We help IT Professionals succeed at work.

How to create DHCP subnet scope for non-Windows


My Network Admin requested me to find a solution for making a custom Microsoft DHCP subnet for non-windows, to explain more :

I need to create a scope with a specific subnet , when anything non-windows (IPhone , IPad .. etc) try to take an ip through wireless it takes an ip from a specific subnet  

I have windows server 2008 R2

Any Solution ?

Watch Question

Maen Abu-TabanjehNetwork Administrator, Network Consultant
Top Expert 2011

am not sure about it , because never anyone asked me to do that , i did my best's to find resources that can help you ... check this :


it's just we need the IPhone and IPad people to get their IP's from specific subnet so we can assign some polices and filters on them
kevinhsiehNetwork Engineer

This more depends on your wireless access point capabilities. You need something that can support multiple SSID if you also want to use wireless PCs. The computers would use one SSID, and the mobile devices a different SSID. Each SSID would need its own VLAN, and from there they would have their own subnet so you can do the filtering.  

If you are connecting these devices only wirelessly then there is a chance as kevinhsieh suggests:

1) Set up a wireless access point with DHCP turned on and with the desired range.  Only expect those particular users to connect via this access point.

2) Have all other users connect via some other device(s) with DHCP range different.

Still, watch out for getting addresses from other parts of the network via the #1 access point above.  To test it, turn off its DHCP.  That's because most access points will pass through DHCP requests and, in that case, addresses outside its range could be leased.
so I guess there's no solution, cause i have people using the same access points using their laptops and their IPhone and IPad , anyway i guess i will go to more security and enforce the users use only lan cables to access our network and wireless only for mobile and guest laptops

Thanks for the support
Or add an access point with a different SSID just for mobile devices?  
Still presents a discipline issue though as you have to trust that people will follow the "rules".

Each manufacturer has a block of unique MAC addresses.  I don't know that you can set up a generic MAC address filter.  But, if one could do that, you might be able to filter the Apple devices, etc.
kevinhsiehNetwork Engineer

If you can add a second SSID as I suggested, you can enforce 802.1x security on the SSID for the PCs and laptops. The WAP can require that the devices authenticate using the computer account's AD credentials, which prevents rogue devices from connecting to that SSID. That is a technical solution that doesn't allow for people to break "the rules".

Still waiting for further clarification from hussein-Alrajeh.
Me and hussein-Alrajeh are at the same company :) that's why i response as him :)

The problem is all access points at everywhere and all people connecting through it by laptop and mobile devices , and everyone just used to connect their laptop and mobile devices through wireless, rarely who use the wired network cable for the connect ... so we want to isolate the laptop users and device users and the problem that all located at the same place and using the same access points  
kevinhsiehNetwork Engineer

If you can create a second SSID, you can use group policy to have all of the laptops connect to the new SSID, and to use machine authentication to connect authenticate to RADIUS server using enterprise WPA2. The mobile devices won't be able to connect to the SSID, because they won't have machine accounts in AD, and nobody knows those passwords, so you can't easily get on by using a user account password. Once all of the laptops are using the new SSID, put restrictions on the clients using the original SSID. You can possibly do this without any of your users needing to do anything. You might need to put the original SSID on a separate VLAN if it isn't already so you can easily filter the subnet.


You didn't say what was wrong with the solution I provided you.  Knowing its limitations in your situation might help a lot!
e.g. you haven't said if you have "cooperative users" or "non-cooperative users".  Now, I know that it's nice to assume that they are "non-cooperative" but that isn't a hard requirement unless YOU say so.