Solved

Reserving or Assigning IP on Username instead of MAC address?

Posted on 2014-04-06
Last Modified: 2014-05-06
Is it possible to reserve or assign an IP to a username instead of a MAC address using Windows 2008 Server, or do I need third-party software to do this? My plan is that when a user logs in, it would automatically grab a predefined IP. Thanks in advance.
0
Question by:Victor_Torres
6 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 39981956
Yes you can.  DHCP, Scope, Reservations and add the IP in there.

However it is a lot of work to keep up and changes as IP addresses change. I do not recommend it and I certainly would not institute Static IP's to do it (more work).
0
 
LVL 7

Accepted Solution

by:
Delete earned 250 total points
ID: 39981958
No it is not possible to do that through DHCP.  Your only option is by MAC address.  I am not aware of any third party tools that would do this either but there very well could be.  How would you handle a user being logged onto two computers at once?

A different option might be to use a script to statically assign specific IP's to logged on users and you could run it as a logon script.  However, the issue you would run into here potentially is having duplicate IP's on the network.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39981960
I tie the MAC address to the IP address in my computer via DHCP Scope and I do that so I can use SMTP (normally disallowed at the client).  I assume something like this was what was meant.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39982129
I don't believe it is possible at all.  The machine IP address, whether thru DHCP or fixed IP, is active thru the network interface on the remote machine.  If you do find a way, changing the IP address will disconnect everything that was previously connected to the network on that machine.  That will reset or clear any permissions that were based on that connection also.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39982404
It is not possible because of the design or the way DHCP works. The IP assignment happens even before it recognizes a user name, and at that level only the MAC address is in the picture.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39982875
DHCP can't do it, but 802.1X can.
As far as I understand it, you would begin booting with a "temporary" IP address and then another IP address, mapped to user name, would be assigned AFTER login.

Pre-Authentication Open Access

With Cisco IOS Release 12.2(33)SXI and later releases, any of the four host modes may be additionally configured to allow a device to gain network access before authentication. This pre-authentication open access is useful in an application such as the Pre-boot eXecution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.

Pre-authentication open access is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if pre-authentication open access is enabled with single-host mode, then the port will allow only one MAC address. When pre-authentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.

Understanding 802.1X Authentication with DHCP Snooping

With Cisco IOS Release 12.2(33)SXH and later releases, when the Dynamic Host Configuration Protocol (DHCP) snooping option-82 with data insertion feature is enabled, the switch can insert a client's 802.1X authenticated user identity information into the DHCP discovery process, allowing the DHCP server to assign IP addresses from different IP address pools to different classes of end users. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to allow services based on Layer 3 criteria.

After a successful 802.1X authentication between a supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. While performing DHCP snooping, the switch acts as a DHCP relay agent, receiving DHCP messages and regenerating those messages for transmission on another interface. When a client, after 802.1X authentication, sends a DHCP discovery message, the switch receives the packet. The switch adds to the packet a RADIUS attributes suboption section containing the stored RADIUS attributes of the client. The switch then submits the discovery broadcast again. The DHCP server receives the modified DHCP discovery packet and can, if configured to do so, use the authenticated user identity information when creating the IP address lease. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

The switch will automatically insert the authenticated user identity information when 802.1X authentication and DHCP snooping option-82 with data insertion features are enabled. To configure DHCP snooping option-82 with data insertion, see the "DHCP Snooping Option-82 Data Insertion" section.

For information about the data inserted in the RADIUS attributes suboption, see RFC 4014, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option."

Understanding 802.1X Accounting

The IEEE 802.1X standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1X accounting is disabled by default. With Release 12.2(33)SXH and later releases, you can enable 802.1X accounting to monitor the following activities on 802.1X-enabled ports:

  • User successfully authenticates.
  • User logs off.
  • Link-down occurs.
  • Reauthentication successfully occurs.
  • Reauthentication fails.

The switch does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

The information sent to the RADIUS server is represented in the form of 802.1X Accounting Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1X accounting. Three types of RADIUS accounting packets are sent by a switch:

  • START: Sent when a new user session starts.
  • INTERIM: Sent during an existing session for updates.
  • STOP: Sent when a session terminates.

Table 60-1 lists the AV pairs and indicates when they are sent by the switch.

Some useful links :
http://en.wikipedia.org/wiki/IEEE_802.1X

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html
0
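
The option-82 flow quoted in the comment above, seen from the DHCP server side, as an added example that is not part of the original thread or of Cisco's documentation: it walks the DHCP options, pulls the RFC 4014 RADIUS Attributes suboption (suboption 7) out of option 82, and maps the 802.1X User-Name to a reserved address. The reservation table, function names and sample packet bytes are constructed assumptions.

```python
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_RADIUS_ATTRS = 7   # RFC 4014 RADIUS Attributes suboption
RADIUS_USER_NAME = 1      # RFC 2865 User-Name attribute

# Constructed user-to-IP reservations (hypothetical names and addresses).
USER_RESERVATIONS = {"alice": "10.20.0.15"}

def walk(buf, dhcp=False, radius=False):
    """Yield (code, value) from type/length/value records, rejecting bad lengths.
    dhcp=True honours PAD/END; radius=True means the length counts its own header."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == OPT_END:
            return
        if dhcp and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated record header")
        size = buf[i + 1] - (2 if radius else 0)
        if size < 0 or i + 2 + size > len(buf):
            raise ValueError("record length overruns buffer")
        yield code, buf[i + 2:i + 2 + size]
        i += 2 + size

def authenticated_user(options):
    """Return the User-Name the relay inserted into option 82, or None."""
    for code, relay_info in walk(options, dhcp=True):
        if code != OPT_RELAY_AGENT_INFO:
            continue
        for sub, body in walk(relay_info):
            if sub != SUBOPT_RADIUS_ATTRS:
                continue
            for attr, value in walk(body, radius=True):
                if attr == RADIUS_USER_NAME:
                    return value.decode("utf-8", "replace")
    return None

def choose_address(options, pool_address):
    """Use the per-user reservation if the relay vouched for a known user."""
    return USER_RESERVATIONS.get(authenticated_user(options), pool_address)

def build_sample(user):
    """Constructed DISCOVER options: message type, option 82, END."""
    attr = bytes([RADIUS_USER_NAME, len(user) + 2]) + user
    relay = bytes([1, 4]) + b"Gi1/" + bytes([SUBOPT_RADIUS_ATTRS, len(attr)]) + attr
    return bytes([53, 1, 1, OPT_RELAY_AGENT_INFO, len(relay)]) + relay + bytes([OPT_END])
```

The server should accept option 82 only on packets arriving from the trusted relay (the switch), since the identity in the suboption is whatever the sender of the packet put there.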