Re: Unauthorized laptops & DHCP server 2000
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: Wed, 23 Jun 2004 23:28:12 +0200
you could setup port authentication on your switch, but it is quite a
project to set it up. First you need the switch that supports this. Then you
need the client that supports this (e.g. Windows 2000 SP4, Windows XP, ...).
Next thing you need is RADIUS (IAS) server and now you have to interconnect
everything with AD. So if a user (or computer) have the account in AD (and
permission) they will get the IP. If they don't they don't get IP and they
don't get on the network.
Alternatives? Well you can unpatch all the publicly available network
sockets -- this way even if someone comes by and plugs in, he is not
connected to the network.
Filtering by MAC address is not really a security since MAC address can be
changed (in less then 30 seconds), but yes I would need to know a valid one
on the network (which is again quite easy to do. All I have to do is type
arp -a on a PC that is connected on the network)...
"Serge L" <Serge L@discussions.microsoft.com> wrote in message
> What are the ways for me to limit outside visitors to come in and plug in
> their laptops. From what I've read from previous posts is to create
> reservations and map addresses to MAC, but what if I am away and someone
> comes in office for presentation?
> In my perfect world any computers that are not in our domain would receive
> Login, password dialog or it that's not achievable then I would like to
> limit DHCP leases only to domain computers.
> Any suggestions?