Solved

Reserving or Assigning IP on Username instead of MAC address?

Posted on 2014-04-06
Last Modified: 2014-05-06
Is it possible to reserve or assign an IP to a username instead of a MAC address using Windows 2008 Server, or do I need third-party software to do this?  My plan is that when a user logs in, it would automatically grab a predefined IP.  Thanks in advance.
Question by:Victor_Torres
6 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 39981956
Yes you can.  DHCP, Scope, Reservations and add the IP in there.

However it is a lot of work to keep up and changes as IP addresses change. I do not recommend it and I certainly would not institute Static IP's to do it (more work).
0
 
LVL 7

Accepted Solution

by:
Delete earned 250 total points
ID: 39981958
No it is not possible to do that through DHCP.  Your only option is by MAC address.  I am not aware of any third party tools that would do this either but there very well could be.  How would you handle a user being logged onto two computers at once?

A different option might be to use a script to statically assign specific IP's to logged on users and you could run it as a logon script.  However, the issue you would run into here potentially is having duplicate IP's on the network.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39981960
I tie the MAC address to the IP address in my computer via DHCP Scope and I do that so I can use SMTP (normally disallowed at the client).  I assume something like this was what was meant.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39982129
I don't believe it is possible at all.  The machine IP address, whether thru DHCP or fixed IP, is active thru the network interface on the remote machine.  If you do find a way, changing the IP address will disconnect everything that was previously connected to the network on that machine.  That will reset or clear any permissions that were based on that connection also.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39982404
It is not possible because of the design or the way DHCP works. The IP assignment happens even before it recognizes a user name and at that level only MAC address is in the picture.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39982875
DHCP can't do it, but 802.1X can.
As far as I understand it, you would begin booting with a "temporary" IP address and then another IP address, mapped to user name, would be assigned AFTER login.

 Pre-Authentication Open Access

With Cisco IOS Release 12.2(33)SXI and later releases, any of the four host modes may be additionally configured to allow a device to gain network access before authentication. This pre-authentication open access is useful in an application such as the Pre-boot eXecution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.

Pre-authentication open access is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if pre-authentication open access is enabled with single-host mode, then the port will allow only one MAC address. When pre-authentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.

Understanding 802.1X Authentication with DHCP Snooping

With Cisco IOS Release 12.2(33)SXH and later releases, when the Dynamic Host Configuration Protocol (DHCP) snooping option-82 with data insertion feature is enabled, the switch can insert a client's 802.1X authenticated user identity information into the DHCP discovery process, allowing the DHCP server to assign IP addresses from different IP address pools to different classes of end users. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to allow services based on Layer 3 criteria.

After a successful 802.1X authentication between a supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. While performing DHCP snooping, the switch acts as a DHCP relay agent, receiving DHCP messages and regenerating those messages for transmission on another interface. When a client, after 802.1X authentication, sends a DHCP discovery message, the switch receives the packet. The switch adds to the packet a RADIUS attributes suboption section containing the stored RADIUS attributes of the client. The switch then submits the discovery broadcast again. The DHCP server receives the modified DHCP discovery packet and can, if configured to do so, use the authenticated user identity information when creating the IP address lease. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

The switch will automatically insert the authenticated user identity information when 802.1X authentication and DHCP snooping option-82 with data insertion features are enabled. To configure DHCP snooping option-82 with data insertion, see the "DHCP Snooping Option-82 Data Insertion" section.

For information about the data inserted in the RADIUS attributes suboption, see RFC 4014, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option."

Understanding 802.1X Accounting

The IEEE 802.1X standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1X accounting is disabled by default. With Release 12.2(33)SXH and later releases, you can enable 802.1X accounting to monitor the following activities on 802.1X-enabled ports:

• User successfully authenticates.
• User logs off.
• Link-down occurs.
• Reauthentication successfully occurs.
• Reauthentication fails.

The switch does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

The information sent to the RADIUS server is represented in the form of 802.1X Accounting Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1X accounting. Three types of RADIUS accounting packets are sent by a switch:

• START - Sent when a new user session starts.
• INTERIM - Sent during an existing session for updates.
• STOP - Sent when a session terminates.

Table 60-1 lists the AV pairs and indicates when they are sent by the switch.

Some useful links :
http://en.wikipedia.org/wiki/IEEE_802.1X

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html
0
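
The option-82 mechanism quoted in the last comment, seen from the DHCP server side, as an added example that is not part of the thread or of Cisco's documentation. It parses a relay agent information option, pulls the User-Name out of the RFC 4014 RADIUS Attributes suboption (code 7) and picks an address pool; the pool table, user names, addresses and the `build_sample` helper are constructed for illustration.

```python
# Added example: DHCP option 82 carrying the RFC 4014 RADIUS Attributes suboption.
RADIUS_SUBOPT = 7               # suboption code assigned by RFC 4014
USER_NAME, FRAMED_POOL = 1, 88  # RADIUS attribute types
# Hypothetical policy table, constructed for this example: user -> pool.
POOLS = {"alice": "10.20.0.0/24"}
DEFAULT_POOL = "10.99.0.0/24"

def parse_tlvs(data, radius_style):
    """Split bytes into (type, value) pairs, rejecting inconsistent lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        kind, length = data[i], data[i + 1]
        if radius_style:            # RADIUS length counts its own 2 header bytes
            if length < 2:
                raise ValueError("RADIUS attribute length below 2")
            length -= 2
        end = i + 2 + length
        if end > len(data):
            raise ValueError("TLV overruns buffer")
        out.append((kind, data[i + 2:end]))
        i = end
    return out

def identity_from_option82(opt82):
    """Return the user and pool named in the RADIUS suboption, if any."""
    ident = {"user": None, "pool": None}
    for code, value in parse_tlvs(opt82, radius_style=False):
        if code != RADIUS_SUBOPT:
            continue                # e.g. circuit-id (1) or remote-id (2)
        for atype, aval in parse_tlvs(value, radius_style=True):
            if atype == USER_NAME:
                ident["user"] = aval.decode("utf-8", "replace")
            elif atype == FRAMED_POOL:
                ident["pool"] = aval.decode("utf-8", "replace")
    return ident

def choose_pool(opt82):
    """Unknown or missing identities fall back to the default pool."""
    return POOLS.get(identity_from_option82(opt82)["user"], DEFAULT_POOL)

def build_sample(user):
    """Constructed option 82 payload: a circuit-id plus a RADIUS suboption."""
    name = user.encode()
    radius = bytes([USER_NAME, len(name) + 2]) + name
    circuit = bytes([1, 4]) + b"\x00\x04\x00\x01"
    return circuit + bytes([RADIUS_SUBOPT, len(radius)]) + radius

SAMPLE = build_sample("alice")
```

The identity is whatever the inserting switch wrote, so a server applying such a policy should accept option 82 only from relay agents it trusts.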
