Re: Certificate-based DHCP authentication
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/23/05
- Next message: Steven L Umbach: "Re: Securing Network Browsing from Workgroup PC"
- Previous message: Steven L Umbach: "Re: File Log on Domain Server"
- In reply to: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Next in thread: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Reply: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Nov 2005 16:16:22 -0600
"When I do this for a customer, I usually also disable
access to Internet from clients that are not members of domain... If user
still brings computer to the network and the computer will get IP address
assigned, but it can't talk to anyone."
Hey Mike how are you doing that - to block access for a non domain computer
to the internet. Via ISA server and ipsec or ?? Thanks --- Steve
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:OvdwiLF8FHA.1000@tk2msftngp13.phx.gbl...
> Hi,
>
> Currently there is no easy way of doing this. You get DHCP IP by
> broadcasting the need for IP. DHCP was not designed with goal of assigning
> IP addresses to only specific computer (or devices) but to any device that
> requests it.
>
> There are few solutions out there -- but more or less all of them (can)
> cost quite a bit.
> - first one to mention is 802.1x where you authenticate computer on switch
> port. For this to work you need switch that supports authentication and
> enough ports to connect every PC to one of these ports. Next, you need to
> setup RADIUS server and certificates etc... In the end you need clients
> that know how to work with 802.1x (e.g. Windows 2000 SP4 or later).
> - another option would be to build IPSec policy. In this case you use your
> existing infrastructure (if you have Active Directory set up). What the
> policy defines is that only computers joined to domain can talk among
> themselves. Any computer not member of domain (or that does not have
> appropriate certificate) will not be able to talk to other computers that
> members of domain. When I do this for a customer, I usually also disable
> access to Internet from clients that are not members of domain... If user
> still brings computer to the network and the computer will get IP address
> assigned, but it can't talk to anyone.
>
> Last option that I also highly recommend is to write a corporate policy
> where you prohibit connection of any device that is not a property of your
> company to company network. Of course you must define what consequences
> are and your management must sign such policy.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> <Stryder Honeymonkey> wrote in message
> news:5629o1ht2ejnrbk7k75fudahqg2kj3s6v6@4ax.com...
>> Hi All,
>>
>> I'm trying to prevent users in my office from bringing PCs and laptops
>> from home, plugging them into the office network, and ending up on the
>> same IP subnet as our other office PCs.
>>
>> I'm thinking maybe I can use machine certificates to somehow
>> authenticate valid PCs to the DHCP server before an IP address is
>> handed out?
>>
>> Is my thinking right on this, or is there a better way to accomplish
>> what I want?
>>
>> Your help is appreciated!
>> 'monkey
>
>
- Next message: Steven L Umbach: "Re: Securing Network Browsing from Workgroup PC"
- Previous message: Steven L Umbach: "Re: File Log on Domain Server"
- In reply to: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Next in thread: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Reply: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
