixed IP address in the DHCP range, they would get LAN access too.
The only option you then have is to define your switches to only offer LAN access if the broadcasting network interface's MAC address is known. Similar to MAC allow-lists in wireless switches, access points and routers, you would be able to allow a certain network interface to talk to other network interfaces and the router on the network.
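What that switch-side restriction looks like on the Catalyst 2950 the asker has, as an added configuration example that is not from the thread: port security on every access port, not only on the port facing the ISP router, because the device you want to keep out is plugged into an access port, and the static-IP bypass described above is stopped at the port before any IP traffic is forwarded. Interface names, VLAN numbers and the MAC address are placeholders; an IOS release that supports `sticky` learning (12.1(11)EA1 or later on the 2950) is assumed.

```cisco
! Added example, not from the thread. Placeholders throughout.
!
! Staff port with one known MAC from the allow-list. A frame from any
! other MAC is dropped and counted (violation restrict) instead of
! shutting the port (violation shutdown), so a visitor plugging in
! does not err-disable a staff port.
interface FastEthernet0/1
 description Workstation ws-finance01
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 spanning-tree portfast
!
! Same protection without typing every MAC: the switch learns the first
! MAC seen on the port and writes it into the running config. Save with
! "copy running-config startup-config" once every port has learned its host.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Visitor port: no MAC restriction, but a separate VLAN that carries no
! domain traffic. The router decides what VLAN 99 may reach (Internet
! only, via an access list on the router; not shown here).
interface FastEthernet0/24
 description Visitor / guest
 switchport mode access
 switchport access vlan 99
!
! Uplink to the router: a trunk carrying both VLANs. No port security on
! the uplink; it sees every MAC on the segment.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,99
!
! Verification after the change:
!   show port-security
!   show port-security interface FastEthernet0/1
!   show port-security address
```

The same caveat as earlier in the thread applies: port security checks the MAC, not domain membership, so it stops the casual plug-in but not someone who clones a permitted address. Tying a port to an actual domain logon is what 802.1X is for (the 2950 supports it, XP has a supplicant, and IAS on Windows 2003 can act as the RADIUS server); that is a separate project from the MAC list shown here.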