Prohibit DHCP to visitors in the office

By adembo
I am looking for a way to have visitors that come in with their own laptops and plug into an available port be denied a DHCP address until I can verify the laptop has proper security set and antivirus software running. What are some of the ways this can be done? I had thought about a certificate server, but didn't know if that would work. They do not have to log on to our network, so I don't see how group policy could help.

Any ideas?

by brian In reply to Prohibit DHCP to visitors ...

Make your Domain controller the DNS server and the DHCP server.

by adembo In reply to Prohibit DHCP to visitors ...

I don't understand how that makes a difference. All servers are domain controllers and all are DNS servers. If you plug a Windows XP laptop into an available network port, it goes out and asks for a DHCP server using UDP. So I don't see what difference making the DNS and DHCP on the same server makes.

by EdLockett In reply to Prohibit DHCP to visitors ...

I think you could use user class options to distinguish between approved and non-approved PCs. Read the help, and do a search to see how this could be accomplished.

by brian_e In reply to Prohibit DHCP to visitors ...

DHCP does not provide any authentication mechanisms. However, DHCP is based on the old BOOTP protocol that was used to provide IP configuration to known computers.

The specific steps will vary from vendor to vendor of DHCP servers. Generally, you would have to know the MAC address of all authorized computers. Be aware, this information can be easily spoofed.

You may want to control network access at the switch using similar MAC filtering.

Take a look into 802.1X and EAP. This allows you to authenticate users prior to being granted network access (and being assigned an IP). This requires a switch that supports 802.1X. Windows integrates this 802.1X authentication with the Windows logon (i.e. CTRL+ALT+DEL). You will need a RADIUS server for the switch to authenticate users against (this can integrate with AD, SecurID or others depending on the RADIUS server being used).
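
Added example, not part of any post in this thread and not any vendor's DHCP server code: a sketch of the MAC-allowlist and user-class check suggested above, applied to a constructed DHCPDISCOVER. The function names, the MAC addresses and the class name `approved-pc` are assumptions made for illustration, and option 77 is compared as opaque bytes.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build_discover(mac: str, user_class: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER. Every field in it is chosen by the client."""
    chaddr = bytes.fromhex(mac.replace(":", ""))  # struct pads it to 16 bytes
    z = b"\x00" * 4
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                      z, z, z, z, chaddr, b"", b"")
    opts = b"\x35\x01\x01"  # option 53, length 1, value 1 = DHCPDISCOVER
    if user_class:
        opts += bytes([77, len(user_class)]) + user_class  # option 77 = user class
    return hdr + MAGIC + opts + b"\xff"  # option 255 = end

def parse_request(pkt: bytes):
    """Return (client MAC, {option code: raw value}) from a DHCP request."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = pkt[28:28 + hlen].hex(":")  # chaddr field starts at offset 28
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return mac, opts

def decide(pkt: bytes, allowed_macs: set, approved_class: bytes) -> str:
    """Lease only to allowlisted MACs that also present the approved user class."""
    mac, opts = parse_request(pkt)
    if mac in allowed_macs and opts.get(77) == approved_class:
        return "lease"
    return "ignore"

ALLOWED = {"02:00:00:00:00:01"}   # constructed allowlist entry
CLASS = b"approved-pc"            # constructed class name

if __name__ == "__main__":
    print(decide(build_discover("02:00:00:00:00:01", CLASS), ALLOWED, CLASS))
    print(decide(build_discover("02:00:00:00:00:99"), ALLOWED, CLASS))
```

The decision rests entirely on bytes the client put in the packet, so this filter only keeps unconfigured visitors off the scope; verifying who is on the port is what 802.1X with RADIUS is for.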

by drsysadmin In reply to Prohibit DHCP to visitors ...

OK... Here is the thing - go to the DHCP users group and remove the EVERYONE group.
What you have is EVERYONE - authenticated to your network or not - listed as a valid DHCP user. Take that out - and you should get what you requested.
Luck.
Dr. Sys

by Trien In reply to Prohibit DHCP to visitors ...

If you have a layer 3 switch, you can have the router go by MAC addresses and then add them as necessary.

by rfurze In reply to Prohibit DHCP to visitors ...

Hmmm... A couple of questions - How will you handle visitors that don't have A/V software (or current A/V signature files)? Are you willing to sell them a license or get involved in installing or updating the software on their laptop (no thanks!)? Could they unknowingly already have malware installed on their system, ready to have a go at your servers and workstations?

If the visitors plug into specific connections in a conference room or guest area, could those connections go back to a separate DMZ zone that isn't on your regular network? If they don't need to log in to your network and only need Internet access, there is much less risk and work involved if they are on their own network. I would also have in place an appropriate policy and procedure that they are educated in and sign off on before they plug in.
