
Reserving or Assigning IP on Username instead of MAC address?

Posted on 2014-04-06
Medium Priority
Last Modified: 2014-05-06
Is it possible to reserve or assign an IP to a username instead of a MAC address using Windows 2008 Server, or do I need third-party software to do this? My plan is that when a user logs in, it would automatically grab a predefined IP. Thanks in advance.
Question by:Victor_Torres
LVL 99

Expert Comment

by:John Hurst
ID: 39981956
Yes you can.  DHCP, Scope, Reservations and add the IP in there.

However it is a lot of work to keep up and changes as IP addresses change. I do not recommend it and I certainly would not institute Static IP's to do it (more work).

Accepted Solution

Delete earned 1000 total points
ID: 39981958
No it is not possible to do that through DHCP.  Your only option is by MAC address.  I am not aware of any third party tools that would do this either but there very well could be.  How would you handle a user being logged onto two computers at once?

A different option might be to use a script to statically assign specific IP's to logged on users and you could run it as a logon script.  However, the issue you would run into here potentially is having duplicate IP's on the network.
LVL 99

Expert Comment

by:John Hurst
ID: 39981960
I tie the MAC address to the IP address in my computer via DHCP Scope and I do that so I can use SMTP (normally disallowed at the client).  I assume something like this was what was meant.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39982129
I don't believe it is possible at all.  The machine IP address, whether thru DHCP or fixed IP, is active thru the network interface on the remote machine.  If you do find a way, changing the IP address will disconnect everything that was previously connected to the network on that machine.  That will reset or clear any permissions that were based on that connection also.
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39982404
It is not possible because of the design or the way DHCP works. The IP assignment happens even before it recognizes a user name and at that level only MAC address is in the picture.
LVL 17

Expert Comment

ID: 39982875
DHCP can't do it, but 802.1X can.
As far as I understand it, you would begin booting with a "temporary" IP address and then another IP address, mapped to user name, would be assigned AFTER login.

Pre-Authentication Open Access

With Cisco IOS Release 12.2(33)SXI and later releases, any of the four host modes may be additionally configured to allow a device to gain network access before authentication. This pre-authentication open access is useful in an application such as the Pre-boot eXecution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.

Pre-authentication open access is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if pre-authentication open access is enabled with single-host mode, then the port will allow only one MAC address. When pre-authentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.

Understanding 802.1X Authentication with DHCP Snooping

With Cisco IOS Release 12.2(33)SXH and later releases, when the Dynamic Host Configuration Protocol (DHCP) snooping option-82 with data insertion feature is enabled, the switch can insert a client's 802.1X authenticated user identity information into the DHCP discovery process, allowing the DHCP server to assign IP addresses from different IP address pools to different classes of end users. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to allow services based on Layer 3 criteria.

After a successful 802.1X authentication between a supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. While performing DHCP snooping, the switch acts as a DHCP relay agent, receiving DHCP messages and regenerating those messages for transmission on another interface. When a client, after 802.1X authentication, sends a DHCP discovery message, the switch receives the packet. The switch adds to the packet a RADIUS attributes suboption section containing the stored RADIUS attributes of the client. The switch then submits the discovery broadcast again. The DHCP server receives the modified DHCP discovery packet and can, if configured to do so, use the authenticated user identity information when creating the IP address lease. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

The switch will automatically insert the authenticated user identity information when 802.1X authentication and DHCP snooping option-82 with data insertion features are enabled. To configure DHCP snooping option-82 with data insertion, see the "DHCP Snooping Option-82 Data Insertion" section.

For information about the data inserted in the RADIUS attributes suboption, see RFC 4014, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option."

Understanding 802.1X Accounting

The IEEE 802.1X standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1X accounting is disabled by default. With Release 12.2(33)SXH and later releases, you can enable 802.1X accounting to monitor the following activities on 802.1X-enabled ports:

• User successfully authenticates.

• User logs off.

• Link-down occurs.

• Reauthentication successfully occurs.

• Reauthentication fails.

The switch does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

The information sent to the RADIUS server is represented in the form of 802.1X Accounting Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1X accounting. Three types of RADIUS accounting packets are sent by a switch:

• START - Sent when a new user session starts.

• INTERIM - Sent during an existing session for updates.

• STOP - Sent when a session terminates.

Table 60-1 lists the AV pairs and indicates when they are sent by the switch.

Some useful links :



Question has a verified solution.
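
The 802.1X answer above describes the switch adding a RADIUS attributes suboption (RFC 4014) to DHCP option 82 so the server can lease by authenticated identity. The following is an added example, not code from the thread or from Cisco, showing how a DHCP server-side hook could extract the User-Name from that suboption; the user name, addresses and policy table are constructed for illustration.

```python
RADIUS_SUBOPTION = 7    # RADIUS Attributes suboption of option 82 (RFC 4014)
RADIUS_USER_NAME = 1    # RADIUS User-Name attribute (RFC 2865)

def tlv(buf, length_includes_header=False):
    """Yield (type, value) pairs; raise ValueError on truncated or malformed input."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = buf[i], buf[i + 1]
        if length_includes_header:       # a RADIUS length counts its own 2 header bytes
            if n < 2:
                raise ValueError("RADIUS attribute length < 2")
            n -= 2
        if i + 2 + n > len(buf):
            raise ValueError("TLV value overruns buffer")
        yield t, buf[i + 2:i + 2 + n]
        i += 2 + n

def authenticated_user(option82_payload):
    """Return the User-Name the relay inserted, or None if there is no RADIUS suboption."""
    for sub, data in tlv(option82_payload):
        if sub == RADIUS_SUBOPTION:
            for attr, value in tlv(data, length_includes_header=True):
                if attr == RADIUS_USER_NAME:
                    return value.decode("utf-8", errors="replace")
    return None

# Constructed policy table (hypothetical user and address).
USER_TO_IP = {"alice": "10.20.0.15"}

def pick_address(option82_payload, default_pool="10.20.1.0/24"):
    """Map the identity to a fixed address; otherwise fall back to the general pool."""
    try:
        user = authenticated_user(option82_payload)
    except ValueError:
        return ("pool", default_pool)    # malformed relay data never selects a per-user address
    return ("fixed", USER_TO_IP[user]) if user in USER_TO_IP else ("pool", default_pool)

# Constructed sample: suboption 1 (Circuit ID), then suboption 7 carrying User-Name "alice".
user_attr = bytes([RADIUS_USER_NAME, 2 + 5]) + b"alice"
SAMPLE = bytes([1, 4]) + b"Gi01" + bytes([RADIUS_SUBOPTION, len(user_attr)]) + user_attr

if __name__ == "__main__":
    print(authenticated_user(SAMPLE), pick_address(SAMPLE))
```

The identity is only as trustworthy as the relay that inserted it, so a server using this should honour option 82 only from its configured relay agents.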