Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Rerserving or Assigning  IP on Username instead of MAC address?

Posted on 2014-04-06
Medium Priority
Last Modified: 2014-05-06
Is it possible to reserve or assign an IP to a Usernames instead of MAC address  using Window 2008 Server or do I need a third party software to do this?  My Plan is when a user  logs in it would automatically grab a predefined IP.  Thanks in advance.
Question by:Victor_Torres
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 98

Expert Comment

by:John Hurst
ID: 39981956
Yes you can.  DHCP, Scope, Reservations and add the IP in there.

However it is a lot of work to keep up and changes as IP addresses change. I do not recommend it and I certainly would not institute Static IP's to do it (more work).

Accepted Solution

Delete earned 1000 total points
ID: 39981958
No it is not possible to do that through DHCP.  Your only option is by MAC address.  I am not aware of any third party tools that would do this either but there very well could be.  How would you handle a user being logged onto two computers at once?

A different option might be to use a script to statically assign specific IP's to logged on users and you could run it as a logon script.  However, the issue you would run into here potentially is having duplicate IP's on the network.
LVL 98

Expert Comment

by:John Hurst
ID: 39981960
I tie the MAC address to the IP address in my computer via DHCP Scope and I do that so I can use SMTP (normally disallowed at the client).  I assume something like this was what was meant.
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

LVL 84

Expert Comment

by:Dave Baldwin
ID: 39982129
I don't believe it is possible at all.  The machine IP address, whether thru DHCP or fixed IP, is active thru the network interface on the remote machine.  If you do find a way, changing the IP address will disconnect everything that was previously connected to the network on that machine.  That will reset or clear any permissions that were based on that connection also.
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39982404
it is not possible because f the design or the way DHCP work. The IP assignment happens even before it recognizes a user name and at that level only MAC address is in the picture.
LVL 17

Expert Comment

ID: 39982875
DHCP can't do it, but 802.1X can.
AS far as I understand it, you would begin booting with a "temporary" IP address and then another IP address, mapped to user name, would be assigned AFTER login.

 Pre-Authentication Open Access

With Cisco IOS Release 12.2(33)SXI and later releases, any of the four host modes may be additionally configured to allow a device to gain network access before authentication. This pre-authentication open access is useful in an application such as the Pre-boot eXecution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.

Pre-authentication open access is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if pre-authentication open access is enabled with single-host mode, then the port will allow only one MAC address. When pre-authentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.
Understanding 802.1X Authentication with DHCP Snooping

With Cisco IOS Release 12.2(33)SXH and later releases, when the Dynamic Host Configuration Protocol (DHCP) snooping option-82 with data insertion feature is enabled, the switch can insert a client's 802.1X authenticated user identity information into the DHCP discovery process, allowing the DHCP server to assign IP addresses from different IP address pools to different classes of end users. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to allow services based on Layer 3 criteria.

After a successful 802.1X authentication between a supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. While performing DHCP snooping, the switch acts as a DHCP relay agent, receiving DHCP messages and regenerating those messages for transmission on another interface. When a client, after 802.1X authentication, sends a DHCP discovery message, the switch receives the packet. The switch adds to the packet a RADIUS attributes suboption section containing the stored RADIUS attributes of the client. The switch then submits the discovery broadcast again. The DHCP server receives the modified DHCP discovery packet and can, if configured to do so, use the authenticated user identity information when creating the IP address lease. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

The switch will automatically insert the authenticated user identity information when 802.1X authentication and DHCP snooping option-82 with data insertion features are enabled. To configure DHCP snooping option-82 with data insertion, see the "DHCP Snooping Option-82 Data Insertion" section.

For information about the data inserted in the RADIUS attributes suboption, see RFC 4014, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option."
Understanding 802.1X Accounting

The IEEE 802.1X standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1X accounting is disabled by default. With Release 12.2(33)SXH and later releases, you can enable 802.1X accounting to monitor the following activities on 802.1X-enabled ports:

•User successfully authenticates.

•User logs off.

•Link-down occurs.

•Reauthentication successfully occurs.

•Reauthentication fails.

The switch does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

The information sent to the RADIUS server is represented in the form of 802.1X Accounting Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1X accounting. Three types of RADIUS accounting packets are sent by a switch:

•START-Sent when a new user session starts.

•INTERIM-Sent during an existing session for updates.

•STOP-Sent when a session terminates.

Table 60-1 lists the AV pairs and indicates when they are sent are sent by the switch.

Some useful links :

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question