DHCP lease/Authentication

A Windows 2008 R2 Active Directory server is running the DHCP role.

As a PC connects to the LAN it gets its IP settings automatically and is ready to work.

We want some sort of control over this. Is there any way to authenticate or approve the IP of a connected PC?

Please advise.

Asked: sportsboy

4 Solutions

Svet Paperov (IT Manager) commented:
You need to set a DHCP Class ID to all computers that you want to allow to receive DHCP addresses from the server and create a DHCP scope that requires that Class ID.

Here is some information:
http://technet.microsoft.com/en-us/library/dd183656%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd759232.aspx
http://www.codedigest.com/Articles/Directory%20Service/67_Securing_your_network_using_Microsoft_Windows_DHCP.aspx

Svet Paperov (IT Manager) commented:
However, the DHCP Class ID is not a secure isolation method because an attacker can learn and set the same Class ID to his/her computer and receive a DHCP address.

A fully secure solution is Domain isolation. It implies using IPsec-secured communication between the clients and servers. For more information see: http://technet.microsoft.com/en-us/network/bb545651

Leon Fester commented:
You can use DHCP reservations to assign a specific IP address to a workstation having the MAC address specified in the DHCP reservation.

Here's how to add a reservation:
http://technet.microsoft.com/en-us/library/cc780408%28WS.10%29.aspx

Here are some limitations on reservations.
http://support.microsoft.com/kb/196066

xylog commented:
If you are looking to authenticate you can use ipsec or 802.1x to prevent unauthorized computers from getting on your network. Wired Networking with 802.1X Authentication -> http://technet.microsoft.com/en-us/network/bb545365

sportsboy (Author) commented:
Thanks, experts.

If I remove the word AUTHENTICATE/AUTHENTICATION from my post and just say I want no PC to get connected to my LAN without admin permission, what would you suggest?

There is no option in Windows 2008's DHCP role to fulfill this simple requirement.

Svet Paperov (IT Manager) commented:
The answer is still Authentication.

Or, DHCP reservation, or static IP addresses.

The basic idea of DHCP is to provide a requester with a valid IP address. Without an IP address no communication can occur and no authentication or isolation can be performed.

Finally, DHCP is the worst method of isolation. One can simply put a static IP address to his/her PC and will get access to the network.

xylog commented:
You can setup reservations for each new computer on your network and exclude the whole scope. This will in effect make it so no one can get a lease without having a reservation that must be created by an admin.

Svet Paperov (IT Manager) commented:
... but the user still can put a static IP and beat the system. Even worse, duplicate an existing IP.

ChiefIT commented:
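The exclusion-plus-reservation approach xylog describes, followed by a check for the static-IP bypass Svet points out, as an added example that is not part of the original thread. It assumes the script runs in an elevated PowerShell prompt on the 2008 R2 DHCP server itself, a scope of 192.168.10.0/24 with an address pool of 192.168.10.100 to 192.168.10.200, and an admin-maintained approved-device CSV (here written to a temp file with constructed sample rows); the scope, pool, file and device names are all assumptions. It drives the server with `netsh dhcp server`, which exists on 2008 R2; the DhcpServer PowerShell cmdlets only shipped with Server 2012.

```powershell
# Added example, not from the original thread. Assumed environment:
# local Windows Server 2008 R2 DHCP server, scope 192.168.10.0/24,
# pool 192.168.10.100-192.168.10.200, approved devices kept in a CSV.
$Scope     = '192.168.10.0'
$PoolStart = '192.168.10.100'
$PoolEnd   = '192.168.10.200'
$CsvPath   = Join-Path $env:TEMP 'approved-devices.csv'   # assumed location

# Constructed sample CSV (columns Name,MAC,IP), written here so the
# example is self-contained; in practice the admin maintains this file.
@'
Name,MAC,IP
PC-FINANCE-01,00-11-22-33-44-55,192.168.10.101
PC-HR-02,00-11-22-33-44-66,192.168.10.102
'@ | Set-Content -Path $CsvPath -Encoding ASCII

$approved = Import-Csv -Path $CsvPath

# 1. Exclude the entire pool: a client without a reservation now gets no lease.
netsh dhcp server scope $Scope add excluderange $PoolStart $PoolEnd

# 2. One reservation per approved MAC. The Windows DHCP server still honours
#    a reservation that lies inside an excluded range, which is what makes
#    the trick work. netsh wants the MAC as 12 hex digits, no separators.
foreach ($d in $approved) {
    $mac = $d.MAC -replace '[-:]', ''
    netsh dhcp server scope $Scope add reservedip $d.IP $mac $d.Name 'Admin-approved device' DHCP
}

# 3. The caveat from the thread: none of this stops a user from typing in a
#    static address. Compare the server's ARP cache with the approved list
#    and flag any MAC that is missing from it, or not on its reserved address.
$byMac = @{}
foreach ($d in $approved) {
    $byMac[($d.MAC -replace '[-:]', '').ToLower()] = $d.IP
}

$prefix = [regex]::Escape('192.168.10.')
arp -a | ForEach-Object {
    if ($_ -match "^\s*($prefix\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+dynamic") {
        $ip  = $matches[1]
        $mac = ($matches[2] -replace '-', '').ToLower()
        if (-not $byMac.ContainsKey($mac)) {
            Write-Warning "Unapproved host $ip ($mac): no reservation, probably a static IP"
        } elseif ($byMac[$mac] -ne $ip) {
            Write-Warning "$mac is on $ip, not its reserved $($byMac[$mac]): static IP or duplicate"
        }
    }
}
```

The ARP comparison only sees hosts the DHCP server has recently exchanged traffic with, so for a real sweep run the same comparison against the switch's MAC address table or the router's ARP cache. As the thread says, this is a speed bump rather than authentication: a user who sets a static address, or clones an approved MAC, still gets on the wire. 802.1X on the switch ports is what actually stops that.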
There are a lot of things you can do:

1) TACACS server (it's an AAA server, which means Authentication, Authorization, Access)
2) RADIUS server
3) MAC filtering (meaning only computers you touch get their MAC address authorized on the switch ports to communicate with the router)
4) Fixed IPs all the way

DHCP reservations will require you change the scope or not allow any IP within the address pool to grant an IP unless reserved. It would be more of a pain than going strictly fixed IPs.

Your best bet is a TACACS server.

If you plan on implementing wireless into your LAN, I HIGHLY recommend a TACACS server or RADIUS server. This way unauthorized people will NOT get an IP and access into your LAN.

The main difference between TACACS and RADIUS is with TACACS you can designate the three A's to other servers. So, an AD server can authenticate, while access is granted by a different server or even an access point. With RADIUS, authentication/authorization/access are all on one server.