  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266

Prevent laptops from connecting to network

I have a Windows Server 2003 Standard Edition managed network with almost 85 clients, comprising desktops and laptops. I have a firewall - Netscreen 5GT - that takes a DSL internet connection from a Cisco SOHO router. The Netscreen box is acting as a DHCP server, so any computer connecting to a free wall socket gets an automatic IP address and can browse the internet.
These days my staff are bringing their personal laptops and connecting to our network to browse the internet. Is there any way to stop this? Any policies or configuration that prevents them from receiving an auto IP address?
Help please....
2 Solutions
If you are using your router as DHCP server the only way to achieve your objective is to setup an access list on the router, only to accept connection from the approved MACs.
Another possibility (though it's non-trivial) is to configure an internal PKI in your environment, and then use 802.1X on your routers and switches so that only machines that possess the appropriate PKI certificate are permitted to use wireless, access the Internet, etc.
I would agree with Laura... The ormerodrutters solution is too complicated. The best way is to implement 802.1X authentication. Since you are using Windows 2003 Server you can install the Certificate Server, and if you are using Active Directory you can deploy the user certificates to all clients which are on the domain with Group Policy.

I had a scenario with wireless and wired network. The user was satisfied with the solution. All users auto-enrolled for the certificates, all computers auto-enrolled for the certificates as well.
kelpere (Author) Commented:
The 802.1X method sounds good. Where can I find some more info on this - I mean how to start with this and how to deploy it?
My laptop users are not logging in to the network. They login to their local machines. So do I have to apply group policies as user policies or computer policies?
Thanks for your response.

Here is a Microsoft document for deployment of 802.1X


Well, if users are logging on to their local computers there is no way that they will get the certificate on their machines, since they are not joined to the domain.

With Group Policy deploy computer and user certificates (create an auto-enroll) and implement 802.1x. Same thing is with wireless.


You do not need secondary active directory or IAS server. This is only for redundancy. You can install everything on one server (Active Directory, Certificate Server, IAS server).

You should set up DHCP so that it only assigns IP addresses to machines with an allowed MAC address on the network.
Use Angry IP Scanner to produce a list of MAC addresses on your network and have them on the "allowed list".
Not as secure as what the others are saying, but it won't assign IP addresses to machines that aren't allowed....
> "Not as secure as what the others are saying, but it won't assign ip addresses to machines that aren't allowed...."

MAC addresses can be spoofed fairly easily, and assigning MAC reservations does -not- scale well if you're dealing with a large number of computers.  It's better than nothing, but 802.1X security is the more strategic option.
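The DHCP allow-list answer and the reply about its limits both come down to one piece of bookkeeping: comparing what the DHCP server has leased against the list of approved MAC addresses, and noticing when that list stops telling the truth. The script below is an added example, not code from the thread or from any of the products named in it. It assumes two constructed inputs: a scanner export in the shape `ip,hostname,mac` (Angry IP Scanner's real export columns are configurable, so this layout is an assumption) and a lease dump in the shape `ip mac hostname`. It normalises the three common MAC spellings before comparing, reports leases whose MAC is not on the list, and flags a MAC that holds two leases at once, which is a cheap hint that an approved address has been copied onto a second machine, the weakness the reply points out.

```python
import re
from dataclasses import dataclass

# Canonical form: 12 lowercase hex digits, later rejoined with ':'.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC written as 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5f
    or 001a.2b3c.4d60 so that allow-list and lease entries compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_allow_list(lines):
    """Build the approved-MAC set from scanner export rows 'ip,hostname,mac'
    (constructed format). Rows without a MAC are hosts that did not answer
    ARP and are skipped rather than silently allowed."""
    allowed = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3 or not parts[2]:
            continue
        allowed.add(normalize_mac(parts[2]))
    return allowed


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_leases(lines):
    """Parse constructed lease lines of the form 'ip mac hostname'."""
    leases = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = line.split(None, 2)
        leases.append(Lease(ip, normalize_mac(mac), hostname))
    return leases


def audit_leases(leases, allowed):
    """Return (unknown, duplicates): leases whose MAC is not approved, and
    approved-or-not MACs holding more than one concurrent lease."""
    unknown = [lease for lease in leases if lease.mac not in allowed]
    by_mac = {}
    for lease in leases:
        by_mac.setdefault(lease.mac, []).append(lease.ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, duplicates


# Constructed sample data: a scanner export and a lease dump from the same LAN.
SCAN_EXPORT = [
    "# ip,hostname,mac",
    "192.168.1.10,PC-RECEPTION,00:1A:2B:3C:4D:5E",
    "192.168.1.11,PC-ACCOUNTS,00-1a-2b-3c-4d-5f",
    "192.168.1.12,PRINTER,001a.2b3c.4d60",
    "192.168.1.13,,",            # no ARP reply: not added to the list
]

LEASES = [
    "192.168.1.10 00:1a:2b:3c:4d:5e PC-RECEPTION",
    "192.168.1.11 00:1A:2B:3C:4D:5F PC-ACCOUNTS",
    "192.168.1.50 08:00:27:AA:BB:CC personal-laptop",   # not on the list
    "192.168.1.51 00:1a:2b:3c:4d:5e unknown-host",      # reuses .10's MAC
]


def run_audit():
    """Run the full check on the constructed data and return its findings."""
    allowed = load_allow_list(SCAN_EXPORT)
    unknown, duplicates = audit_leases(parse_leases(LEASES), allowed)
    return allowed, unknown, duplicates


if __name__ == "__main__":
    allowed, unknown, duplicates = run_audit()
    for lease in unknown:
        print(f"not on allow-list: {lease.ip} {lease.mac} {lease.hostname}")
    for mac, ips in duplicates.items():
        print(f"MAC {mac} holds several leases at once: {', '.join(ips)}")
```

Run against the sample data it reports the personal laptop as unknown and the reused MAC as a duplicate. The duplicate check only works while both machines hold leases at the same time, which is exactly why the reply above treats MAC filtering as better than nothing rather than as access control; 802.1X moves the decision onto a credential the port cannot see on the wire.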
