DHCP Authorization in active directory.

  • Thread starter Thread starter xxx
  • Start date Start date
X

xxx

When a win 2k/3k dhcp server is authorized in active directory
will the DHCP Server just hand out ip addresses even if a user
account does not exist in active directory.

Here is what I am trying to accomplish. Person hooks up their
laptop to company network. Laptop broadcasts for a dhcp assignment
dhcp server responds. Dhcp server checks active directory for a
valid user... None exists. Dhcp declines assigning the ip.

Any insight on this would be most welcome.

Thank You. JJ7
 
Has absolutely nothing to do with user account objects at all - unless I am
missing something.

You might want to think about setting up VLANs.

HTH,

Cary
 
Hi,
Here is what I am trying to accomplish. Person hooks up their
laptop to company network. Laptop broadcasts for a dhcp assignment
dhcp server responds. Dhcp server checks active directory for a
valid user... None exists. Dhcp declines assigning the ip.
Click to expand...

I also posed this question a month back and the answer is no. DHCP
doesn’t authenticate to AD and therefore anyone with a laptop can get
an IP. DHCP is not domain specific.

The only way I have got around this somewhat is to install an ISA
server. The only reason my users plug their laptops in is to get
internet service. The ISA requires AD authentication so therefore no
internet service.

I also scan my DHCP on a daily basis. All my Network Names are easily
identified and start with the same letter R for Room # eg. R123-123

If I see an unidentified machines, I get the mac address and then
assign an ip like 192.0.0.0 which isn’t a correct IP.

Cheers,

Lara
 
Hi Lara, thanks for the info. I had a feeling that your answer
would be no.

It would be real nice if dhcp did auth against AD this would put an
end to free internet access to rouge laptops. As I see it then there
is no point in authorizing dhcp in active directory. I think ms intent
was to try stop rouge dhcp servers from assigning bad ip's with this
method.

The problem with dhcp is that whatever dhcp server responds to a
clients request first normally assigns the ip to the client. If you
really want to hose a internal network just hook up a lowcost netgear
router and hand out dhcp assignments on your subnet,,,

I got about 200 client pc's on the network. In the above test the
netgear typically bet MS Dhcp server in assinging ip's to the client.
Needless to say they were the wrong ips.

Thanks for your insight.

JJ
 
ping2 said:
Hi Lara, thanks for the info. I had a feeling that your answer
would be no.

It would be real nice if dhcp did auth against AD this would
put an
end to free internet access to rouge laptops. As I see it then
there
is no point in authorizing dhcp in active directory. I think
ms intent
was to try stop rouge dhcp servers from assigning bad ip's
with this
method.

The problem with dhcp is that whatever dhcp server responds to
a
clients request first normally assigns the ip to the client.
If you
really want to hose a internal network just hook up a lowcost
netgear
router and hand out dhcp assignments on your subnet,,,

I got about 200 client pc's on the network. In the above test
the
netgear typically bet MS Dhcp server in assinging ip's to the
client.
Needless to say they were the wrong ips.

Thanks for your insight.

JJ






 > > Here is what I am trying to accomplish. Person hooks
up their
 > > laptop to company network. Laptop broadcasts for a
dhcp assignment
 > > dhcp server responds. Dhcp server checks active
directory for a
 > > valid user... None exists. Dhcp declines assigning
the ip.
Click to expand...

I have also been looking for this, or a similar capability. While I
think that polling the active directory is a good idea, we have quite
a few wireless pda’s that are not in active directory nor should be.

I would rather have / build a table of authorized MAC addresses that
all DHCP servers could verify against before handing out an IP
address.

request for address
server receives
verify valid mac address
if in table - yes, otherwise 0.0.0.0 and flag an admin staffer

Granted, a dhcp scope reservation is exactly the solution, it defeats
the purpose of dhcp with my mobile (l)users. I would rather have one
table that all my servers point to with all authorized mac’s so I
don’t have to worry about what site, what subnet, etc.

