Specify MAC Addresses that are/aren't allowed to get an IP

How can I Specify MAC Addresses that are allowed to get an IP in DHCP running in Windows Server 2003?  Alternatively, how can I restrict a MAC Address from getting an IP?
LVL 1
Declan_BasileITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Glen KnightCommented:
There are a few options.
You could add a reservation for each device you want to get an IP address.

You could specify a class ID for each device you want to get an IP address and then instruct DHCP to only give a certain scope to that Class of device.

Or you could use Network Access Protection (NAP) to restrict DHCP that way as per:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ac38e5bb-18ce-40cb-8e59-188f7a198897&displaylang=en

this does require Windows 2008 though
0
Declan_BasileITAuthor Commented:
How can I specify a Class Id for each device, and how do I instruct DHCP to only give a certain scope to that Class of device?
0
Glen KnightCommented:
The way to do it would be to use a login script to set the class ID and then renew the IP address.
There is a couple of technet articles that will help you with setting the Class ID and specifying a scope for a specific class ID

http://technet.microsoft.com/en-us/library/cc783756(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc776439(WS.10).aspx
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

172pilotSteveCommented:
I think the class IDs are only going to help you specify OPTIONS, not the IP addresses themselves... That's OK though, because that should be enough control to prevent anyone from doing anything on the network if you dont want them to..

First, let me remind you that DHCP is NOT a security tool - It's a tool for convenience and automation of configuration, therefore all of this is useless as a security measure against someone who knows what they're doing and has manual control of their IP address and mac address.. To get into REAL security, you'll have to look at NAC (Network Access Control) such as 802.1x, using machine certificates to allow or prevent access at all... Using NAC, (which will require additional infrastructure, and NAC-aware switches) you would be able to basically only maintain a link on a computer which was in a particular AD group. But, that's a bigger deal than what we're talking about here...

If all you want to do is to make sure the temporary secretary isn't surfing Facebook all day, or that the sales-guy who brings his laptop to the office can't get to the Internet, then DHCP is fine...

SO..

Definitely check out the articles that demazter gave - Especially the first one is good.  But, rather than a "login script", if you're using Active Directory, I'd make a GPO that affects the computers that SHOULD use the network, and create a "Startup Script" which will run in the context of the computer account each time the computer boots.  In that script, put in a command like:
ipconfig /setclassid * ApprovedMachine
Also, make a HIGHER level (maybe domain-level) GPO that has a startup script with:
ipconfig /setclassid * UnApprovedMachine
Because the higher GPO will run on ALL domain machines, and the lower, more specific GPO will run on your "approved" machines, the "ApprovedMachine" class ID will only be present in those machines which qualified for that GPO..  You can control that through group membership through permissions, or just through which OUs get the GPO connected.
 
Now that the GPO has put the classID on the desired machines, go to your DHCP scopes and take out your DNS servers from the defined options under server or scope options.  If you only have one network (one subnet / vlan) you could also remove the default gateway.  Then, go to CLASS options and add your DHCP options back as CLASS options instead of server or scope options.  That way, only those approved machines will get their DNS or default gateway settings...  They'll still be on the network, and they'll have an address, but they wont be able to get to the Internet..
 
To prevent them from getting DHCP addresses at all, ignore everything I wrote above, and instead, use reservations to reserve an address for each "approved" NIC card, and then use DHCP exclusions to not allow the other addresses to be issued.  This is more management intensive, and you'll have to edit the MAC addresses in the reservation any time the PC or NIC changes.  Also, different NICs in each machine (wireless vs. wired, for example) will each need their own reservation, which wastes addresses.  This may or may not matter to you...
 
-Steve

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Declan_BasileITAuthor Commented:
Steve - We don't have Active Directory set up yet.  We're going to setup Active Directory after we finish setting up the DHCP server and setting all of our clients to obtain an address.  Right now almost all the computers have static addresses.
  Our immediate need is to decide what routers to buy for use in the new building we are moving into in 2 weeks.  *** We want anyone to be able to obtain an IP to get internet access but don't want anyone to be able to access data on our servers unless their computer has a MAC address in a secured list of allowed addresses. *** We need to know if we need to buy switches with MAC filtering to accomplish this, if we can accomplish this with Active Directory, or if we need both switches with MAC filtering and Active Directory.  
   What defines a computer object in Active Directory?  A MAC address?  A computer name?  If it's a MAC address, what would prevent someone from "spoofing" their MAC address to make it look like one of the addresses in the list of allowed addresses?  Does creating a "Startup Script" that runs in the context of the computer account prevent anyone from typing "ipconfig /setclassid * ApprovedMachine" at a command prompt of any computer in order to obtain an ip?  What's included in a Machine Certificate?  How secure is it?  Would it serve our purpose to get a router with MAC filtering, and set only a specified list of MAC addresses to access ports that the servers are plugged into and let all MAC addresses access the port that the router is plugged into so anyone can use the internet?

0
172pilotSteveCommented:
No..  Generally, MAC addresses are not used for security like this..

If you do want ANYONE to be able to get on the network to get to the Internet, then you just need to use usernames/passwords in the Active Directory to secure the file shares.  That's WAY more secure than a MAC which can be faked, and it doesn't have the inconvenience of having to manage a MAC address table.

If you are adament that you need to use a MAC address or something like that, then you're going to have to use 802.1x NAC or something similar, which will let you choose a VLAN for each machine based on it's machine account in the AD or other database.  This is MUCH more complicated to setup, but is definitely secure.  In my opinion, much overkill unless you've got a serious reason...  I've worked in some pretty secure places,  and none of them used NAC on their networks.
0
Declan_BasileITAuthor Commented:
Thank you both for the information.  You set me in the right direction and I read up more on the things you've mentioned.  I ended up using "MacFilterCalloutInstaller.zip" which lets you to specify a list of MAC addresses that can either get or not get IP's.  So we have "block secretary from using facebook all day"security for now and will work on "block people who know what they are doing" security after we implement Active Directory.  Thanks again.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DHCP

From novice to tech pro — start learning today.