DHCP to authorised machines only 1

[sunil5]

Hi all,

I did find a thread with a similiar posting- but no real answer was given.

The subject is probably self-explaintory(?)

I would like to know how to restrict DHCP leasing to only corporate workstations and not to any other 'rogue' machines. Currently it is possible for users to bring in their own laptops and obtain an IP lease and away they are on the internet.

I have heard that MAC addresses/Computer names can be used but I couldn't see such an option on our NT 4 Server machine.

By the way, we do have a proxy set up integrated in the firewall.

Any help on this would be much appreciated.

Thanks,

Sunil

 

[Walter349]

You could do it by registering the wrkstn MAC addresses, but this can be work intensive to maintain an accurate up-to-date database in a large environment

 

[sunil5]

Thanks for the reply.

Like you said this would be mamouth task- collecting all the MAC addresses etc.

I've just looked into our proxy server (SmoothWall integrated) and don't see any option for proxy authentication- which probably would have done the trick.

 

[Claudek]

Collecting MAC addresses is not really that hard. A simple network scan will give that to you easily - use GFI network scanner for example. The more intensive part will be reserving the addresses which is more of a labor/time thing.
If someone was really wanting to get an address, they could spoof a real MAC address but then again, it is difficult to stop all attacks if someone is really determined.



Claudius (What certifications??)

http://www.iteq.com.au

 

[sunil5]

Thanks for the reply Claudek.

Yeah sorry that is what I was trying to get at- like you pointed out, it's the reserving of addresses which is going to be labour intensive.

I always knew that outsiders could connect to the internet using their own devices but it was just when we had an external network engineer connect his laptop (with my permission in this case) that I actually saw how easy it was to do.

I'm pretty sure that Windows NT 4 Server does not have any built in features to accomplish this.

 

[Walter349]

There are some commercial programs available to do this for you

 

[sunil5]

Any titles that you know of Walter349?

 

[Walter349]

Try Metainfo @

http://www.metainfo.com

 

[sunil5]

Nice one Walter349

 

[dszacik]

Anyone aware of doing this without vendor-specific hardware? Can I add a web interface to maintain DHCP's MAC table under Linux?

 

[GOstlund]

You may consider this of value:

http://netreg.sf.net/

Now, on the off chance that someone will just assume that I'm posting spam or advertising, I'll just give you the brief overview:
--- (From the site itself) ---
NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs.
--- End ---
Why would this be of benefit? Simply because this OpenSource (read: Free, well-written, well-tested, easily customizable) software could allow you to administer all those machines easily, not to mention that you could even code it such that the end-user can get themselves setup, all they would need is a single-use code from you... How do I know it can all be this simple? I'm using it for that exact purpose already.

----------
HTH
Gavin Ostlund