No valid MAC, No valid IP address

Or if a script that watched the various scopes watching for change,
verifying each new address against the above prebuild table and
revoking licenses as they come up.

For what it’s worth...
 
ping2 said:
Hi Lara, thanks for the info. I had a feeling that your answer
would be no.

It would be real nice if dhcp did auth against AD this would
put an
end to free internet access to rouge laptops. As I see it then
there
is no point in authorizing dhcp in active directory. I think
ms intent
was to try stop rouge dhcp servers from assigning bad ip's
with this
method.

The problem with dhcp is that whatever dhcp server responds to
a
clients request first normally assigns the ip to the client.
If you
really want to hose a internal network just hook up a lowcost
netgear
router and hand out dhcp assignments on your subnet,,,

I got about 200 client pc's on the network. In the above test
the
netgear typically bet MS Dhcp server in assinging ip's to the
client.
Needless to say they were the wrong ips.

Thanks for your insight.

JJ






 > > Here is what I am trying to accomplish. Person hooks
up their
 > > laptop to company network. Laptop broadcasts for a
dhcp assignment
 > > dhcp server responds. Dhcp server checks active
directory for a
 > > valid user... None exists. Dhcp declines assigning
the ip.
Click to expand...

I have also been looking for this, or a similar capability. While I
think that polling the active directory is a good idea, we have quite
a few wireless pda’s that are not in active directory nor should be.

I would rather have / build a table of authorized MAC addresses that
all DHCP servers could verify against before handing out an IP
address.

request for address
server receives
verify valid mac address
if in table - yes, otherwise 0.0.0.0 and flag an admin staffer

Granted, a dhcp scope reservation is exactly the solution, it defeats
the purpose of dhcp with my mobile (l)users. I would rather have one
table that all my servers point to with all authorized mac’s so I
don’t have to worry about what site, what subnet, etc.

No valid MAC, No valid IP address

Or if a script that watched the various scopes watching for change,
verifying each new address against the above prebuild table and
revoking licenses as they come up.

For what it’s worth...
 
Paul,

I used to know this stuff!

I thought that you could set up VLANS and then reservations ( MAC
Addresses ) so that no unauthorized computer could attach itself to the
internal network. Looks like having a baby ( and another on the way! ) has
affected my brain. I speak fluent ga-ga now, though!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Paul,

Thank you. I am still working on the Active Directory site ( using plain
old HTML and tables for layout! ) but will soon upgrade it to XHTML and CSS
( Just have to learn those first! ). The Group Policy site will be
available 'soon'. Nothing there at all yet.

I know that using VLANS and reservations was a solution somewhere in my
life.......just can not remember where! But it probably is a bit tedious.
I seem to like tedious!

Link to it....I do not mind at all! I will return the favor in my links
page ( currently just a handful of some more common MSKB Articles ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Well it's looking good - I can't wait for some articles - your posts are
almost articles in themselves.

I'd like to see an article on SRV record prioritisation -the weights and
priorities that you always do a great job of explaining...
...I will return the favor in my links page...
Click to expand...

Awesome!!! I'd be honoured.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Paul,

Thank you. I am still working on the Active Directory site ( using plain
old HTML and tables for layout! ) but will soon upgrade it to XHTML and CSS
( Just have to learn those first! ). The Group Policy site will be
available 'soon'. Nothing there at all yet.

I know that using VLANS and reservations was a solution somewhere in my
life.......just can not remember where! But it probably is a bit tedious.
I seem to like tedious!

Link to it....I do not mind at all! I will return the favor in my links
page ( currently just a handful of some more common MSKB Articles ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Infrastructure products to assist:

Cisco ACS
Cisco WLSE (Wireless)

** A Cisco Agent hooks into AD, then, when a client asks for an IP address
the Cisco device simply asks for the AD credentials. If they match they get
an IP, if they don't, no access.

VLANs are also a way of helping limit unauthorized users to a degree.
 
Ryan,

You might also consider enabling 802.1x with EAP to authenticate the
computer account before an IP address is even assigned. This would require
computer certificates on all machines and a well planned PKI.
 
Back
Top