Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

DHCP restrictions with User Class

Posted on 2009-04-02
5
Medium Priority
?
254 Views
Last Modified: 2012-06-27
We do have similar question to restrict non-Domain Computers to lease IP address.

Although if we add a new User class we can restrict a machine not to have available options.
i.e. Router address, DNS and WINS etc. but still the machine can have the IP address. good thing is that machine cannot cross the router, hence narrowing down the vunlnerability impact.

what if the requirment is to restrict the IP address Lease for the Machine which is not authorized either by means of Domain, User or Vendor Class or any ohter way.

Focus is to restrict any un authorized Machine to connects to production Network.
0
Comment
Question by:Ovais60
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 24047934
Since the IP is issued before authentication can take place, then unless you impliment a 802.1x pre-authentication solution you have done just about everything you can do (its been made much simpler in Windows 2008).
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 1000 total points
ID: 24048482
Agree with KCTS - DHCP is a low level protocol which occurs without authentication.
You can, however, install a DLL which allows you to apply a MAC address filter in a text file. Set up a list of 'allowed' and/or 'denied' MAC addresses (which could be a pain depending on the size of your network)
See here: http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx
I have to say that while I am aware of this, I have never used it myself.
Maybe it is of interest to you....
0
 

Author Comment

by:Ovais60
ID: 24057181
Thanks for your comments and assistance.

MAC address base filter option i have already in queue, but we are stuck to gather MAC addresses for 5000 + clients.

have you check the Symantec Network Access Control -> DHCP enforcer.

Seems its also use the User Class for the isolation.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24067975
The Symantec DHCP enforcer runs on the DHCP server and requires that all hosts have the enforcer client service running on them before handing out valid IP addresses.
A host performing a DHCP discovery is given a 'quarantine' configuration so that the DHCP enforcer can authenticate it. Like you say, it uses a User class to provide the quarantine configuration. If the client is authenticated it is then given the correct IP config - if it fails, it remains with the quarantine config.
For this you would have to deploy the client out to all machines on your network. Have a look at this for a bit of reference  : ftp://ftp.symantec.com/public/japanese/products/symantec_network_access_control/51/manuals/SSEP_5_1_Integrated_Enforcer_for_Microsoft_DHCP_Servers.pdf
0
 

Author Closing Comment

by:Ovais60
ID: 31565702
to Authenticate & Authorise DHCP requests is to use DHCP server Call out DLL. it can help you out to keep your network free from un-authorise requests! Thanks.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question