Re: Certificate-based DHCP authentication

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 11/24/05 

Date: Thu, 24 Nov 2005 22:03:34 +0100

Hi Steve,

Sorry I meant to mention it but I forgot. Yes in most cases I use ISA server
and IPSec. It is also a very good way to force people to be part of domain.

I had one case some time ago where employees didn't want to be part of
domain. They said it was too restrictive and they didn't like the idea of
administrator going through their PCs.
What we did with their IT is set up ISA server and made a policy that only
computers that are members of domain can surf the web. Now it was up to the
users if they want to be part of domain. Now that they are part of domain
they get patched, they get antivirus and they can surf the internet... 

-- 
Mike
Microsoft MVP - Windows Security
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message 
news:eJPoJuH8FHA.3388@TK2MSFTNGP11.phx.gbl...
> "When I do this for a customer, I usually also disable
> access to Internet from clients that are not members of domain... If user
> still brings computer to the network and the computer will get IP address
> assigned, but it can't talk to anyone."
>
> Hey Mike how are you doing that - to block access for a non domain 
> computer to the internet. Via ISA server and ipsec or ??  Thanks   ---  
> Steve
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message 
> news:OvdwiLF8FHA.1000@tk2msftngp13.phx.gbl...
>> Hi,
>>
>> Currently there is no easy way of doing this. You get DHCP IP by 
>> broadcasting the need for IP. DHCP was not designed with goal of 
>> assigning IP addresses to only specific computer (or devices) but to any 
>> device that requests it.
>>
>> There are few solutions out there -- but more or less all of them (can) 
>> cost quite a bit.
>> - first one to mention is 802.1x where you authenticate computer on 
>> switch port. For this to work you need switch that supports 
>> authentication and enough ports to connect every PC to one of these 
>> ports. Next, you need to setup RADIUS server and certificates etc... In 
>> the end you need clients that know how to work with 802.1x (e.g. Windows 
>> 2000 SP4 or later).
>> - another option would be to build IPSec policy. In this case you use 
>> your existing infrastructure (if you have Active Directory set up). What 
>> the policy defines is that only computers joined to domain can talk among 
>> themselves. Any computer not member of domain (or that does not have 
>> appropriate certificate) will not be able to talk to other computers that 
>> members of domain. When I do this for a customer, I usually also disable 
>> access to Internet from clients that are not members of domain... If user 
>> still brings computer to the network and the computer will get IP address 
>> assigned, but it can't talk to anyone.
>>
>> Last option that I also highly recommend is to write a corporate policy 
>> where you prohibit connection of any device that is not a property of 
>> your company to company network. Of course you must define what 
>> consequences are and your management must sign such policy.
>>
>> -- 
>> Mike
>> Microsoft MVP - Windows Security
>>
>> <Stryder Honeymonkey> wrote in message 
>> news:5629o1ht2ejnrbk7k75fudahqg2kj3s6v6@4ax.com...
>>> Hi All,
>>>
>>> I'm trying to prevent users in my office from bringing PCs and laptops
>>> from home, plugging them into the office network, and ending up on the
>>> same IP subnet as our other office PCs.
>>>
>>> I'm thinking maybe I can use machine certificates to somehow
>>> authenticate valid PCs to the DHCP server before an IP address is
>>> handed out?
>>>
>>> Is my thinking right on this, or is there a better way to accomplish
>>> what I want?
>>>
>>> Your help is appreciated!
>>> 'monkey
>>
>>
>
>

Relevant Pages

  • Re: authentication problem
    ... issue as well including the W2003 ipsec guide which does not flat out say it ... Traffic between Active Directory domain controllers and the application ... The "complexity of the IPSecc policy configuration" tells me that just ... enabling client/respond on domain members first and then a require on domain ...
    (microsoft.public.win2000.security)
  • Re: WSE464: No policy could be found for this message.
    ... The problem is only happening when coming in through the isa server. ... My endpoints are upper and lower case. ... I changed the CLIENT policy file so that the endpoints ... But I had no problems with my web services this way. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Researching site-to-site MS-to-hardware VPN solution
    ... Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and ... Sonic OS 3.1 Enhanced and Microsoft ISA Server 2004 ... Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and SmoothWall ...
    (microsoft.public.isa.vpn)
  • RE: ISA Server 2004 IPSec Identifier
    ... negotiations. ... The plan is to use it as the back firewall in a 2-firewall ... The ISA Server will also be used as a VPN gateway. ... > I have IPSec pass-through working on the front firewall. ...
    (microsoft.public.isa.vpn)
  • RE: ISA 2004 Error
    ... I had forgotten that I disabled IPSEC because it was not in use. ... > Thank you for posting in SBS newsgroup. ... Try to reboot the ISA server to see ... > Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
Loading