Domain auth before issuing IP address via DHCP

I'm trying to see if it's possible to lock down DHCP (running on a Windows 2003 Server R2) so that before a DHCP lease is issued, the computer has to be a member of the domain. I've seen a few posts on EE and on the interweb at large that mention 802.1x and a RADIUS server, but at the moment we don't have a RADIUS server running (only AD/ LDAP.)

I realize that without being a member of the domain and having the proper rights a rogue machine/user couldn't access any network resources (easily, anyway), but I'd still like to avoid any "visitors" to the company who just jack in from causing havoc via malware. (And yes, we do have a guest wifi AP set up on a DMZ, it's just sometimes people see a port and plug in.)
Any thoughts or answers are greatly appreciated on the issue.
biofishfreak Asked:
 
ActiveDirectoryman Commented:

Yea, there is

Here you go:

Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows

http://www.microsoft.com/downloads/en/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
0
 
ActiveDirectoryman Commented:


Check out this article

Wireless networking in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/Wireless-Networking-Windows-2003.html
0
 
biofishfreak (Author) Commented:
AD man, would this sort of setup translate to a wired network? The recent issue we've had is a consultant was asked to sign onto our DMZ wireless network, but instead they plugged into our ethernet network. This is what we are trying to avoid right now. It's kind of looking like MAC address filtering is the way to go.
0
 
Craig Beck Commented:
You can make a RADIUS server using a Windows Server by installing IAS (2003) or NPS (2008).

However, Microsoft are a bit twitchy when it comes to supporting clients using 802.1X.
This would be the way to do it though, and I have deployed this in some big sites without any problems.

Of course, your switches will need to support 802.1X too.
0
 
ActiveDirectoryman Commented:

It explains that in the article.  It is very straight-forward.
0
 
biofishfreak (Author) Commented:
Awesome, thanks you two. I'm going to wait to double check with my network guy on this when he gets back in on Monday. I'll update everyone then.
0
 
biofishfreak (Author) Commented:
Wow, I suck at responding fast. So after talking with my Network Admin, we've decided to use some network monitoring software to detect when a new system comes onto the network, alert us, and we roll out ASAP to fix things. I appreciate both of your help, and assigned points to the both of you.
0
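The detect-and-alert approach settled on in the last comment can be sketched against the DHCP server's own audit log. This is an added example, not code from any participant in the thread; it assumes the comma-separated audit log layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) with event ID 10 for a new lease and 11 for a renewal, and the sample log lines, host names and `KNOWN_MACS` inventory are constructed.

```python
import csv
import io

# Constructed sample in the assumed DHCP audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,06/14/10,08:02:11,Assign,10.0.0.51,ws-014.corp.example,001A2B3C4D5E
11,06/14/10,08:30:47,Renew,10.0.0.52,ws-022.corp.example,001A2B3C4D5F
10,06/14/10,09:17:03,Assign,10.0.0.77,consultant-laptop,0023AE9910C4
10,06/14/10,09:17:40,Assign,10.0.0.77,consultant-laptop,0023AE9910C4
"""

# Hypothetical inventory of MACs belonging to domain-joined machines,
# deliberately written in mixed notations.
KNOWN_MACS = {"00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"}

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = lease renewed


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 uppercase hex digits."""
    return "".join(ch for ch in mac if ch.isalnum()).upper()


def find_unknown_leases(log_text, known_macs):
    """Return one alert per unknown MAC that obtained or renewed a lease."""
    known = {normalize_mac(m) for m in known_macs}
    alerts, seen = [], set()
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the header line and any short or non-lease rows.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        mac = normalize_mac(row[6])
        if not mac or mac in known or mac in seen:
            continue
        seen.add(mac)  # alert once per device, not once per log line
        alerts.append({"date": row[1], "time": row[2], "ip": row[4].strip(),
                       "host": row[5].strip(), "mac": mac})
    return alerts


if __name__ == "__main__":
    for a in find_unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print("UNKNOWN DEVICE {mac} ({host}) leased {ip} at {date} {time}".format(**a))
```

This only detects devices that request a lease and trusts the MAC the client reports, so it complements rather than replaces the 802.1X port authentication suggested earlier in the thread.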
Question has a verified solution.
