Status
Not open for further replies.

Restricting DHCP

914 views 8 replies 5 participants last post by  myrddinbach 
#1 ·
Howdy Y'all I gotta use your Brain for a sec....

Is there any way to prevent unauthorized users from plugging in to my network/domain (i.e. with laptops) and getting an IP?
I know that they will be very limited in movement even with them getting an IP but still I want to try and prevent it from happening period.

This is a large organization so assigning by MAC for each and every PC is not feasible and limiting the DHCP scope to the exact number of clients we currently have is not an option either.

This is a Windows 2000 domain with 90% win2k Pro clients.

Thanks!
 
#2 ·
The problem is that a person does not have to log on to the domain to get an IP address and use the network, so even if you could block using Windows 2000 it would not really help. You mention the number one method, using MAC addresses, but it does require a lot of work. Another option is you could purchase routers or switches that offer port security. Or Cisco's URT (User Registration Tool), which can be tied to Windows IDs.
 
#3 ·
How are they logging in as unauthorized users in the first place? Don't you use some kind of authentication for users to access your network? What's wrong with a username and password? Windows and DHCP will not normally give an IP address unless they are authenticated by a login session.
 
#4 ·
I am actually looking into the URT recommendation right now.

They are not logging in as unauth. users right now, I was just trying to prevent unauthorized computers/laptops from plugging into the network and getting an IP from the DHCP.

They can't log in but they are able to see the number scheme 192.168.x.x etc.

All computers get an IP at boot up on a DHCP w/ automatic DHCP clients, not when they login.
 
#5 ·
The URT uses layer 2 and 3 switching. What you do with the URT is set up your local LAN with no default routed connections. A user is prompted for an ID and password and it's validated. If authorized, the user is then switched to a group they belong to, i.e. Accounting or Sales. The URT is pretty cool.
 
#9 ·
Use IAS authentication. Set your switches for PEAP and use IAS w/ PEAP and certificates. You can set it for computer authentication only - then if you plug in a rogue machine that is not part of a domain it will fail to authorize and you will get an APIPA address and no connectivity.
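
The switch side of the 802.1X setup suggested in #9, as an added example that is not part of any post in this thread. It assumes a Cisco Catalyst switch using the classic IOS `dot1x` syntax; the server address, shared secret and interface name are placeholders. The switch only relays EAP to the RADIUS server, so the PEAP method and the computer-only policy are set on IAS and on the clients.

```cisco
! Constructed example: address, secret and interface are placeholders.
aaa new-model
! Send 802.1X authentication requests to the RADIUS server group (IAS here).
aaa authentication dot1x default group radius
! Enable 802.1X globally on the switch.
dot1x system-auth-control
! IAS server; 192.0.2.10 is a documentation address, not a real host.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
interface FastEthernet0/1
 description user access port
 switchport mode access
! The port stays unauthorized until the attached machine authenticates,
! so a rogue laptop never reaches the DHCP server.
 dot1x port-control auto
 spanning-tree portfast
```

Leave uplinks, trunks and the port facing the IAS server out of `dot1x port-control auto`, or the switch cannot reach RADIUS to authorize anyone.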
 