Re: Restricting DHCP to specific users
- From: "Evan" <ewgy@xxxxxxxxxxx>
- Date: Mon, 3 Dec 2007 19:27:49 -0500
That's a good point (printers and devices).
I've been considering an 802.1X EAP certificate solution. I haven't seen much but theory on it.
I guess implementing it with devices that don't support certificates would depend on the switch's capability of being able to exempt a port that has a device that doesn't support certificates.
However, this wouldn't help if a rogue user plugged into the exempt port.
Perhaps the devices that don't support 802.1X could be placed in a DMZ that doesn't have access to the internal network, but the internal network would have access to the DMZ and those devices.
Yeah, that's the ticket.
"Roger" <Roger@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:80DB2FC3-6EED-423A-9931-E293BA1684F0@xxxxxxxxxxxxxxxx
I don't know much about that, but I'd say if machine certificates are used and only domain machines with the certs are allowed on the network then it sounds like a good setup. You just want to make sure you're not just allowing them on your network simply because they authenticate. You want them to be allowed only if they're on approved devices, which is what I assume the machine cert is for.
Like I said, I'm not that familiar with it, but I'd imagine some other type of security would still need to be in place for OSes/printers/devices/terminals that don't support those certs.
Good luck,
Roger
"Evan" wrote:
What if he were to use 802.1X authentication using an EAP-TLS machine certificate?
"Roger" <Roger@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8C62485A-D4C0-4D8A-9319-D4C9506F1047@xxxxxxxxxxxxxxxx
Hi Neil,
The problem with a setup such as this is that the end user can just statically assign an IP address and you'd be stuck with the same risk (and possibly some conflicting IPs). You're better off not letting them on the network at all using some of the methods I mentioned to Nite_Owl.
Port security is a good option, but the end user can spoof the MAC address of the machine they're unplugging if they know what they're up against. A combination of technologies is your best bet.
Good luck,
Roger
"Neil" wrote:
We often have users at branch offices bringing their laptops from home. As always, these systems pose a security risk.
How can I have my DHCP server NOT assign IP addresses to these untrusted users?
OR
Is there a way so that these users get a different IP address and I can move them to a different VLAN?
Thank you for your help.
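As an added example (not posted by anyone in this thread), here is what the approach the thread converges on looks like as a switch-side configuration in Cisco IOS syntax: 802.1X with EAP-TLS machine certificates on every access port, MAC Authentication Bypass (MAB) as the fallback for printers and other devices that cannot run a supplicant, a quarantine VLAN for anything that neither presents a valid certificate nor has a registered MAC, and a router ACL so the internal network can reach the DMZ VLAN but not the other way round. The RADIUS server address and secret, the VLAN numbers, the subnets and the interface names are all assumptions for the example.

```cisco
! Added example in Cisco IOS syntax; not from the thread.
! Assumed values: RADIUS server 10.0.0.10 with secret "RadiusSecret",
! VLAN 10 = internal (10.10.0.0/24), VLAN 20 = DMZ for non-802.1X devices
! (10.20.0.0/24), VLAN 99 = quarantine for untrusted laptops.

vlan 20
 name NON-DOT1X-DMZ
vlan 99
 name QUARANTINE

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RadiusSecret
dot1x system-auth-control

! Access port: try EAP-TLS first, fall back to MAB for known printer MACs.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 authentication port-control auto
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 ! No supplicant answered and the MAC is unknown to RADIUS: the home
 ! laptop lands in VLAN 99, where a static IP buys it nothing.
 authentication event no-response action authorize vlan 99
 ! Supplicant answered but the certificate was rejected: same treatment.
 authentication event fail action authorize vlan 99
 spanning-tree portfast
 spanning-tree bpduguard enable

! Inter-VLAN policy on the L3 switch or router: internal may initiate
! connections to the DMZ, the DMZ may only answer them.
ip access-list extended DMZ-IN
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 established
 deny   ip  10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip  any any
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group DMZ-IN in
```

For a MAB-authorized printer the RADIUS server, not the switch, selects VLAN 20 by returning the standard RFC 3580 attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 20) in its Access-Accept, so the per-port configuration is the same for every port and no port has to be hand-exempted. The caveat Roger raises still applies: MAB trusts only the MAC address, so someone who unplugs the printer and spoofs its MAC gets whatever the printer gets, which is exactly why the thread's answer is to put those devices in the DMZ VLAN rather than on the internal network. The quarantine VLAN also closes the gap in the original DHCP-only idea: a user who assigns a static address is still confined to VLAN 99.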