Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Prevent DHCP Lease unless Authenticated

Status
Not open for further replies.

Nes007

Technical User
Feb 10, 2005
4
US
I would like to know if there is a way to prevent folks from getting a DHCP released IP. If someone were to connect a PC to the domain they would get an IP, but would not be able to be on the domain unless it was added to Active Directory. I want to take it a step further and prevent folks from obtaining an IP unless it is in AD.
Even though they have an IP and can't enjoy the domain resources they are still able to surf. I want to prevent that from happening.

 
how the AD would know if the PC is "good" or "bad" without IP assigned?

The AD uses IP to communicate and it's a requred for AD to run.

You probably should be able to play with reservations and MAC filters, but I think it's road to a management nihjtmare
 
Unless you have a lot of nodes, maybe turn off DHCP and use static addressing.

pc.gif

Jomama
 
avilov - What you say is true, but there is a way. By adding the computer name to AD. You would need the neccesary rights to able to add a machine to your network. Then you would have DHCP verify that the name is there and then you get an IP. That would be the goal. MAC filtering is great, but when you are dealing with over 10K systems across the country it would be a nightmare especially in the begginging.

Jomama46 - Static Addressing would be crazy in the case. As I told avilov there are over 10K systems that would need static addresses and a managing system to be able to implement this. Too much potential to create another nightmare.

I found this out. has the technology for this issue called SAFE DHCP. It seems to have a good reputable partner list that implement this.

I am still doing research on this, but it has potential.
 
Another option maybe to look at implementing 802.1x, this prevents a port from becoming active unless the device is authenticated.
 
TripleT - Can you elaborate a little on how to implement 802.1x? Do you mean having to implement wireless or wireless security technology on ethernet?
 
Basically, although 802.1x has originated from Wireles it can be used on ethernet.

I believe, but stand to be corrected, that in order to get it to work on Cisco, you have to have Wireless support but do not need to use Wireless Access Points.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top