• Status: Solved

Preventing Static IPs

I need to find a way to prevent laptops that are using our wireless network from assigning themselves a static IP.

Let me give you a little background on our network:

- We are a high school
- We are using multiple 3Com 4500G switches
- Our wireless network is a 3Com Managed WX2200 with around 45 APs
- School-owned computers have static IPs; student laptops have reserved DHCP
- We have a NAC that sits in front of our DHCP server to enforce policies before a laptop or outside computer can gain access to the network.
- We are using a 10.x.x.x Class A IP scheme. No VLANs or routers.

What we are finding is that students are becoming wise enough to figure out how to get around the NAC enforced policies by putting a static IP on their computer prior to making a wireless connection. Because the NAC sits in line with the DHCP server, if the NIC never requests a DHCP, it never gets challenged by the NAC.

I need to know if there is a way to keep users from being able to put a static IP on their computer and gain access to the network. Is there a way that I could use the switches, where I provide them a list of MAC addresses that should be requesting DHCP and, if they don't, block them?

Any and all solutions are welcomed :) Thanks in advance!
Asked by: fgarufijr
1 Solution
 
ccpjc commented:
Are the laptops personal or school provided?

If school provided, enforce the GPO and take away their ability to change the network settings.
 
fgarufijr (Author) commented:
They are student owned. They are also in their own personal workgroups and not part of our domain.
 
ccpjc commented:
I don't know what kind of firewall/router you're running, but this is how I would accomplish something like this. Currently I'm running SonicWalls in my locations.

I would add an access rule so that any IPs in the range 10.x.x.x - 10.x.x.x (static) would be denied access to everything; I would also give the computers that have legitimate static IPs the access they should have.
 
rbeckerdite commented:
I would create a VLAN for the wireless. Install a transparent proxy on that VLAN so that you can button down access to everything; that should discourage their desire to modify their IP settings.
 
fgarufijr (Author) commented:
I appreciate the two other solutions, but I don't think they will work too well, given our current environment.

I'm not really worried about them having internet access. What I am worried about is all the P2P they are doing at home; they don't have anti-virus and are completely infected, then they come here and infect our network. I don't want them gaining access if they don't have up-to-date anti-virus, all MS patches, etc. Our NAC does a very good job of this, but again, if the client isn't requesting a DHCP, the NAC can't enforce any policies.

An additional VLAN *might* be something I can do in the future for wireless access, but as of right now it's really not a possibility. Students need to be able to access their home directories on the student servers and other network resources. I know you can create rules in a proxy/router to allow these things, but it's way too far into the school year right now to make any huge changes like this. That would need to be done over summer break, etc.
 
Morne Lategan commented:
Can you elaborate on how your NAC works? Do you have client software installed on the laptops? And do you use VLANs or ARP to enforce policies? Does the NAC challenge anything that sends a packet through it?

If it challenges anything that sends a packet through it, you might configure a replication port on the switch. That way traffic from the entire WAN will be replicated to it, not just the packets destined for the DHCP server, and your NAC can then quarantine it accordingly through VLAN/ARP/...
 
winthropj commented:
Yeah, you need to set up a separate VLAN. I have a separate wireless network on a separate VLAN for machines that come into my buildings. I provide a couple of printers, but they don't come onto the school network. The school network is not broadcast and uses machine auth and IAS (RADIUS).

Is there any security on the wireless network, WEP, WPA.....?

Your equipment can definitely support a setup like this.
 
fgarufijr (Author) commented:
The NAC can only enforce policies for those clients requesting a DHCP. It sits in line and in front of the DHCP server. A request comes in for DHCP and the NAC immediately tests the machine. If it passes, the client is able to acquire a DHCP address. If it fails, the NAC quarantines it into a separate subnet. The client then has the ability to make the corrections needed and be retested. If successful, the NAC releases it from quarantine and it gets a DHCP.

We currently use WPA2-Enterprise with IAS and authenticate users through Active Directory.
 
rbeckerdite commented:
Do they need to access resources on your school network? What services are you providing the clients? I think your only real option is to put these clients in a VLAN. If that won't work, I would discuss with the administration disabling the wireless until you can implement one. With no control of the clients, your concerns are valid, and they are basically allowing external parties (spyware, bots, etc.) access to whatever these clients have access to. There are devices that interrogate a client's patch levels and firewall status, but they usually require the computers be something you own. Without installing client software on the computers, you are really stuck putting them in a different zone to secure your production network from them. I completely sympathize with your position, but I think you MUST express the extreme risk that they are introducing to your network and other students by not restricting this.
 
fgarufijr (Author) commented:
Yes... There are a bunch of resources they access on the school network, which would make putting them in a VLAN a difficult task. Not an impossible one, but definitely difficult.

Basically, the way I see it is that the NAC is doing its job. There is just a hole that I need to plug to ensure they can't circumvent it.
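One way to at least see the hole fgarufijr describes, as an added example that is not from anyone in this thread: correlate the segment's ARP table with the DHCP server's lease list, so any MAC that holds an address without a matching lease (or a different address than its reserved lease) gets reported for follow-up. The `arp -a` style dump, the lease export and the known-static list below are constructed sample data, and the function names are mine.

```python
"""Report hosts on the 10.x segment whose address was not handed out by DHCP."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: Windows `arp -a` style output captured on the wireless segment.
ARP_TABLE = """\
Interface: 10.1.0.2 --- 0xb
  Internet Address      Physical Address      Type
  10.1.0.1              00-11-22-33-44-01     dynamic
  10.1.0.50             00-11-22-33-44-50     dynamic
  10.240.5.1            aa-bb-cc-dd-ee-01     dynamic
  10.80.246.4           aa-bb-cc-dd-ee-02     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample lease export from the DHCP server (MAC -> leased IP).
DHCP_LEASES = {"00-11-22-33-44-50": "10.1.0.50"}

# Constructed list of school-owned hosts that legitimately run static addresses.
KNOWN_STATIC = {"00-11-22-33-44-01": "10.1.0.1"}

SCOPE = ip_network("10.0.0.0/8")
ARP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Yield (ip, mac) for unicast entries inside the 10/8 scope; skip multicast/header lines."""
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ip, mac = ip_address(m.group(1)), m.group(2).lower()
        if ip.is_multicast or ip not in SCOPE:
            continue
        yield str(ip), mac


def find_unleased_hosts(arp_text, leases=DHCP_LEASES, known=KNOWN_STATIC):
    """Return (ip, mac) pairs with no DHCP lease for that exact address and no static allowance."""
    return [
        (ip, mac)
        for ip, mac in parse_arp(arp_text)
        if known.get(mac) != ip and leases.get(mac) != ip
    ]


if __name__ == "__main__":
    for ip, mac in find_unleased_hosts(ARP_TABLE):
        print(f"no DHCP lease for {ip} ({mac})")
```

A MAC whose reserved lease says one address but which shows up under another is flagged as well, which is exactly the reserved-DHCP student laptop that switched to a static address.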
 
rbeckerdite commented:
So what about denying the inappropriate IP addresses in a remote access policy? This link talks about writing a parameter for a remote access policy that might work for you. I think this might allow you to block out the fixed IPs you don't want them using.

http://technet.microsoft.com/en-us/library/cc737419.aspx
 
rbeckerdite commented:
Oh, it says something under IP that the server must provide the IP address. I think this is exactly what you are asking for:
http://technet.microsoft.com/en-us/library/cc786581.aspx
 
fgarufijr (Author) commented:
I'm a bit lost on this one... How would I accomplish this? We are using a Class A 10.x.x.x. With this being the case, a student can easily pick, at random, an IP address and gain access.

Example: The student could try the following until he gained access...

10.240.5.1
10.80.246.4
etc.
 
rbeckerdite commented:
The access rule would deny access if the IP address was not provided by the server. How does that sound? I can't test it, but I think this is the implementation that would solve the problem the way you want.
 
fgarufijr (Author) commented:
I definitely think you're on to something here!

Here's what I don't know... "Server must supply an IP address"... Does this mean the IAS server has to supply the IP through DHCP?

I have two IAS servers, but my DHCP server is separate from these two IAS servers.

I tried finding something on that in those write-ups, but it doesn't define too much what "Server must supply an IP address" is...
 
rbeckerdite commented:
Haha... Yeah, I saw that as well, but the DHCP addresses are typically reserved by the RAS server and then given to the client, so "provided by the server". That doesn't necessarily refer to the server actually being the DHCP server. Here is the step by step to set it up:

To configure IP options:

Do one of the following:
- Open Routing and Remote Access and, if necessary, double-click Routing and Remote Access and the server name.
- Open Internet Authentication Service and, if necessary, double-click Internet Authentication Service.

- In the console tree, click Remote Access Policies.
- In the details pane, double-click the remote access policy that you want to configure.
- Click Edit Profile.
- On the IP tab, specify any required settings.

P.S. I personally really dislike misuse of systems. That is why I am really trying to help. The few ruining things for the many... When people complain about passwords, encryption, patches, firewalls, just explain this situation, and the many like it.
 
fgarufijr (Author) commented:
This sounds great! :) I REALLY appreciate your help! :)

When I go into the office tomorrow I will try this first thing... I'll then come back and assign the points to you :)

I'll post back and let you know how it goes :)
 
Rich Rumble (Security Samurai) commented:
802.1x is your answer. This is NAC 101... Is this Symantec NAC? Are your users required to have SEP installed? (If this is Symantec, that is.) What needs to happen is the client software on the machines needs to pass the NAC checks, and the only way to force that is 802.1x.
http://www.informit.com/articles/article.aspx?p=653377&seqNum=4
http://en.wikipedia.org/wiki/802.1x
You can think of 802.1x as a white-list or access list. To pass traffic, the wifi access point will ask for 802.1x auth; if the users don't have it enabled (it is enabled by default on all wifi NICs) they won't ever be able to auth or pass traffic until they do enable it and pass auth. To pass auth the WAP can rely on RADIUS, AD, LDAP, etc... but in your case, your 802.1x config on your WAPs will point to your NAC and the NAC will then run its scans and pass/fail the users based on that, as well as a username/password if you wish. Need more info about your NAC solution and if your users have NAC clients installed. If you rely on "dissolvable" clients, this then assumes that your users are 1) using Windows, 2) admins of their laptops. If either of those are not true, dissolvable clients don't work as far as I know.
-rich
 
rbeckerdite commented:
Did the access rule help the situation?
 
fgarufijr (Author) commented:
Hi rbeckerdite...

I'm pretty sure I did everything correctly, and yet it's still allowing me to connect to the network with a static IP. I just made the one change:

IAS Profile -> Edit Profile -> IP -> Server must supply an IP address

Yet if I put a static IP on my laptop, I still gain access to the network.

Am I doing something wrong?
 
rbeckerdite commented:
I am wondering if the policy application is in the right order?
 
fgarufijr (Author) commented:
What should I be looking for?
 
rbeckerdite commented:
I would see if there is an approval rule that bypasses this criteria. Make sure the policies apply in the right order. It is tough testing this in a production environment. It might be a little deep for me, site unseen, to configure IAS policies. Hmm... maybe post a screenshot of the policy section, or just read through it and check the flow of policies.

Try this with "Users who do not have access can login":
http://technet.microsoft.com/en-us/library/cc786978.aspx
 
Rich Rumble (Security Samurai) commented:
You cannot accomplish what you want without enabling 802.1x on the switch...
Please read: http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

Page 12:
Deploy your authenticating switches to provide network access for your wired network. Configure your authenticating switches to support 802.1X authentication and RADIUS. Configure the RADIUS settings on your authenticating switches with the following:
1. The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
2. The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
-rich