Ovais60
asked on
DHCP restrictions with User Class
We have a similar question about restricting non-domain computers from leasing an IP address.
Although if we add a new User Class we can restrict a machine from getting the available options,
i.e. router address, DNS and WINS etc., the machine can still get the IP address. The good thing is that the machine cannot cross the router, hence narrowing down the vulnerability impact.
What if the requirement is to restrict the IP address lease for a machine which is not authorized, either by means of Domain, User or Vendor Class or any other way?
The focus is to restrict any unauthorized machine from connecting to the production network.
Since the IP is issued before authentication can take place, then unless you implement an 802.1x pre-authentication solution you have done just about everything you can do (it's been made much simpler in Windows 2008).
ASKER
Thanks for your comments and assistance.
The MAC address based filter option I already have in queue, but we are stuck gathering MAC addresses for 5000+ clients.
Have you checked the Symantec Network Access Control -> DHCP Enforcer?
It seems it also uses the User Class for the isolation.
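The two approaches discussed in the question and in the reply above (a User Class that decides which options a client receives, and a MAC allow list that decides who gets a lease at all) can both be configured from the Windows DHCP Server cmdlets. The following is an added example and is not code from the thread or from any product it mentions; it assumes Windows Server 2012 or later with the DhcpServer and ActiveDirectory modules, a scope 10.10.0.0/24, a router at 10.10.0.1, a DNS server at 10.10.0.10 and a user class string "CorpDomain" that the domain-joined clients are configured to send in DHCP option 77 (all of these are constructed values). It also shows one way around the "5000+ clients" problem from the reply: seed the allow list from existing leases whose hostnames are computer objects in Active Directory, rather than collecting MAC addresses by hand.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+
# with the DhcpServer and ActiveDirectory modules. Scope, addresses and the
# class name below are constructed values for illustration.
Import-Module DhcpServer
Import-Module ActiveDirectory

$ScopeId    = '10.10.0.0'      # constructed scope
$ClassName  = 'CorpDomain'     # constructed user class string (DHCP option 77)
$PolicyName = 'Domain clients'

# --- Part 1: User Class policy (what the question already does) -------------
# Unclassified clients still get a lease, but with no router and no DNS, so
# they cannot leave the subnet. Only clients presenting the class get the
# full configuration via a scope policy.

# Define the user class the domain machines present.
Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassName `
    -Description 'Domain-joined clients (constructed example)'

# Make sure the scope itself hands out no router/DNS (the quarantine default).
Remove-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3, 6 `
    -ErrorAction SilentlyContinue

# Policy: match on the user class and attach router + DNS to the policy only.
Add-DhcpServerv4Policy -Name $PolicyName -ScopeId $ScopeId `
    -Condition OR -UserClass EQ, $ClassName
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName `
    -Router 10.10.0.1 -DnsServer 10.10.0.10

# --- Part 2: MAC allow list (refuses the lease itself) ----------------------
# Build the list from current leases whose hostname is a computer in AD,
# instead of gathering thousands of MAC addresses manually.
$domainHosts = Get-ADComputer -Filter * -Properties DNSHostName |
    Where-Object { $_.DNSHostName } |
    ForEach-Object { $_.DNSHostName.ToLower() }

$leases = Get-DhcpServerv4Lease -ScopeId $ScopeId -AllLeases
$added  = 0
foreach ($lease in $leases) {
    if (-not $lease.HostName) { continue }
    $leaseHost = $lease.HostName.ToLower().TrimEnd('.')
    if ($domainHosts -contains $leaseHost) {
        # ClientId is the MAC in the 00-11-22-33-44-55 form the filter expects.
        Add-DhcpServerv4Filter -List Allow -MacAddress $lease.ClientId `
            -Description "AD computer $leaseHost" -ErrorAction SilentlyContinue
        $added++
    }
}
Write-Host "Allow-listed $added MAC addresses from scope $ScopeId"

# Turn the allow list on. From here, a client whose MAC is not on the list
# gets no lease at all, not just a restricted one.
Set-DhcpServerv4FilterList -Allow $true
```

Run Part 2 in a monitoring window before enabling the filter list, so that every legitimate host has leased at least once and appears in `Get-DhcpServerv4Lease`; anything that leases only rarely (printers, rack PDUs) has to be added by hand. The caveat the first reply already makes still applies: both mechanisms act on what the client chooses to present (its class string or its MAC address), so they narrow exposure but are not authentication; 802.1x on the switch port is the control that actually ties a lease to a verified identity.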
The Symantec DHCP enforcer runs on the DHCP server and requires that all hosts have the enforcer client service running on them before handing out valid IP addresses.
A host performing a DHCP discovery is given a 'quarantine' configuration so that the DHCP enforcer can authenticate it. Like you say, it uses a User class to provide the quarantine configuration. If the client is authenticated it is then given the correct IP config - if it fails, it remains with the quarantine config.
For this you would have to deploy the client out to all machines on your network. Have a look at this for a bit of reference: ftp://ftp.symantec.com/public/japanese/products/symantec_network_access_control/51/manuals/SSEP_5_1_Integrated_Enforcer_for_Microsoft_DHCP_Servers.pdf
ASKER
One way to authenticate and authorise DHCP requests is to use the DHCP Server Callout DLL. It can help you keep your network free from unauthorised requests! Thanks.