Restricting DHCP

[bigsnowy]

Howdy Y'all I gotta use your Brain for a sec....

Is there any way to prevent unauthorized users from plugging in to my network/domain? (ie with laptops) and getting an IP?
I know that they will be very limited in movement even with them getting an IP but still I want to try and prevent it from happening period.

This is a large organization so assigning by MAC for each and every PC is not feasable and limiting the DHCP scope to the exact number of clients we currently have is not an option either.

This is a windows 2000 domain with 90% win2k Pro clients.

Thanks!

 

[Dan O]

The problem is that a person does not have to logon to the domain to get an IP address and use the network, so even if you could block using Windows 2000 it would not really help. You mention the number one method, using Mac addresses but it does require a lot of work. Another option is you could purchase routers or switches that offered port security. Or Cisco's URT (User Registration Tool), which can be tied to an Windows IDs.

 

[Rockn]

How are they logging in as unauthorized users in the first place? Don't you use some kind of authentication for users to access your network? What's wrong with a username and password. Windows and DHCP will not normally give an IP addres unless they are authenticated by a login session.

 

[bigsnowy]

I am actually looking into the URT recommendation right now.

They are not loggin in as unauth. users right now, I was just trying to my unauthorized Computer/Laptops from plugging into the network and getting an IP from the DHCP.

They can't login but they are able to see the number scheme 192.168.x.x etc

All computers get an IP at boot up on a DHCP w/ automatic DHCP clients, not when they login.

 

[Dan O]

The URT uses layer 2 and 3 switching. What you do with the URT is setup your local LAN with no default routed connections. A user is prompted for a ID and password and it's validated. If authorized the user is the switched to a group they belong too. i.e. Accounting or Sales. The URT is pretty cool.

 

[p5mmx10g]

reconfig the dhcp server
use static. that will restic any unwanted connection to your network, other wise if a laptop using windows 98 will see your dhcp

 

[bigsnowy]

to much overhead to configure all 500 or so machines to a static ip.

 

[p5mmx10g]

i don't think there is anyway to stop this.

the computer can't tell who is authorized and who is not, unless you do something on it.

 

[myrddinbach]

Use IAS authentication. Set your switches for PEAP and use IAS w/ PEAP and certificates. You can set it for computer authentication only - then if you plug in a rogue machine that is not part of a domain it will fail to authorize and you will get an apipa address and no connectivity.