Adembo asked the following:

"I am looking for a way to have visitors that come in with their own laptops and plug into an available port to be denied a DHCP address until I can verify the laptop has proper security set and antivirus software running. What are some of the ways this can be done? I had thought about a certificate server, but didn't know if that would work. The users do not have to log on to our network, so I don't see how Group Policy could help. Any ideas?"

Answer: Cisco and Non-Routed VLANs. Cisco has a product called Network Admission Control (NAC) that allows you to drop users into a non-routed VLAN until their MS patch levels and anti-virus definition levels are verified to meet those of your organizational policy.

Using NAC, organizations can provide network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant with established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them restricted access to computing resources.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd800fdd66.shtml

Very nice technology.
NAC is more a philosophy than a product. MS also has a NAC product in the works, as do many other vendors.

Cisco's main NAC appliance, Cisco Clean Access, requires a hell of a lot of extra equipment to implement, including switches and at least two dedicated servers. When all you need is a way of preventing access to the internet from guest computers, this is a bit of overkill.

However, if your requirement is to ensure that any computer connecting to your network is compliant with your network security and patch policy, this is one of a number of options.
I tried to add a user class as well as a vendor class. I used the DHCP user class "training dept", description "deny access", and set the binary ID to 0 0 (but the ID 0000 is still there by default). Then, under the advanced options, I set "training" as the user class, clicked on router and set another IP address for the gateway.

On the client side I set the DHCP class ID, then restarted the PC. But when I look at ipconfig it shows only the old gateway, and I am getting internet too.

Please help me.

madhukar
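The mechanism behind the user-class approach in the post above, as an added example (not code from the thread or from Microsoft): a client that has been given a class ID (on Windows, ipconfig /setclassid "Ethernet" training) sends it in DHCP option 77 (User Class); vendor identification travels in option 60. The server compares those bytes with the classes it has defined and, on a match, substitutes class-specific option values such as the router (option 3). The class name, gateway addresses and captured option bytes below are all constructed for illustration.

```python
"""How DHCP class-based options are matched (added example, not from the thread).

A client that has been given a class ID sends it in DHCP option 77 (User Class);
vendor identification travels in option 60. The server compares the bytes with
the classes it knows and substitutes class-specific option values, here the
router (option 3). All class names, addresses and option bytes below are
constructed for illustration.
"""
from typing import Dict, List

OPT_ROUTER = 3          # RFC 2132
OPT_VENDOR_CLASS = 60   # RFC 2132
OPT_USER_CLASS = 77     # RFC 3004
OPT_END = 255

# Constructed server policy: the scope's normal gateway and a per-class override.
POOL_ROUTER = bytes([192, 168, 1, 1])
CLASS_ROUTERS = {b"training": bytes([192, 168, 1, 254])}


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCPv4 message (the part after the magic cookie)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


def rfc3004_classes(raw: bytes) -> List[bytes]:
    """Split option 77 in its RFC 3004 form: a list of length-prefixed class names."""
    classes: List[bytes] = []
    i = 0
    while i < len(raw):
        n = raw[i]
        classes.append(raw[i + 1:i + 1 + n])
        i += 1 + n
    return classes


def select_router(opts: Dict[int, bytes]) -> bytes:
    """Return the router the server should offer for this client's classes.

    Windows clients send option 77 as the bare class string, which is what the
    Windows DHCP server matches; RFC 3004 clients length-prefix each name. Both
    forms are tried, and the comparison is an exact, case-sensitive byte match:
    "Training" does not match the class "training".
    """
    raw = opts.get(OPT_USER_CLASS)
    if raw is not None:
        if raw in CLASS_ROUTERS:
            return CLASS_ROUTERS[raw]
        for name in rfc3004_classes(raw):
            if name in CLASS_ROUTERS:
                return CLASS_ROUTERS[name]
    return POOL_ROUTER


def encode_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def router_for(request_options: bytes) -> str:
    """The router a server with the policy above would put in option 3 of its offer."""
    return dotted(select_router(parse_options(request_options)))


def offer_options(request_options: bytes) -> bytes:
    """The option area of the matching offer, containing only option 3 for brevity."""
    router = select_router(parse_options(request_options))
    return encode_option(OPT_ROUTER, router) + bytes([OPT_END])


# Constructed request option areas.
WINDOWS_TRAINING = encode_option(OPT_USER_CLASS, b"training") + bytes([OPT_END])
RFC_TRAINING = encode_option(OPT_USER_CLASS, bytes([8]) + b"training") + bytes([OPT_END])
TYPO_CLASS = encode_option(OPT_USER_CLASS, b"Training") + bytes([OPT_END])
NO_CLASS = encode_option(OPT_VENDOR_CLASS, b"MSFT 5.0") + bytes([OPT_END])

if __name__ == "__main__":
    for label, req in [("windows", WINDOWS_TRAINING), ("rfc3004", RFC_TRAINING),
                       ("typo", TYPO_CLASS), ("no class", NO_CLASS)]:
        print(f"{label:9s} -> router {router_for(req)}")
```

The last two constructed cases are the ones to look at when a class-based gateway appears to be ignored: the class has to be present in the client's next DISCOVER/REQUEST, and it has to match the server-side class string byte for byte. From a security standpoint, option 77 is entirely client-supplied and unauthenticated, so a class that maps to a "deny" gateway is something the guest opts into; it cannot keep anyone off the network.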
This solution works for the second question of how to prevent an unauthorized user from receiving a DHCP address but it does not solve the first question: "How do I prevent unauthorized personnel from accessing the Internet with their Macs on my Windows network?"

Just because you're not handed an address from a server doesn't mean you can't configure a static one from the available pool. A savvy user can quickly obtain subnet/gateway information from an existing nearby PC (or by packet sniffing) and ping a few random addresses to find one that isn't currently in use. S/he can then configure the unauthorized machine with a valid address and merrily surf away. Of course this only works as long as the stolen address isn't subsequently handed out by the DHCP server, but a lot can happen in just a few minutes on a network.

I think a better route would be a proxy server specifically for outbound traffic.
Reservations!
TjD 19th Jan 2005
I use DHCP reservations for machines for which I want to restrict internet access. I put them all in a specific range of addresses, then create a rule on my firewall to prevent all outgoing packets from that range. I have actually moved to two such groups, one with no access, one with access during a specific time frame.
If I ever need to connect one of those machines I don't have to monkey with settings, I just turn the firewall rule off, then turn it back on when I'm done. Not necessarily elegant or technically sophisticated, but simple and effective.
Best part is it will work cross-platform with any DHCP server that allows MAC-based reservations and any business-level configurable firewall.
cheers,
TjD
You can also add a key to the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DefaultTTL"=dword:0000000a

That value is actually hops. You can make that value 4 and your clients can go all over your network, as long as the destination is only 4 hops away. That won't get you to an external website though. You will see that setting included when you PING. The interesting thing is that TRACERT will work because it does its own TTL, increasing by 1 until it reaches the destination. So you could TRACERT a site but still couldn't PING it.
I had a similar problem but it was with a customer who had a user who was abusing the internet. The customer did not want to go to the expense of a proxy server.

I set up a login script for that user that added a "fake" proxy server to their registry.

This could be done in Active Directory as a policy for that user as well, but the login script was quicker.

Most company users won't know how to solve this one so it tends to work OK.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="Server23:8080"
"ProxyOverride"=""
"DisablePasswordCaching"=dword:00000001
Doesn't work, since the guest has administrative privileges on his laptop: he can get the IP but not the gateway, so he can try some of the subnet's IPs to use as a default gateway, and that's it, he can gain access.
I have been using that to effectively address Adembo's issues.
Until the MAC address of each piece of hardware is on the allow list, it will not be allocated an IP address.

Reference link
http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm

It applies to both 2003 and 2008 Server.

Hope that helps; I have been using that for 3 years already.
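The check that follows from two of the comments above, the one pointing out that a savvy guest will simply configure a static address from the pool and this one about MAC allow-listing, as an added example (not code from the thread or from the linked article): withholding a lease or filtering MACs only governs who the DHCP server talks to; a host with a static address, or a spoofed MAC, still puts frames on the wire. The script reconciles what is actually present on the segment (arp -a output) against the DHCP lease table and the MAC allow list. The ARP output, lease table, allow list and gateway address below are constructed for illustration.

```python
"""Reconcile the live neighbour table with DHCP leases and the MAC allow list.

Added example, not from the thread. Withholding a lease or filtering MACs only
controls who the DHCP server talks to; a host with a static address, or a
spoofed MAC, still sends frames. This cross-checks what is actually on the
segment (arp -a output) against the lease table and the allow list. Every
table below is constructed for illustration.
"""
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed `arp -a` output captured on a Windows host in the segment.
ARP_A_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.50          00-1a-2b-3c-4d-50     dynamic
  192.168.1.77          08-00-27-aa-bb-cc     dynamic
  192.168.1.80          00-1a-2b-3c-4d-80     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed lease table (IP, MAC), the kind of data the DHCP server exports.
LEASES = [
    ("192.168.1.50", "00:1a:2b:3c:4d:50"),
    ("192.168.1.80", "00:1a:2b:3c:4d:81"),
]
# Constructed MAC allow list (what the callout DLL's filter holds).
ALLOWED_MACS = {"00:1a:2b:3c:4d:50", "00:1a:2b:3c:4d:81"}
# Constructed infrastructure addresses that never hold a lease.
INFRA_IPS = frozenset({"192.168.1.1"})

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def norm_mac(mac: str) -> str:
    """Windows prints 00-1a-..., most other tools 00:1a:...; compare one form."""
    return mac.lower().replace("-", ":")


def parse_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for dynamic unicast entries in `arp -a` output."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, entry_type = m.groups()
        mac = norm_mac(mac)
        if entry_type.lower() != "dynamic":
            continue                       # broadcast/multicast are static entries
        if int(mac[:2], 16) & 1:
            continue                       # group bit set: not a host
        seen[ip] = mac
    return seen


def reconcile(seen: Dict[str, str], leases: Iterable[Tuple[str, str]],
              allowed: Iterable[str], ignore: FrozenSet[str] = frozenset()
              ) -> Dict[str, List[Tuple[str, str]]]:
    """Flag hosts the DHCP-based controls never saw or would have refused."""
    lease_by_ip = {ip: norm_mac(mac) for ip, mac in leases}
    allowed_set = {norm_mac(m) for m in allowed}
    findings: Dict[str, List[Tuple[str, str]]] = {
        "no_lease": [],      # active IP with no lease: a statically configured host
        "mac_mismatch": [],  # IP is leased, but a different MAC is using it
        "not_allowed": [],   # MAC is on the wire but not on the allow list
    }
    for ip, mac in sorted(seen.items()):
        if ip in ignore:
            continue
        leased_mac = lease_by_ip.get(ip)
        if leased_mac is None:
            findings["no_lease"].append((ip, mac))
        elif leased_mac != mac:
            findings["mac_mismatch"].append((ip, mac))
        if mac not in allowed_set:
            findings["not_allowed"].append((ip, mac))
    return findings


def run() -> Dict[str, List[Tuple[str, str]]]:
    return reconcile(parse_arp(ARP_A_OUTPUT), LEASES, ALLOWED_MACS, INFRA_IPS)


if __name__ == "__main__":
    for kind, hosts in run().items():
        for ip, mac in hosts:
            print(f"{kind:13s} {ip:16s} {mac}")
```

Feed it real data from arp -a on a host in the segment (or, better, the gateway's neighbour table or the switch's MAC address table, which see every host rather than only the ones the observer has talked to) together with the lease and filter exports from the DHCP server. A guest who configures a static address from the pool shows up under no_lease even if the address was sniffed from a neighbour; an allow-listed MAC that has been spoofed onto a stolen address shows up as mac_mismatch. Nothing here blocks traffic; enforcement is still the firewall rule or the quarantine VLAN described in the earlier answers, and this is only the check that tells you the DHCP-side control has been walked around.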