Improve company productivity with a Business Account.Sign Up


Rerserving or Assigning  IP on Username instead of MAC address?

Posted on 2014-04-06
Medium Priority
Last Modified: 2014-05-06
Is it possible to reserve or assign an IP to a Usernames instead of MAC address  using Window 2008 Server or do I need a third party software to do this?  My Plan is when a user  logs in it would automatically grab a predefined IP.  Thanks in advance.
Question by:Victor_Torres
LVL 102

Expert Comment

ID: 39981956
Yes you can.  DHCP, Scope, Reservations and add the IP in there.

However it is a lot of work to keep up and changes as IP addresses change. I do not recommend it and I certainly would not institute Static IP's to do it (more work).

Accepted Solution

Delete earned 1000 total points
ID: 39981958
No it is not possible to do that through DHCP.  Your only option is by MAC address.  I am not aware of any third party tools that would do this either but there very well could be.  How would you handle a user being logged onto two computers at once?

A different option might be to use a script to statically assign specific IP's to logged on users and you could run it as a logon script.  However, the issue you would run into here potentially is having duplicate IP's on the network.
LVL 102

Expert Comment

ID: 39981960
I tie the MAC address to the IP address in my computer via DHCP Scope and I do that so I can use SMTP (normally disallowed at the client).  I assume something like this was what was meant.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

LVL 84

Expert Comment

by:Dave Baldwin
ID: 39982129
I don't believe it is possible at all.  The machine IP address, whether thru DHCP or fixed IP, is active thru the network interface on the remote machine.  If you do find a way, changing the IP address will disconnect everything that was previously connected to the network on that machine.  That will reset or clear any permissions that were based on that connection also.
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39982404
it is not possible because f the design or the way DHCP work. The IP assignment happens even before it recognizes a user name and at that level only MAC address is in the picture.
LVL 17

Expert Comment

ID: 39982875
DHCP can't do it, but 802.1X can.
AS far as I understand it, you would begin booting with a "temporary" IP address and then another IP address, mapped to user name, would be assigned AFTER login.

 Pre-Authentication Open Access

With Cisco IOS Release 12.2(33)SXI and later releases, any of the four host modes may be additionally configured to allow a device to gain network access before authentication. This pre-authentication open access is useful in an application such as the Pre-boot eXecution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.

Pre-authentication open access is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if pre-authentication open access is enabled with single-host mode, then the port will allow only one MAC address. When pre-authentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.
Understanding 802.1X Authentication with DHCP Snooping

With Cisco IOS Release 12.2(33)SXH and later releases, when the Dynamic Host Configuration Protocol (DHCP) snooping option-82 with data insertion feature is enabled, the switch can insert a client's 802.1X authenticated user identity information into the DHCP discovery process, allowing the DHCP server to assign IP addresses from different IP address pools to different classes of end users. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to allow services based on Layer 3 criteria.

After a successful 802.1X authentication between a supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. While performing DHCP snooping, the switch acts as a DHCP relay agent, receiving DHCP messages and regenerating those messages for transmission on another interface. When a client, after 802.1X authentication, sends a DHCP discovery message, the switch receives the packet. The switch adds to the packet a RADIUS attributes suboption section containing the stored RADIUS attributes of the client. The switch then submits the discovery broadcast again. The DHCP server receives the modified DHCP discovery packet and can, if configured to do so, use the authenticated user identity information when creating the IP address lease. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

The switch will automatically insert the authenticated user identity information when 802.1X authentication and DHCP snooping option-82 with data insertion features are enabled. To configure DHCP snooping option-82 with data insertion, see the "DHCP Snooping Option-82 Data Insertion" section.

For information about the data inserted in the RADIUS attributes suboption, see RFC 4014, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option."
Understanding 802.1X Accounting

The IEEE 802.1X standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1X accounting is disabled by default. With Release 12.2(33)SXH and later releases, you can enable 802.1X accounting to monitor the following activities on 802.1X-enabled ports:

•User successfully authenticates.

•User logs off.

•Link-down occurs.

•Reauthentication successfully occurs.

•Reauthentication fails.

The switch does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

The information sent to the RADIUS server is represented in the form of 802.1X Accounting Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1X accounting. Three types of RADIUS accounting packets are sent by a switch:

•START-Sent when a new user session starts.

•INTERIM-Sent during an existing session for updates.

•STOP-Sent when a session terminates.

Table 60-1 lists the AV pairs and indicates when they are sent are sent by the switch.

Some useful links :

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question