Re: Re: DHCP Authorization in active directory.




Ryan,

You might also consider enabling 802.1x with EAP to authenticate the
computer account before an IP address is even assigned. This would require
computer certificates on all machines and a well-planned PKI.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Paul" <Paul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2CA49A1C-5D63-4301-83C0-EF3005E4AC21@xxxxxxxxxxxxxxxx
> Infrastructure products to assist:
>
> Cisco ACS
> Cisco WLSE (Wireless)
>
> ** A Cisco agent hooks into AD; then, when a client asks for an IP address,
> the Cisco device simply asks for the AD credentials. If they match they get
> an IP; if they don't, no access.
>
> VLANs are also a way of helping limit unauthorized users to a degree.
>
> "MoscowHippy" wrote:
>
>> "ping2" wrote:
>> > Hi Lara, thanks for the info. I had a feeling that your answer
>> > would be no.
>> >
>> > It would be real nice if DHCP did auth against AD; this would put an
>> > end to free internet access to rogue laptops. As I see it then there
>> > is no point in authorizing DHCP in Active Directory. I think MS's
>> > intent was to try to stop rogue DHCP servers from assigning bad IPs
>> > with this method.
>> >
>> > The problem with DHCP is that whatever DHCP server responds to a
>> > client's request first normally assigns the IP to the client. If you
>> > really want to hose an internal network, just hook up a low-cost
>> > Netgear router and hand out DHCP assignments on your subnet...
>> >
>> > I've got about 200 client PCs on the network. In the above test the
>> > Netgear typically beat the MS DHCP server in assigning IPs to the
>> > client. Needless to say they were the wrong IPs.
>> >
>> > Thanks for your insight.
>> >
>> > JJ
>> >
>> > On 10 Jan 2005 14:51:44 -0500, lforbes
>> > <UseLinkToEmail@xxxxxxxxxxxxxxxxx> wrote:
>> >
>> > >Hi,
>> > >
>> > > > Here is what I am trying to accomplish. Person hooks up their
>> > > > laptop to company network. Laptop broadcasts for a DHCP assignment;
>> > > > DHCP server responds. DHCP server checks Active Directory for a
>> > > > valid user... None exists. DHCP declines assigning the IP.
>> > >
>> > >I also posed this question a month back and the answer is no. DHCP
>> > >doesn't authenticate to AD and therefore anyone with a laptop can get
>> > >an IP. DHCP is not domain specific.
>> > >
>> > >The only way I have got around this somewhat is to install an ISA
>> > >server. The only reason my users plug their laptops in is to get
>> > >internet service. The ISA requires AD authentication, so therefore no
>> > >internet service.
>> > >
>> > >I also scan my DHCP on a daily basis. All my network names are easily
>> > >identified and start with the same letter R for Room #, e.g. R123-123.
>> > >
>> > >If I see an unidentified machine, I get the MAC address and then
>> > >assign it an IP like 192.0.0.0, which isn't a correct IP.
>> > >
>> > >Cheers,
>> > >
>> > >Lara
>>
>> I have also been looking for this, or a similar capability. While I
>> think that polling the Active Directory is a good idea, we have quite
>> a few wireless PDAs that are not in Active Directory nor should be.
>>
>> I would rather have / build a table of authorized MAC addresses that
>> all DHCP servers could verify against before handing out an IP
>> address.
>>
>> request for address
>> server receives
>> verify valid MAC address
>> if in table - yes, otherwise 0.0.0.0 and flag an admin staffer
>>
>> Granted, a DHCP scope reservation is exactly the solution, but it
>> defeats the purpose of DHCP with my mobile (l)users. I would rather
>> have one table that all my servers point to with all authorized MACs
>> so I don't have to worry about what site, what subnet, etc.
>>
>> No valid MAC, no valid IP address
>>
>> Or a script that watched the various scopes for changes, verifying
>> each new address against the above prebuilt table and revoking
>> licenses as they come up.
>>
>> For what it's worth...
>>
>> For what it's worth...
>>
>> --
>> Posted using the http://www.WindowsForumz.com/ interface, at author's
>> request
>> Articles individually checked for conformance to usenet standards
>> Topic URL:
>> http://www.WindowsForumz.com/Active-Directory-DHCP-Authorization-ftopict248227.html
>> Visit Topic URL to contact author (reg. req'd). Report abuse:
>> http://www.WindowsForumz.com/eform.php?p=762163
>>
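The lease audit that MoscowHippy and Lara describe (compare every lease's MAC against one authorized table, flag hostnames that fall outside the site naming convention, and watch the scopes for leases that were not there on the last pass) as an added worked example. This is not code from the thread or from Microsoft's DHCP server. It assumes the active leases have already been exported to a plain ip,mac,hostname CSV; the embedded lease listing and the authorized table are constructed for the example, and the export step itself (netsh, the DHCP MMC, or a later PowerShell cmdlet) is left to the reader. Note that this is detection after the fact: the client already holds an address by the time the script runs, which is exactly why 802.1x was suggested above.

```python
"""Audit DHCP leases against an authorized-MAC table and a hostname convention.

Added example, not code from the thread. Input is assumed to be an
ip,mac,hostname CSV exported from the DHCP server; the sample below is
constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: what an export of one scope's active leases might look like.
# MACs appear in the mixed formats different tools emit.
SAMPLE_LEASES = """\
ip,mac,hostname
10.1.5.21,00-0C-29-AB-12-34,R101-001
10.1.5.22,00:0c:29:ab:12:35,R101-002
10.1.5.40,000C29AB9999,LAPTOP-JSMITH
10.1.5.41,00-1B-2F-CD-EE-01,R203-010
10.1.5.42,00-1B-2F-CD-EE-02,
"""

# Constructed authorized table: the "one table that all servers point to".
# Entries are deliberately in mixed formats to show normalization matters.
AUTHORIZED_MACS = {
    "00-0C-29-AB-12-34",
    "00:0c:29:ab:12:35",
    "001B2FCDEE01",
    "00-1B-2F-CD-EE-02",  # a PDA that is not in AD but is still allowed
}


def normalize_mac(raw):
    """Canonicalize 00:0c:29:ab:12:34 / 00-0C-29-AB-12-34 / 000C29AB1234
    to 12 lowercase hex digits so table lookups do not depend on format."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


@dataclass
class Finding:
    ip: str
    mac: str       # normalized
    hostname: str
    action: str    # "deny" (unknown MAC) or "review" (known MAC, odd name)
    reason: str


def audit_leases(lease_csv, authorized, name_pattern=r"^R\d+-\d+$"):
    """Return a Finding for each lease whose MAC is not in the authorized
    table (deny) or whose hostname breaks the naming convention (review).
    The default pattern is Lara's Room-number scheme, e.g. R123-123."""
    allowed = {normalize_mac(m) for m in authorized}
    name_re = re.compile(name_pattern)
    findings = []
    for row in csv.DictReader(io.StringIO(lease_csv)):
        mac = normalize_mac(row["mac"])
        host = (row.get("hostname") or "").strip()
        if mac not in allowed:
            findings.append(Finding(row["ip"], mac, host, "deny",
                                    "MAC not in authorized table"))
        elif not name_re.match(host):
            findings.append(Finding(row["ip"], mac, host, "review",
                                    "hostname outside naming convention"))
    return findings


def new_since(previous, current_csv):
    """Leases present now but absent from the previous (ip, mac) snapshot:
    a cheap way to 'watch the scopes for change' between two daily exports."""
    seen = {(ip, normalize_mac(mac)) for ip, mac in previous}
    return [row for row in csv.DictReader(io.StringIO(current_csv))
            if (row["ip"], normalize_mac(row["mac"])) not in seen]


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES, AUTHORIZED_MACS):
        print(f"{f.action:6} {f.ip:12} {f.mac} {f.hostname or '<no name>':16} {f.reason}")
```

Run as-is it reports the LAPTOP-JSMITH lease as "deny" (its MAC is not in the table) and the nameless PDA lease as "review" (authorized MAC, no hostname), and leaves the R-named machines alone. Feeding yesterday's (ip, mac) pairs to new_since narrows the daily pass to leases that actually changed. A MAC table is an inventory control, not authentication: anyone who can see an authorized MAC on the wire can set their own adapter to it, which is the gap the 802.1x and ISA suggestions in the thread close.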

