Networking Forums

How to block a client from DHCP?

 
 
Harvey
12-03-2004, 04:45 PM
We have a dhcp server (win 2000). It is running normally. Is there any way
to block a workstation from using our dhcp server if I know the workstation's
MAC address?

Thanks!

Harvey
 
Phillip Windell
12-03-2004, 05:02 PM
No. You would have to just give the machine a static address to begin with.

There are pre-authentication techniques out there for creating "quarantine
zones" for machines before they are allowed to get an address and be on the
network, but those things are complex and are still "early" in the
development cycle.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
Harvey
12-03-2004, 05:39 PM
Then, can I deny any non-domain-member computers from using our domain dhcp
server? This is because some people bring laptops from home and simply plug
into the workplace's network port. Those computers, very often, are not set
up correctly from security point of view, easy to be hacked and then hack
other systems. If I can block non-domain-member computers, then they have to
ask me to check and set up the system and it will be much safer.

Any suggestion? Thanks a lot!

Harvey

 
Phillip Windell
12-03-2004, 06:06 PM
"Harvey" <(E-Mail Removed)> wrote in message
news:47C6055D-E00B-4AF4-BCCB-(E-Mail Removed)...
> Then, can I deny any non-domain-member computers from using our domain dhcp
> server?


No. DHCP and Domains have no relationship to each other, at least in the
context you are asking. This is exactly why the "quarantine" methods I
mentioned are being developed.

But just because the Laptop gets an IP# doesn't mean they are "on the
Domain". They are only on the network in the Layer3 sense, but the Domain
still does not acknowledge them without a valid user account and machine
membership.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Harvey
12-03-2004, 06:19 PM
"Phillip Windell" wrote:

>
> But just because the Laptop gets an IP# doesn't mean they are "on the
> Domain". They are only on the network in the Layer3 sense, but the Domain
> still does not acknowledge them without a valid user account and machine
> membership.
>


Actually, they don't want to be in the domain. They just want to go to
Internet for browsing. Then, they get hacked and spread viruses/worms. It
seems, as I understand, that I have no control.

Sad, but still thank you for information!

 
Phillip Windell
12-03-2004, 07:13 PM

"Harvey" <(E-Mail Removed)> wrote in message
news:CCE2A77C-5BA7-4DEC-855F-(E-Mail Removed)...
> "Phillip Windell" wrote:
> Actually, they don't want to be in the domain. They just want to go to
> Internet for browsing. Then, they get hacked and spread viruses/worms. It
> seems, as I understand, that I have no control.


That depends. Proxies or firewalls that can authenticate via User accounts
(like ISA Server, MS Proxy Server) will allow or deny based on who the user
is and not by what machine they are at or what IP# they get.

In our system all the "human" users are forced to go out via ISA Server and
are authenticated based on User accounts. All Servers and Utility machines
go out using a NAT based Firewall which allows only a certain range of IP#
out to the Net (the lower numbers) and these numbers are assigned statically
or by reservations in DHCP.

So,...with all that, there is one possibility. You said you knew the
machine's MAC address already. So you just set up DHCP with a "reserved" IP
address for that MAC so that this particular machine will always get the
same IP#. You then configure your Firewall device to deny that one IP#
access to the Net.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Steven L Umbach
12-04-2004, 01:49 AM
802.1X authentication would work but requires a Certificate Authority, IAS
server, and compliant operating systems. The link below explains how this
can be done.

http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm

Another option is to use switches that can protect the network based on MAC
addresses. This is not as secure as 802.1X but will prevent the average user
from gaining access by filtering switch ports to allow only certain MAC
addresses. Even the lower end HP Procurve switches can do MAC filtering for
example and have a "learning" mode to greatly reduce the need to manually
configure MAC address tables. My HP2512 switch also can do port isolation
where you can configure ports on switches so that they can access a common port such as
an internet gateway but not each other.

--- Steve



 
Marc Reynolds [MSFT]
12-10-2004, 02:58 PM
Also in the DHCP reservation for this client give it a default gateway that
is the same as the IP address you assign it. This way the client will not be
able to go anywhere outside its own subnet unless static routes are added.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.


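The two reservation steps from the replies above (Phillip Windell's fixed address for a known MAC, and Marc Reynolds's gateway set to the client's own address), as an added example that is not from the thread. It assumes Windows Server 2012 or later with the DhcpServer PowerShell module rather than the Windows 2000 server discussed; the scope, address, MAC and reservation name are constructed values.

```powershell
# Added example, not from the thread. Assumes the DhcpServer module
# (Windows Server 2012 or later); scope, address and MAC are constructed values.
Import-Module DhcpServer

$ScopeId   = '192.168.10.0'        # constructed: scope the client sits in
$BlockedIp = '192.168.10.250'      # constructed: address pinned to the client
$RawMac    = '00:A0:C9:AA:BB:CC'   # constructed: MAC of the unwanted client

# Normalise any common MAC notation to the dashed form used as ClientId.
$hex = ($RawMac -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: $RawMac" }
$ClientId = $hex -replace '(..)(?!$)', '$1-'

# Stop if the MAC or the address is already reserved, rather than overwrite it.
$clash = Get-DhcpServerv4Reservation -ScopeId $ScopeId |
    Where-Object { $_.ClientId -eq $ClientId -or "$($_.IPAddress)" -eq $BlockedIp }
if ($clash) { throw "Existing reservation: $($clash.ClientId) -> $($clash.IPAddress)" }

# Step 1 (Phillip Windell): the client always receives the same address,
# so the firewall can carry one deny rule for $BlockedIp (device-specific, not shown).
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $BlockedIp `
    -ClientId $ClientId -Name 'blocked-client' `
    -Description 'Unmanaged machine: no Internet access'

# Step 2 (Marc Reynolds): option 3 (Router) on the reservation points at the
# client's own address, so it has no router to reach other subnets through.
Set-DhcpServerv4OptionValue -ReservedIP $BlockedIp -Router $BlockedIp

# Read both settings back and fail loudly if either did not take effect.
$res    = Get-DhcpServerv4Reservation -IPAddress $BlockedIp
$router = (Get-DhcpServerv4OptionValue -ReservedIP $BlockedIp -OptionId 3).Value
if ($res.ClientId -ne $ClientId -or $router -ne $BlockedIp) {
    throw "Reservation for $BlockedIp is not configured as intended"
}
"{0} ({1}) gateway={2}" -f $res.IPAddress, $res.ClientId, ($router -join ',')
```

Hosts on the same subnet remain reachable from the reserved address, so these settings limit Internet access, not local traffic.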
 
 
 