Re: Certificate-based DHCP authentication

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/25/05


Date: Thu, 24 Nov 2005 19:55:16 -0600

Cool. Thanks for the info! --- Steve

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:erPqJqT8FHA.3660@TK2MSFTNGP09.phx.gbl...
> Hi Steve,
>
> Sorry, I meant to mention it but I forgot. Yes, in most cases I use ISA
> Server and IPsec. It is also a very good way to force people to be part of
> the domain.
>
> I had one case some time ago where employees didn't want to be part of the
> domain. They said it was too restrictive and they didn't like the idea of
> an administrator going through their PCs.
> What we did with their IT was set up an ISA server and make a policy that only
> computers that are members of the domain can surf the web. Now it was up to
> the users whether they wanted to be part of the domain. Now that they are part
> of the domain they get patched, they get antivirus and they can surf the
> Internet...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:eJPoJuH8FHA.3388@TK2MSFTNGP11.phx.gbl...
>> "When I do this for a customer, I usually also disable
>> access to the Internet from clients that are not members of the domain... If a
>> user still brings a computer to the network, the computer will get an IP address
>> assigned, but it can't talk to anyone."
>>
>> Hey Mike, how are you doing that - blocking access to the Internet for a
>> non-domain computer? Via ISA Server and IPsec, or ?? Thanks ---
>> Steve
>>
>> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
>> news:OvdwiLF8FHA.1000@tk2msftngp13.phx.gbl...
>>> Hi,
>>>
>>> Currently there is no easy way of doing this. You get a DHCP IP by
>>> broadcasting the need for one. DHCP was not designed with the goal of
>>> assigning IP addresses only to specific computers (or devices) but to any
>>> device that requests one.
>>>
>>> There are a few solutions out there -- but more or less all of them (can)
>>> cost quite a bit.
>>> - The first one to mention is 802.1x, where you authenticate the computer on
>>> the switch port. For this to work you need a switch that supports
>>> authentication and enough ports to connect every PC to one of these
>>> ports. Next, you need to set up a RADIUS server and certificates etc... In
>>> the end you need clients that know how to work with 802.1x (e.g. Windows
>>> 2000 SP4 or later).
>>> - Another option would be to build an IPsec policy. In this case you use
>>> your existing infrastructure (if you have Active Directory set up). What
>>> the policy defines is that only computers joined to the domain can talk
>>> among themselves. Any computer that is not a member of the domain (or that
>>> does not have an appropriate certificate) will not be able to talk to other
>>> computers that are members of the domain. When I do this for a customer, I
>>> usually also disable access to the Internet from clients that are not
>>> members of the domain... If a user still brings a computer to the network,
>>> the computer will get an IP address assigned, but it can't talk to anyone.
>>>
>>> The last option, which I also highly recommend, is to write a corporate policy
>>> that prohibits connecting any device that is not the property of
>>> your company to the company network. Of course you must define what the
>>> consequences are, and your management must sign such a policy.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> <Stryder Honeymonkey> wrote in message
>>> news:5629o1ht2ejnrbk7k75fudahqg2kj3s6v6@4ax.com...
>>>> Hi All,
>>>>
>>>> I'm trying to prevent users in my office from bringing PCs and laptops
>>>> from home, plugging them into the office network, and ending up on the
>>>> same IP subnet as our other office PCs.
>>>>
>>>> I'm thinking maybe I can use machine certificates to somehow
>>>> authenticate valid PCs to the DHCP server before an IP address is
>>>> handed out?
>>>>
>>>> Is my thinking right on this, or is there a better way to accomplish
>>>> what I want?
>>>>
>>>> Your help is appreciated!
>>>> 'monkey
>>>
>>>
>>
>>
>
>
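For readers who want to see what the IPsec "domain isolation" policy Mike describes looks like in practice, here is an added example (not code from the thread or from either poster). It builds the policy with the `netsh ipsec static` context that ships with Windows XP and Windows Server 2003, and it makes two assumptions that are purely illustrative: the domain controller sits at 10.0.0.10 and the DHCP/DNS server at 10.0.0.11. Those exemptions are the part people most often forget: a client cannot obtain a Kerberos ticket, a DHCP lease or a name lookup if the hosts that provide them already demand IPsec, so the infrastructure must be reachable in the clear.

```powershell
# Added example: Kerberos-based IPsec domain isolation policy using netsh ipsec static
# (Windows XP / Server 2003 era). Run in an elevated PowerShell or cmd prompt.
# Assumed (hypothetical) addresses for this example only:
$dc   = "10.0.0.10"   # domain controller: must stay reachable so IKE can get Kerberos tickets
$infra = "10.0.0.11"  # DHCP/DNS server: lease and name resolution happen before IPsec can

# 1. Create the policy. mmsecmethods selects main-mode crypto as ConfAlg-HashAlg-DHgroup.
netsh ipsec static add policy name="Domain Isolation" `
    description="Require Kerberos-authenticated IPsec for unicast traffic" `
    mmsecmethods="3DES-SHA1-2"

# 2. Filter list matching all traffic from this host to anywhere (mirrored = both directions).
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

# 3. Filter list for infrastructure that must be reachable without IPsec.
#    A more specific filter (single destination) takes precedence over the Me->Any filter above.
netsh ipsec static add filterlist name="Exempt Infrastructure"
netsh ipsec static add filter filterlist="Exempt Infrastructure" srcaddr=Me dstaddr=$dc    protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Exempt Infrastructure" srcaddr=Me dstaddr=$infra protocol=ANY mirrored=yes

# 4. Filter actions.
#    inpass=no : do not accept unsecured inbound packets
#    soft=no   : no fallback to clear text when the peer cannot negotiate
#    ESP[None,SHA1] authenticates every packet without encrypting it, which is enough for
#    isolation and keeps the traffic readable for network monitoring; use ESP[3DES,SHA1] to encrypt.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Permit" action=permit

# 5. Rules. kerberos=yes makes the machine's domain account the IKE credential, so a host that is
#    not joined to the domain fails main mode: it keeps its DHCP lease but cannot talk to any peer.
#    (rootca="..." instead of kerberos=yes would accept machine certificates from a given CA.)
netsh ipsec static add rule name="Require Auth"  policy="Domain Isolation" filterlist="All Traffic"           filteraction="Require Security" kerberos=yes
netsh ipsec static add rule name="Exempt Infra"  policy="Domain Isolation" filterlist="Exempt Infrastructure" filteraction="Permit"

# 6. Assign locally for testing. In production, distribute the policy through Group Policy
#    (Computer Configuration > Windows Settings > Security Settings > IP Security Policies).
netsh ipsec static set policy name="Domain Isolation" assign=yes

# Verify what was built.
netsh ipsec static show policy name="Domain Isolation" level=verbose
```

Two practical checks before rolling this out: test the assigned policy on one machine with `netsh ipsec static show all` and a ping to a domain member and to a non-member, and make sure every DC, DHCP and DNS server (not just the two assumed here) appears in the exemption list, or clients will be unable to authenticate at boot.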


