  • #2277613

    Prohibit DHCP to visitors in the office

    by adembo ·

    I am looking for a way to have visitors that come in with their own laptops and plug into an available port be denied a DHCP address until I can verify the laptop has proper security set and antivirus software running. What are some of the ways this can be done? I had thought about a certificate server, but didn't know if that would work. They do not have to log on to our network, so I don't see how group policy could help.

    Any ideas?

All Comments

    • #2708613

      Reply To: Prohibit DHCP to visitors in the office

      by brian ·

      In reply to Prohibit DHCP to visitors in the office

      Make your Domain controller the DNS server and the DHCP server.

    • #2712655

      by adembo ·

      I don't understand how that makes a difference. All servers are domain controllers and all are DNS servers. If you plug a Windows XP laptop into an available network port, it goes out and asks for a DHCP server using UDP. So I don't see what difference making the DNS and DHCP on the same server does.

    • #2712653

      by edlockett ·

      I think you could use user class options to distinguish between approved and non-approved PCs. Read the help, and do a search to see how this could be accomplished.

    • #2721171

      by brian_e ·

      DHCP does not provide any authentication mechanisms. However, DHCP is based on the old BOOTP protocol that was used to provide IP configuration to known computers.

      The specific steps will vary from vendor to vendor of DHCP servers. Generally, you would have to know the MAC address of all authorized computers. Be aware, this information can be easily spoofed.

      You may want to control network access at the switch using similar MAC filtering.

      Take a look into 802.1X and EAP. This allows you to authenticate users prior to being granted network access (and being assigned an IP). This requires a switch that supports 802.1X. Windows integrates this 802.1X authentication with the Windows logon (i.e. CTL+ALT+DEL). You will need a RADIUS server for the switch to authenticate users against (this can integrate with AD, SecurID or others depending on the RADIUS server being used).
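
Added example, not part of any poster's reply: a Python sketch of the DHCP-side filtering suggested in the replies above, checking the client hardware address (chaddr) and the user class option (option 77) of a DHCPDISCOVER. The allow-list, the class string `CorpApproved` and the `build_discover` helper are assumptions made for illustration, and option 77 is compared as an opaque byte string.

```python
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
DISCOVER = b"\x01"

def parse_dhcp(pkt: bytes) -> dict:
    """Extract the client hardware address and the options from a DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"mac": pkt[28:28 + hlen].hex(":"), "options": opts}

def lease_decision(pkt: bytes, approved_macs: set, approved_class: bytes) -> str:
    """Decide whether a DISCOVER would be offered a lease under the filter."""
    msg = parse_dhcp(pkt)
    if msg["options"].get(OPT_MSG_TYPE) != DISCOVER:
        return "ignore"
    if msg["mac"] not in approved_macs:
        return "deny: unknown MAC"
    if msg["options"].get(OPT_USER_CLASS) != approved_class:
        return "deny: user class"
    return "offer"

def build_discover(mac: str, user_class: bytes = b"") -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER (hypothetical helper)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = bytes([1, 1, 6, 0]) + bytes(24) + chaddr + bytes(192)
    options = bytes([OPT_MSG_TYPE, 1, 1])
    if user_class:
        options += bytes([OPT_USER_CLASS, len(user_class)]) + user_class
    return header + MAGIC + options + bytes([OPT_END])

if __name__ == "__main__":
    approved = {"00:11:22:33:44:55"}   # constructed allow-list
    for mac, cls in [("00:11:22:33:44:55", b"CorpApproved"), ("02:00:00:aa:bb:cc", b"")]:
        print(mac, lease_decision(build_discover(mac, cls), approved, b"CorpApproved"))
```

Both fields are supplied by the client, so this is a filter rather than authentication, which is why the reply above points to 802.1X at the switch.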

    • #2721085

      by drsysadmin ·

      Ok.. Here is the thing – go to the DHCP users group and remove the EVERYONE group.
      What you have is EVERYONE – authenticated to your network or not, is listed as a valid DHCP user. Take that out – and you should get what you requested.
      Luck.
      Dr. Sys

    • #2720527

      by trien ·

      If you have a layer 3 switch, you can have the router go by MAC addresses and then add them as necessary.

    • #2723212

      by rfurze ·

      Hmmm... A couple of questions – How will you handle visitors that don’t have A/V software (or current A/V signature files)? Are you willing to sell them a license or get involved in installing or updating the software on their laptop (no thanks!)? Could they unknowingly already have malware installed on their system, ready to have a go at your servers and workstations?

      If the visitors plug into specific connections in a conference room or guest area could those connections go back to a separate DMZ zone that isn’t on your regular network? If they don’t need to login to your network and only need Internet access there is much less risk and work involved if they are on their own network. I would also have in place an appropriate policy and procedure that they are educated in and sign off on before they plug in.

    • #2724110

      by adembo ·

      This question was closed by the author
