Re: Certificate-based DHCP authentication

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 11/23/05


Date: Wed, 23 Nov 2005 18:25:21 +0100

Hi,

Currently there is no easy way of doing this. You get a DHCP IP by
broadcasting the need for one. DHCP was not designed with the goal of assigning
IP addresses only to specific computers (or devices) but to any device that
requests one.

There are a few solutions out there -- but more or less all of them (can) cost
quite a bit.
- the first one to mention is 802.1x, where you authenticate the computer on the
switch port. For this to work you need a switch that supports authentication and
enough ports to connect every PC to one of these ports. Next, you need to
set up a RADIUS server and certificates, etc. In the end you need clients that
know how to work with 802.1x (e.g. Windows 2000 SP4 or later).
- another option would be to build an IPSec policy. In this case you use your
existing infrastructure (if you have Active Directory set up). What the
policy defines is that only computers joined to the domain can talk among
themselves. Any computer that is not a member of the domain (or that does not
have the appropriate certificate) will not be able to talk to other computers
that are members of the domain. When I do this for a customer, I usually also
disable access to the Internet from clients that are not members of the domain...
If a user still brings a computer to the network, the computer will get an IP
address assigned, but it can't talk to anyone.

The last option, which I also highly recommend, is to write a corporate policy
that prohibits connecting any device that is not the property of your
company to the company network. Of course you must define what the consequences
are, and your management must sign such a policy.

-- 
Mike
Microsoft MVP - Windows Security
<Stryder Honeymonkey> wrote in message 
news:5629o1ht2ejnrbk7k75fudahqg2kj3s6v6@4ax.com...
> Hi All,
>
> I'm trying to prevent users in my office from bringing PCs and laptops
> from home, plugging them into the office network, and ending up on the
> same IP subnet as our other office PCs.
>
> I'm thinking maybe I can use machine certificates to somehow
> authenticate valid PCs to the DHCP server before an IP address is
> handed out?
>
> Is my thinking right on this, or is there a better way to accomplish
> what I want?
>
> Your help is appreciated!
> 'monkey 
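The "IPSec policy" option in the reply above, as an added example that is not part of the original post or of any Microsoft documentation. It expresses a domain-isolation policy as Windows Defender Firewall connection security rules using the NetSecurity PowerShell module (Windows 8 / Server 2012 or later); the 2005 post would have built the same thing with the Group Policy "IP Security Policies" snap-in. The domain controller addresses, the rule group name and the display names are placeholders chosen for this example. It has to run in an elevated PowerShell session on a domain-joined machine.

```powershell
# Added example: domain isolation with IPsec connection security rules.
# Only computers that can authenticate with the domain (here: computer
# account Kerberos) are allowed to open inbound connections to this host;
# a laptop brought from home still gets a DHCP lease but is dropped at
# IPsec negotiation. Addresses and names below are placeholders (assumption).

$ErrorActionPreference = 'Stop'

# Domain controllers must stay reachable without IPsec: a client needs a
# Kerberos ticket from a DC *before* it can authenticate the IPsec
# negotiation, so protecting DC traffic would lock every client out.
$DomainControllers = @('10.0.0.10', '10.0.0.11')      # placeholder addresses
$RuleGroup         = 'Domain Isolation (example)'
$AuthSetName       = 'Machine Kerberos (example)'

# Remove leftovers from a previous run so the script can be re-run cleanly.
Get-NetIPsecRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetIPsecRule
Get-NetIPsecPhase1AuthSet -DisplayName $AuthSetName -ErrorAction SilentlyContinue |
    Remove-NetIPsecPhase1AuthSet

# Phase 1 authentication: the *computer* account proves domain membership
# via Kerberos. A non-domain machine cannot produce this credential.
# (The machine-certificate variant the reply also mentions would use
#  New-NetIPsecAuthProposal -Machine -Cert -Authority '<issuing CA subject>'.)
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1      = New-NetIPsecPhase1AuthSet -DisplayName $AuthSetName -Proposal $machineKerb

# 1. Exemptions. DHCP must keep working unauthenticated: the point of the
#    reply is that the rogue PC *will* get a lease and simply cannot talk to
#    anyone afterwards. Exempt it explicitly rather than relying on defaults.
New-NetIPsecRule -DisplayName 'Exempt DHCP client traffic' -Group $RuleGroup `
    -Protocol UDP -LocalPort 68 -RemotePort 67 `
    -InboundSecurity None -OutboundSecurity None

New-NetIPsecRule -DisplayName 'Exempt domain controllers' -Group $RuleGroup `
    -RemoteAddress $DomainControllers `
    -InboundSecurity None -OutboundSecurity None

# 2. The isolation rule. Inbound: REQUIRE authentication, so an unknown host
#    is rejected before it reaches any service on this machine. Outbound:
#    REQUEST it, so domain members can still reach printers, appliances and
#    the Internet, which will never speak IPsec. (Blocking Internet access
#    for non-members, as the reply suggests, is a firewall/proxy decision
#    made elsewhere, not an IPsec rule.)
New-NetIPsecRule -DisplayName 'Domain isolation: require inbound auth' -Group $RuleGroup `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# 3. Show what is now in place.
Get-NetIPsecRule -Group $RuleGroup |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled |
    Format-Table -AutoSize
```

Two practical notes. First, test this on one machine before rolling it out: the exemption list is the part that bites, and anything else a client needs before it can authenticate (DNS on a non-DC, WSUS, the CA itself if you use certificates) has to be added to it. Second, for a real deployment the same cmdlets take a `-PolicyStore` argument pointing at a GPO (of the form `'<domain>\<GPO name>'`, an assumption about your environment) so the rules are pushed to every domain member instead of being created locally.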

