Prevent laptops from connecting to network

Posted on 2007-10-03
Last Modified: 2010-04-09
I have a Windows Server 2003 Standard Edition managed network with almost 85 clients comprising desktops and laptops. I have a firewall - Netscreen 5GT that takes a DSL internet connection from a Cisco SOHO router. The Netscreen box is acting as a DHCP server, so any computer connecting to a free wall socket gets an automatic IP address and can browse the internet.
These days my staff are bringing their personal laptops and connecting to our network to browse the internet. Is there any way to stop this? Any policies or configuration that prevents them from receiving an auto IP address?
Help please....
Question by:kelpere
    LVL 23

    Expert Comment

    If you are using your router as the DHCP server, the only way to achieve your objective is to set up an access list on the router to accept connections only from the approved MACs.
    LVL 30

    Accepted Solution

    Another possibility (though it's non-trivial) is to configure an internal PKI in your environment, and then use 802.1X on your routers and switches so that only machines that possess the appropriate PKI certificate are permitted to use wireless, access the Internet, etc.
    LVL 9

    Assisted Solution

    I would agree with Laura... The ormerodrutters solution is too complicated. The best way is to implement 802.1x authentication. Since you are using Windows 2003 Server, you can install the Certificate Server, and if you are using Active Directory you can deploy the user certificates with Group Policy to all clients which are on the domain.

    I had a scenario with wireless and wired network. The user was satisfied with the solution. All users auto-enrolled for the certificates, all computers auto-enrolled for the certificates as well.

    Author Comment

    The 802.1x method sounds good. Where can I find some more info on this - I mean how to start with this and how to deploy it?
    My laptop users are not logging in to the network. They log in to their local machines. So do I have to apply group policies as user policies or computer policies?
    Thanks for your response.
    LVL 9

    Expert Comment


    Here is a Microsoft document for deployment of 802.1X

    Well, if users are logging on to their local computers, there is no way that they will get the certificate on their machines, since they are not joined to the domain.

    With Group Policy, deploy computer and user certificates (create an auto-enroll) and implement 802.1x. The same goes for wireless.

    You do not need secondary active directory or IAS server. This is only for redundancy. You can install everything on one server (Active Directory, Certificate Server, IAS server).

    LVL 5

    Expert Comment

    You should set up DHCP so that it only assigns IP addresses to machines with an allowed MAC address on the network.
    Use Angry IP Scanner to produce a list of MAC addresses on your network and have them on the "allowed list".
    Not as secure as what the others are saying, but it won't assign IP addresses to machines that aren't allowed....
    LVL 30

    Expert Comment

    > "Not as secure as what the others are saying, but it won't assign ip addresses to machines that aren't allowed...."

    MAC addresses can be spoofed fairly easily, and assigning MAC reservations does -not- scale well if you're dealing with a large number of computers.  It's better than nothing, but 802.1X security is the more strategic option.
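
The MAC allow-list approach and the spoofing caveat raised in this thread, as an added example that is not part of the original discussion: a Python audit that compares `arp -a` style output against an approved list and reports unapproved devices, MACs seen at more than one IP, and locally administered addresses. All addresses and the names `ALLOWED`, `ARP_OUTPUT` and `audit` are constructed for illustration.

```python
import re

# Constructed sample: approved MACs, e.g. exported from an inventory scan.
ALLOWED = {"00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"}

# Constructed sample in the layout of Windows `arp -a` output.
ARP_OUTPUT = """
Interface: 192.168.1.2 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.10          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.11          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.57          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.80          3c-97-0e-11-22-33     dynamic
  192.168.1.81          02-ab-cd-ef-01-23     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s")

def normalize(mac):
    """Canonical form: lowercase hex pairs joined by ':'."""
    return ":".join(re.findall(r"[0-9a-f]{2}", mac.lower()))

def parse_arp(text):
    """Yield (ip, mac) for each unicast entry; headers are ignored."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        # Skip broadcast/multicast: group bit (0x01) set in the first octet.
        if m and not int(m.group(2)[:2], 16) & 1:
            yield m.group(1), normalize(m.group(2))

def audit(arp_text, allowed):
    allowed = {normalize(m) for m in allowed}
    seen = {}
    for ip, mac in parse_arp(arp_text):
        seen.setdefault(mac, []).append(ip)
    return {
        # Devices on the wire that are not on the approved list.
        "unknown": sorted(m for m in seen if m not in allowed),
        # One MAC at several IPs: multi-homed host or a cloned address.
        "multi_ip": {m: ips for m, ips in seen.items() if len(ips) > 1},
        # Locally administered bit (0x02): address set in software, not burned in.
        "locally_administered": sorted(m for m in seen if int(m[:2], 16) & 2),
    }

if __name__ == "__main__":
    for finding, value in audit(ARP_OUTPUT, ALLOWED).items():
        print(finding, value)
```

An approved MAC appearing in `multi_ip` is only a prompt to check the switch port it sits on; the allow list alone cannot tell a cloned address from the real device.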
