How to create a DHCP subnet scope for non-Windows devices


My network admin asked me to find a solution for making a custom Microsoft DHCP subnet for non-Windows devices. To explain more:

I need to create a scope with a specific subnet, so that when anything non-Windows (iPhone, iPad, etc.) tries to take an IP over wireless, it takes an IP from that specific subnet.

I have Windows Server 2008 R2.

Any solution?


Maen Abu-Tabanjeh (Network Administrator, Network Consultant) commented:
I am not sure about it, because no one has ever asked me to do that. I did my best to find resources that can help you... check this:
It's just that we need the iPhone and iPad people to get their IPs from a specific subnet so we can assign some policies and filters to them.
This depends more on your wireless access point capabilities. You need something that can support multiple SSIDs if you also want to use wireless PCs. The computers would use one SSID, and the mobile devices a different SSID. Each SSID would need its own VLAN, and from there they would have their own subnet so you can do the filtering.


Fred Marshall (Principal) commented:
If you are connecting these devices only wirelessly, then there is a chance, as kevinhsieh suggests:

1) Set up a wireless access point with DHCP turned on and with the desired range. Only expect those particular users to connect via this access point.

2) Have all other users connect via some other device(s) with a different DHCP range.

Still, watch out for getting addresses from other parts of the network via the #1 access point above. To test it, turn off its DHCP. That's because most access points will pass through DHCP requests and, in that case, addresses outside its range could be leased.
So I guess there's no solution, because I have people using the same access points with their laptops and their iPhones and iPads. Anyway, I guess I will go for more security and force the users to use only LAN cables to access our network, and wireless only for mobile devices and guest laptops.

Thanks for the support
Fred Marshall (Principal) commented:
Or add an access point with a different SSID just for mobile devices?
Still presents a discipline issue, though, as you have to trust that people will follow the "rules".

Each manufacturer has a block of unique MAC addresses. I don't know that you can set up a generic MAC address filter. But, if one could do that, you might be able to filter the Apple devices, etc.
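The two points Fred raises above, that a mobile device may pick up a lease from the wrong DHCP server when an access point passes requests through, and that manufacturers own blocks of MAC addresses (the OUI, the first three octets), can be turned into a simple audit. The script below is an added example, not code from the thread or from Microsoft: it parses a constructed set of lease records (ip,mac,hostname), groups them by vendor using a hypothetical OUI table (placeholder prefixes, not real vendor assignments; a real deployment would use the IEEE OUI registry), and reports any device of a given vendor that holds an address outside the scope it was supposed to get. Function names, the lease format and all sample values are assumptions made for this example.

```python
"""Audit DHCP leases by MAC OUI (added example, not from the thread).

Constructed input: a few lease records in "ip,mac,hostname" form.
Assumed: the OUI-to-vendor table below is a placeholder, not a real
vendor database.
"""
import ipaddress
from collections import defaultdict

# Hypothetical OUI table (constructed prefixes, not real vendor assignments).
OUI_VENDORS = {
    "AA:BB:C0": "MobileVendor",
    "AA:BB:C1": "MobileVendor",
    "DD:EE:F0": "LaptopVendor",
}

# Constructed lease records: ip,mac,hostname (MACs in both '-' and ':' forms,
# as different tools print them).
SAMPLE_LEASES = """\
192.168.10.21,aa-bb-c0-11-22-33,iphone-of-alice
192.168.10.22,AA:BB:C1:44:55:66,ipad-of-bob
192.168.20.5,dd:ee:f0:77:88:99,LAPTOP-CAROL
192.168.20.9,aa:bb:c0:ab:cd:ef,iphone-of-dave
192.168.20.10,11:22:33:44:55:66,unknown-thing
"""


def normalize_mac(mac: str) -> str:
    """Return the upper-case, colon-separated form; accept '-' or ':' input."""
    parts = mac.replace("-", ":").upper().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(parts)


def vendor_of(mac: str) -> str:
    """Look up the OUI (first three octets); 'unknown' if not in the table."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown")


def parse_leases(text: str):
    """Yield (ip, mac, hostname) from the constructed lease format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, host = (f.strip() for f in line.split(",", 2))
        yield ipaddress.ip_address(ip), normalize_mac(mac), host


def leases_by_vendor(text: str) -> dict:
    """Group leases by vendor name; values are (ip, mac, hostname) tuples."""
    grouped = defaultdict(list)
    for ip, mac, host in parse_leases(text):
        grouped[vendor_of(mac)].append((str(ip), mac, host))
    return dict(grouped)


def misplaced_leases(text: str, vendor: str, expected_scope: str) -> list:
    """Devices of `vendor` holding an address outside `expected_scope`.

    A non-empty result is the leak described in the thread: the device
    obtained a lease from some other DHCP server or scope.
    """
    scope = ipaddress.ip_network(expected_scope)
    return [
        (str(ip), mac, host)
        for ip, mac, host in parse_leases(text)
        if vendor_of(mac) == vendor and ip not in scope
    ]


if __name__ == "__main__":
    for vendor, leases in sorted(leases_by_vendor(SAMPLE_LEASES).items()):
        print(f"{vendor}: {len(leases)} lease(s)")
    for entry in misplaced_leases(SAMPLE_LEASES, "MobileVendor", "192.168.10.0/24"):
        print("MISPLACED:", entry)
```

Run against a real lease export, a non-empty `misplaced_leases` list is the signal that the access point is forwarding DHCP requests to the main scope, which is exactly the failure Fred suggests testing for by switching the access point's DHCP off.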
If you can add a second SSID as I suggested, you can enforce 802.1x security on the SSID for the PCs and laptops. The WAP can require that the devices authenticate using the computer account's AD credentials, which prevents rogue devices from connecting to that SSID. That is a technical solution that doesn't allow for people to break "the rules".

Still waiting for further clarification from hussein-Alrajeh.
hussein-Alrajeh and I are at the same company :) that's why I respond as him :)

The problem is that there are access points everywhere, and all people connect through them with laptops and mobile devices. Everyone is used to connecting their laptop and mobile devices through wireless; rarely does anyone use the wired network cable to connect. So we want to isolate the laptop users from the device users, and the problem is that they are all located in the same place and using the same access points.
If you can create a second SSID, you can use group policy to have all of the laptops connect to the new SSID, and to use machine authentication to authenticate to the RADIUS server using enterprise WPA2. The mobile devices won't be able to connect to the SSID, because they won't have machine accounts in AD, and nobody knows those passwords, so you can't easily get on by using a user account password. Once all of the laptops are using the new SSID, put restrictions on the clients using the original SSID. You can possibly do this without any of your users needing to do anything. You might need to put the original SSID on a separate VLAN if it isn't already, so you can easily filter the subnet.
hussein-Alrajeh (Author) commented:
Fred Marshall (Principal) commented:
You didn't say what was wrong with the solution I provided you. Knowing its limitations in your situation might help a lot!
Fred Marshall (Principal) commented:
E.g., you haven't said whether you have "cooperative users" or "non-cooperative users". Now, I know that it's nice to assume that they are "non-cooperative", but that isn't a hard requirement unless YOU say so.
