Re: Re: DHCP Authorization in active directory.
- From: "Paul" <Paul@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 May 2005 11:22:09 -0700
Infrastructure products to assist:
- Cisco ACS
- Cisco WLSE (Wireless)

** A Cisco Agent hooks into AD; then, when a client asks for an IP address,
the Cisco device simply asks for the AD credentials. If they match, they get
an IP; if they don't, no access.

VLANs are also a way of helping limit unauthorized users to a degree.

"MoscowHippy" wrote:
> "ping2" wrote:
> > Hi Lara, thanks for the info. I had a feeling that your answer
> > would be no.
> >
> > It would be real nice if DHCP did auth against AD; this would put
> > an end to free internet access to rogue laptops. As I see it, then,
> > there is no point in authorizing DHCP in Active Directory. I think
> > MS's intent was to try to stop rogue DHCP servers from assigning
> > bad IPs with this method.
> >
> > The problem with DHCP is that whatever DHCP server responds to a
> > client's request first normally assigns the IP to the client. If
> > you really want to hose an internal network, just hook up a
> > low-cost Netgear router and hand out DHCP assignments on your
> > subnet...
> >
> > I've got about 200 client PCs on the network. In the above test the
> > Netgear typically beat the MS DHCP server in assigning IPs to the
> > client. Needless to say, they were the wrong IPs.
> >
> > Thanks for your insight.
> >
> > JJ
> >
> > On 10 Jan 2005 14:51:44 -0500, lforbes <UseLinkToEmail@xxxxxxxxxxxxxxxxx> wrote:
> >
> > >Hi,
> > >
> > > > Here is what I am trying to accomplish. Person hooks up their
> > > > laptop to company network. Laptop broadcasts for a DHCP
> > > > assignment; DHCP server responds. DHCP server checks Active
> > > > Directory for a valid user... None exists. DHCP declines
> > > > assigning the IP.
> > >
> > >I also posed this question a month back and the answer is no. DHCP
> > >doesn't authenticate to AD and therefore anyone with a laptop can
> > >get an IP. DHCP is not domain specific.
> > >
> > >The only way I have got around this somewhat is to install an ISA
> > >server. The only reason my users plug their laptops in is to get
> > >internet service. The ISA requires AD authentication, so therefore
> > >no internet service.
> > >
> > >I also scan my DHCP on a daily basis. All my network names are
> > >easily identified and start with the same letter, R for Room #,
> > >e.g. R123-123.
> > >
> > >If I see an unidentified machine, I get the MAC address and then
> > >assign an IP like 192.0.0.0, which isn't a correct IP.
> > >
> > >Cheers,
> > >
> > >Lara
>
> I have also been looking for this, or a similar capability. While I
> think that polling the active directory is a good idea, we have quite
> a few wireless PDAs that are not in Active Directory nor should be.
>
> I would rather have / build a table of authorized MAC addresses that
> all DHCP servers could verify against before handing out an IP
> address.
>
> request for address
> server receives
> verify valid mac address
> if in table - yes, otherwise 0.0.0.0 and flag an admin staffer
>
> Granted, a dhcp scope reservation is exactly the solution, it defeats
> the purpose of dhcp with my mobile (l)users. I would rather have one
> table that all my servers point to with all authorized MACs so I
> don’t have to worry about what site, what subnet, etc.
>
> No valid MAC, No valid IP address
>
> Or if a script that watched the various scopes watching for change,
> verifying each new address against the above prebuilt table and
> revoking licenses as they come up.
>
> For what it’s worth...
>
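The lease-watching script MoscowHippy describes in the quoted post, combined with Lara's naming-convention scan, as an added example that is not part of the original thread. The CSV column names, the sample MACs and leases, and the function names are all assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample data (not from the thread): the shared table of
# authorized MACs, in the mixed notations admins tend to paste in.
AUTHORIZED_MACS = """\
00-11-22-33-44-55
00:11:22:33:44:66
0011.2233.4477
"""

# Constructed lease export; the column names are assumptions modelled on a
# CSV dump of a DHCP server's active leases across all scopes.
LEASES_CSV = """\
ScopeId,IPAddress,ClientId,HostName
10.1.0.0,10.1.0.21,00-11-22-33-44-55,R123-123
10.1.0.0,10.1.0.22,00-11-22-33-44-66,R123-124
10.2.0.0,10.2.0.40,00-11-22-33-44-77,pda-07
10.2.0.0,10.2.0.41,00-aa-bb-cc-dd-01,R200-001
10.2.0.0,10.2.0.42,00-aa-bb-cc-dd-02,netgear
"""

HOSTNAME_RULE = re.compile(r"^R\d+-\d+$")  # Lara's "R<room>-<n>" convention

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_allowlist(text):
    return {m for m in map(normalize_mac, text.splitlines()) if m}

def audit_leases(leases_csv, allowlist):
    """Return one finding per lease whose MAC is not in the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac = normalize_mac(row["ClientId"])
        if mac not in allowlist:  # unknown or unparseable client id
            findings.append({
                "scope": row["ScopeId"], "ip": row["IPAddress"],
                "mac": mac or row["ClientId"], "hostname": row["HostName"],
                "name_conforms": bool(HOSTNAME_RULE.match(row["HostName"])),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_leases(LEASES_CSV, load_allowlist(AUTHORIZED_MACS)):
        print(finding)
```

The MAC and the host name are both supplied by the client, so a finding with `name_conforms` set to true (an unknown MAC using a valid room name) is worth a closer look than the name alone suggests.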