Use DHCP Class to deny Internet access to unauthorized machines

Learn how to set up a DHCP Class that can be used to keep unauthorized machines from getting a DHCP address on a corporate network.

Problem


Two Technical Q&A postings were looking for ways to prevent unauthorized systems from connecting to the corporate network and accessing the Internet. Since the solution that both of them were searching for is so similar, we decided to group the questions and solutions together.

TechRepublic member slk1@rcn.com asked, "How do I prevent unauthorized personnel from accessing the Internet with their Macs on my Windows network?"

Meanwhile, in a separate question, TechRepublic member adembo posted, "I am looking for a way to have visitors that come in with their own laptops and plug into an available port to be denied a DHCP address until I can verify the laptop has proper security set and antivirus software running. What are some of the ways this can be done? I had thought about a certificate server, but didn't know if that would work. The users do not have to log on to our network, so I don't see how Group Policy could help. Any ideas?"

Solution


The best solution was provided by member zrabi: "If you use Windows 2000 [or Windows Server 2003] as your DHCP server, you can assign your Windows machines a DHCP Class. In DHCP, you specify a gateway (router) address to that class. Machines with no DHCP Class or another class will not get the router address ... and hence no Internet access. And now for the links:

From Microsoft Knowledge Base article Q240247, here's how to set up a DHCP class:

Create a New User or Vendor Option Class

  1. Start DHCP Manager.
  2. In the console tree, click the applicable DHCP server branch.
  3. Right-click the server, and then click Define User Classes to create a new user class, or click Define Vendor Classes to create a new vendor class. 
  4. Click Add.
  5. In the New Class dialog box, type a descriptive identifying name for the new option in the Display name box. You may also add additional information to the Description box.
  6. Under ID or ASCII, type the data that the DHCP Server service will use to match the class ID presented by DHCP clients. To enter the data as hexadecimal byte values, click the left side of the text box. To enter it as American Standard Code for Information Interchange (ASCII) text characters, click the right side of the text box.
  7. Click OK, and then click Close.

Configure a DHCP Scope with the New Class ID

  1. In DHCP Manager, double-click the appropriate DHCP scope.
  2. Right-click Scope Options and then click Configure Options.
  3. Click Advanced.
  4. Click to select the check box or boxes next to the features you want to use with the new vendor or user class.
  5. Click OK.

Set the Specified DHCP Class ID String for Client Computers

Client computers that connect to a Windows 2000-based DHCP server can use the following command to set the specified DHCP class ID string:

ipconfig /setclassid adapter_name class_id

For example, to configure an adapter called "Local Area Connection" with a user class ID called "myuserclass", type ipconfig /setclassid "Local Area Connection" myuserclass at a command prompt, and then press ENTER.
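The same three steps (define the user class, withhold the router option at scope level, publish it only to the class) on a current Windows Server DHCP role, as an added example using the DhcpServer PowerShell module; this is not part of the original article or of KB article Q240247, and the scope, class name, class ID string and router address are assumed values.

```powershell
# Added example, not from the article or Microsoft KB Q240247.
# Assumed values: scope 192.168.10.0, user class "CorpManaged" matched on the
# ID string "corpmanaged", default gateway 192.168.10.1.
Import-Module DhcpServer

$ScopeId   = '192.168.10.0'
$ClassName = 'CorpManaged'
$ClassId   = 'corpmanaged'   # the string clients set with: ipconfig /setclassid <adapter> corpmanaged
$Router    = '192.168.10.1'

# 1. Define the user class (GUI: right-click server > Define User Classes > Add).
if (-not (Get-DhcpServerv4Class -Name $ClassName -Type User -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassId `
        -Description 'Managed corporate machines; the only clients that receive a default gateway'
}

# 2. Remove any scope-level router option (option 3), so a client that presents
#    no class, or an unknown one, still gets an address but no route to the Internet.
Remove-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3 -ErrorAction SilentlyContinue

# 3. Hand out the router only to members of the class
#    (GUI: Scope Options > Configure Options > Advanced, pick the user class).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName -Router $Router

# 4. Check the result: option 3 must appear at class level and be absent at scope level.
Write-Host "Options for user class '$ClassName':"
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName
Write-Host "Scope-level options (no OptionId 3 expected):"
Get-DhcpServerv4OptionValue -ScopeId $ScopeId

# Caveat for the reader: the class ID travels in the clear in DHCP option 77 and is
# chosen by the client, so this keeps unconfigured machines off the default route
# but does not authenticate anything. Where untrusted hosts are the concern, combine
# it with the separate guest network suggested later in the article.
```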

Alternate solutions


Besides setting up a DHCP Class, there are some other ways to restrict unauthorized machines from accessing the Internet.

Member markusfrei@gmx.net suggested, "You could install a proxy server and set up your PCs to only be allowed access to the Internet via that proxy server. Within the proxy server you could then set the users who are allowed Internet access."

Member rfurze also provided a suggestion for allowing Internet access to guests, while keeping the corporate network safe: "The visitors could plug into specific connections in a conference room or guest area and those connections could go back to a separate DMZ zone that isn't on your regular network. If they don't need to login to your network and only need Internet access there is much less risk and work involved if they are on their own separate network on a DMZ. I would also recommend having an appropriate policy and procedure that they are educated in, and sign off on, before they plug in."


Note

The text of discussion posts from TechRepublic members has been slightly edited for spelling, punctuation, and clarity.
