client authentication

[Guest]

How to block a user from accessing the Windows 2000 Server by the MAC
address? Is there a way not to offer IP address from the DHCP server??

 

[Roger Abell]

First you need to be aware the many nic card drivers do
allow one to set the MAC address that will be used.

You first ask about controlling access to a W2k server,
and next about controlling leasing of IPs from DHCP.
Are these two different concerns or a reexpression of
one? If one, then DHCP will offer an IP to any machine
that asks, if it has available IPs. You can reserve IPs
that are then available each only for a specific MAC,
and if all IPs in the scope are so reserved then there
are none available to MAC addresses which have not
been so provided for. This is sort of a tedious way to
get at what you are after, except in reverse.

 

[Steven L Umbach]

Not directly but your options could be to use mac filtering with a switch
that is capable of such, an ipsec filtering policy on the server, or better
yet an ipsec negotiation policy that requires computer authentication before
access is allowed to the server. Ipsec negotiation however can not be used
if the server is a domain controller. All of that would be controlling
access of the computer and not the user directly. To control user access you
can also use user rights such as access or deny access this computer from
the network or restrictive share/ntfs permissions. That would restrict the
user no matter what computer he was on while restricting computer access
would restrict all users on the computer. --- Steve