somewhereinafrica
asked on
What are my DHCP options?
Can I make it so that only my domain users get a DHCP address lease, and everyone else gets denied?
win server 2008 std, win 7, win xp, AD
ASKER
So basically I have 2 options:
1 - static IP and turn off DHCP
2 - Have DHCP and have a free for all to anyone who connects to the network - as far as internet access goes
DHCP kicks in before you can establish whether the PC is part of your domain, so you would have to filter based on MAC address, and have a list of allowed MAC addresses.
ASKER
@mattvmotas
I have 2 Cisco switches (SLM 2048), they should support it. What is the impact of enabling this feature?
http://www.packetfence.org/en/home.html - not used it but it may be of use to you. But you will need a capable network switch(es).
ASKER
OK, that seems a bit too much for my small problem. Is there any way that I can disable access to anything except the internet connection (which is through a standalone router box) for non-authorized users?
Nope - DHCP is a broadcast system.
If you know which ports on your switches are authorised, you could look at putting all the other network ports onto a different VLAN that only has internet access.
Stick to the comment made by 1peterx.
When you limit the access via MAC address, you must have the MACs added to the "Allowed" list before they can connect. Of course if someone knows the network info, they could set static settings...
You may want to look into a proxy.
I agree with jakethecatuk for this one. Set up a second VLAN on a couple of ports for visitors and do not let them plug into the rest.
I have never actually set up the 802.1x, but I do not believe the impact is very noticeable.
ASKER
@DK_Guru
Proxy.... such as?
This will lock out PCs where the user is not authenticated with AD.