Re: How to block a client from DHCP?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/04/04


Date: Fri, 3 Dec 2004 20:49:14 -0600

802.1X authentication would work but requires a Certificate Authority, IAS
server, and compliant operating systems. The link below explains how this
can be done.

http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm

Another option is to use switches that can protect the network based on MAC
addresses. This is not as secure as 802.1X but will prevent the average user
from gaining access by filtering switch ports to allow only certain MAC
addresses. Even the lower end HP ProCurve switches can do MAC filtering, for
example, and have a "learning" mode to greatly reduce the need to manually
configure MAC address tables. My HP2512 switch also can do port isolation,
where you can configure ports on switches so that they can access a common
port such as an internet gateway but not each other.

--- Steve

"Harvey" <Harvey@discussions.microsoft.com> wrote in message
news:47C6055D-E00B-4AF4-BCCB-8ED9239FB32C@microsoft.com...
> Then, can I deny any non-domain-member computers from using our domain
> dhcp server? This is because some people bring laptop from home and simply
> plug into the work place's network port. Those computers, very often, are
> not set up correctly from security point of view, easy to be hacked and
> then hack other systems. If I can block non-domain-member computers, then
> they have to ask me to check and set up the system and it will be much
> safer.
>
> Any suggestion? Thanks a lot!
>
> Harvey
>
> "Phillip Windell" wrote:
>
>> No. You would have to just give the machine a static address to begin
>> with.
>>
>> There are pre-authentication techniques out there for creating
>> "quarantine zones" for machines before they are allowed to get an address
>> and be on the network, but those things are complex and are still "early"
>> in the development cycle.
>>
>> --
>>
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>> "Harvey" <Harvey@discussions.microsoft.com> wrote in message
>> news:B4D1407E-8069-4362-89F7-AF6B447C0B15@microsoft.com...
>> > We have a dhcp server (win 2000). It is running normally. Is there any
>> > way to block a workstation from using our dhcp server if I know the
>> > workstation's MAC address?
>> >
>> > Thanks!
>> >
>> > Harvey
>>
>>
>>
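
The per-port MAC filtering with a "learning" mode and the port isolation described in the reply above, as an added example that is not part of the original thread and not HP's implementation. It is a simplified model of the forwarding decision; the class names, the one-address limit, the port names and the MAC addresses are constructed assumptions.

```python
# Added illustration: a simplified model, not HP ProCurve firmware behaviour.
from dataclasses import dataclass, field

# Constructed sample addresses (not from the thread).
PC_A = "00:11:22:33:44:55"      # office PC normally on port 1
PC_B = "00:11:22:33:44:66"      # office PC normally on port 2
LAPTOP = "02:00:00:00:00:99"    # unknown laptop brought from home


@dataclass
class Port:
    name: str
    limit: int = 1               # assumed: one learned MAC per access port
    uplink: bool = False         # common port, e.g. the internet gateway
    learned: set = field(default_factory=set)
    violations: list = field(default_factory=list)


class Switch:
    def __init__(self, ports, isolate=True):
        self.ports = {p.name: p for p in ports}
        self.isolate = isolate

    def admit(self, port_name, src_mac):
        """Ingress check: learn source MACs up to the limit, then filter."""
        port, mac = self.ports[port_name], src_mac.lower()
        if port.uplink or mac in port.learned:
            return True
        if len(port.learned) < port.limit:
            port.learned.add(mac)        # "learning" mode fills the table
            return True
        port.violations.append(mac)      # unknown MAC on a full port
        return False

    def forward(self, in_port, out_port, src_mac):
        """Return True if a frame may pass from in_port to out_port."""
        if in_port == out_port or not self.admit(in_port, src_mac):
            return False
        if not self.isolate:
            return True
        # Port isolation: access ports reach the uplink but not each other.
        return self.ports[in_port].uplink or self.ports[out_port].uplink


if __name__ == "__main__":
    sw = Switch([Port("1"), Port("2"), Port("gw", uplink=True)])
    print(sw.forward("1", "gw", PC_A))    # first MAC seen on port 1 is learned
    print(sw.forward("1", "gw", LAPTOP))  # second MAC on port 1 is filtered
    print(sw.forward("2", "1", PC_B))     # access port to access port
    print(sw.ports["1"].violations)       # what an admin would review
```

The violations list stands in for the intrusion log an administrator would check to find which port an unapproved machine was plugged into.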


