Restrict DHCP

Hi!

I want to restrict users from plugging on their laptops into network points
and get an IP from DHCP and access internet. I checked a couple of sites but
they r mentioning VLAN or 802.1x authentication - which I believe needs some
investment to implement.

Ofcourse I did not patch all the network outlets to the network, but people
at times plug in their laptops to a couple of 4 port switches in the office
at some places and are getting hooked.

Is there an easier way to restrict users ? Like some file with all the
allowed MAC address - so that when ever a alien laptop is plugged, the DHCP
server checks the file - if MAC address is in list issues IP otherwise
denies.

Thanks in advance
Regards
Harry

"Harry" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi!
>
> I want to restrict users from plugging on their laptops into network
points
> and get an IP from DHCP and access internet. I checked a couple of sites
but
> they r mentioning VLAN or 802.1x authentication - which I believe needs
some
> investment to implement.
>
> Ofcourse I did not patch all the network outlets to the network, but
people
> at times plug in their laptops to a couple of 4 port switches in the
office
> at some places and are getting hooked.
>
> Is there an easier way to restrict users ? Like some file with all the
> allowed MAC address - so that when ever a alien laptop is plugged, the
DHCP
> server checks the file - if MAC address is in list issues IP otherwise
> denies.
>
> Thanks in advance
> Regards
> Harry
>

Some routers let you set up rules that permit/deny specific MAC
addresses access to the Internet.

Thank you,
But Can I make the DHCP " not to issue" at IP in the first place? So that
whoever plugs in an alien PC will not get an IP and cannot infect the
network with a virus he may have.
Many Thanks
Harry

"Pegasus (MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Harry" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Hi!
>>
>> I want to restrict users from plugging on their laptops into network
> points
>> and get an IP from DHCP and access internet. I checked a couple of sites
> but
>> they r mentioning VLAN or 802.1x authentication - which I believe needs
> some
>> investment to implement.
>>
>> Ofcourse I did not patch all the network outlets to the network, but
> people
>> at times plug in their laptops to a couple of 4 port switches in the
> office
>> at some places and are getting hooked.
>>
>> Is there an easier way to restrict users ? Like some file with all the
>> allowed MAC address - so that when ever a alien laptop is plugged, the
> DHCP
>> server checks the file - if MAC address is in list issues IP otherwise
>> denies.
>>
>> Thanks in advance
>> Regards
>> Harry
>>
>
> Some routers let you set up rules that permit/deny specific MAC
> addresses access to the Internet.
>
>

Or you could just use ISA.

"Harry" <(E-Mail Removed)> wrote in message
news:u%(E-Mail Removed)...
> Thank you,
> But Can I make the DHCP " not to issue" at IP in the first place? So that
> whoever plugs in an alien PC will not get an IP and cannot infect the
> network with a virus he may have.
> Many Thanks
> Harry
>
> "Pegasus (MVP)" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> "Harry" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> Hi!
>>>
>>> I want to restrict users from plugging on their laptops into network
>> points
>>> and get an IP from DHCP and access internet. I checked a couple of sites
>> but
>>> they r mentioning VLAN or 802.1x authentication - which I believe needs
>> some
>>> investment to implement.
>>>
>>> Ofcourse I did not patch all the network outlets to the network, but
>> people
>>> at times plug in their laptops to a couple of 4 port switches in the
>> office
>>> at some places and are getting hooked.
>>>
>>> Is there an easier way to restrict users ? Like some file with all the
>>> allowed MAC address - so that when ever a alien laptop is plugged, the
>> DHCP
>>> server checks the file - if MAC address is in list issues IP otherwise
>>> denies.
>>>
>>> Thanks in advance
>>> Regards
>>> Harry
>>>
>>
>> Some routers let you set up rules that permit/deny specific MAC
>> addresses access to the Internet.
>>
>>
>
>

"Harry" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi!
>
> I want to restrict users from plugging on their laptops into network
> points and get an IP from DHCP and access internet. I checked a couple of
> sites but they r mentioning VLAN or 802.1x authentication - which I
> believe needs some investment to implement.
>
> Ofcourse I did not patch all the network outlets to the network, but
> people at times plug in their laptops to a couple of 4 port switches in
> the office at some places and are getting hooked.
>
> Is there an easier way to restrict users ? Like some file with all the
> allowed MAC address - so that when ever a alien laptop is plugged, the
> DHCP server checks the file - if MAC address is in list issues IP
> otherwise denies.
>
> Thanks in advance
> Regards
> Harry

I've act this way.
Suppose the following situation:

Net Addr 192.168.1
Router 192.168.1.254
DC 192.168.1.10
10 Clients 192.168.1.11, 12, ... 20

Define:
DHCP Pool 192.168.1.1 192.168.1.254
DHCP Excl 192.168.1.1 192.168.1.10
192.168.1.21 192.168.1.254
DHCP Reserv 192.168.1.11 MAC Addr
192.168.1.12 ""
.......... ""
192.168.1.20 ""

At this point, in Event Viewer/System you'll se a DHCPServer Warning:
"Scope 192.168.1.0 is 100 per cent full with only 0 IP addresses remaining."

It seems to be working ok with me, but I'm very new to WinServer 2003;
possible some "side effects" not yet detected.

Bruno

Microsoft's DHCP server does not include this capability without some form
of help, as you've already discovered.

--
Richard G. Harper [MVP Shell/User] (E-Mail Removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Harry" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi!
>
> I want to restrict users from plugging on their laptops into network
> points and get an IP from DHCP and access internet. I checked a couple of
> sites but they r mentioning VLAN or 802.1x authentication - which I
> believe needs some investment to implement.
>
> Ofcourse I did not patch all the network outlets to the network, but
> people at times plug in their laptops to a couple of 4 port switches in
> the office at some places and are getting hooked.
>
> Is there an easier way to restrict users ? Like some file with all the
> allowed MAC address - so that when ever a alien laptop is plugged, the
> DHCP server checks the file - if MAC address is in list issues IP
> otherwise denies.
>
> Thanks in advance
> Regards
> Harry
>
>

"Harry" <(E-Mail Removed)> wrote in message
news:u%(E-Mail Removed)...
> Thank you,
> But Can I make the DHCP " not to issue" at IP in the first place?

No.

There is technology concerning this, but it is in an infancy stage,..very
$$$,..very complex,...and not fully standardized,...and in my opinion, not
very dependable.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.

Your subject "Restrict.....DHCP" is pretty much an oxymoron. DHCP is a
convienience tool, not a security tool,...if security is allowed to become
based on the client's IP#, then DHCP can no longer be used. So if DHCP is
used then IP#s can never be allowed to be the focus of the security. One
guy suggested ISA Server, that is a good choice because it lets the security
focus be on a variety of other objects instead of the IP#s.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Harry wrote:
> Hi!
>
> I want to restrict users from plugging on their laptops into network points
> and get an IP from DHCP and access internet. I checked a couple of sites but
> they r mentioning VLAN or 802.1x authentication - which I believe needs some
> investment to implement.
>
> Ofcourse I did not patch all the network outlets to the network, but people
> at times plug in their laptops to a couple of 4 port switches in the office
> at some places and are getting hooked.
>
> Is there an easier way to restrict users ? Like some file with all the
> allowed MAC address - so that when ever a alien laptop is plugged, the DHCP
> server checks the file - if MAC address is in list issues IP otherwise
> denies.
>
> Thanks in advance
> Regards
> Harry

Cisco Catalyst switches have a function called Port Security that
allows only pre-configured MAC addresses to access that port...

Thanks,
Dilan

How many IP Addresses? Why not use "Manual DHCP" a term I made up as a joke
at one time. Create your IP scope and options, then create DHCP reservations
for the devices you want to get addresses and only open the assignable range
for these addresses. This way there will be no available addresses for the
alien laptops and you can still benefit by a centrally managed IP scheme and
scope options. Downside is if you have a lot of devices, this is just not
practical.

"Harry" wrote:

> Hi!
>
> I want to restrict users from plugging on their laptops into network points
> and get an IP from DHCP and access internet. I checked a couple of sites but
> they r mentioning VLAN or 802.1x authentication - which I believe needs some
> investment to implement.
>
> Ofcourse I did not patch all the network outlets to the network, but people
> at times plug in their laptops to a couple of 4 port switches in the office
> at some places and are getting hooked.
>
> Is there an easier way to restrict users ? Like some file with all the
> allowed MAC address - so that when ever a alien laptop is plugged, the DHCP
> server checks the file - if MAC address is in list issues IP otherwise
> denies.
>
> Thanks in advance
> Regards
> Harry
>
>
>