One way that might work for you is to create a quarantine
network similar to what is used for VPN access. To get connected a user
has to meet certain criteria before being allowed on the trusted network
(where a browse list could be used/modified etc). Some criteria might be a
successful authentication (that would be a little odd though if they were in a
DMZ type network), valid certificate, etc. This is more commonly used for
wireless users from what I've seen, but it can be a similar process with
desktops, laptops, etc. This can also work with switching/network
equipment but it's fairly new to the scene IIRC.
I want to say that companies like Cisco, Microsoft, IBM and
so on are working on technologies to solve just that problem. Had a nice
airport conversation with an IBM rep talking about Cisco and Tivoli integration
for similar functionality.
As for using DHCP as the authentication I've not heard of,
nor can I think of a way to do that off the top of my head. Like you
said, the IP is required to even converse with any mechanism.
This would be a good thing to investigate, because even if
you disable the jacks not in use, that won't be as effective in preventing rogue
machines; they could just unplug a machine for example. Won't help with
wireless either I suspect.
Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, May 16, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure DHCP

I am wondering if there is any way
to secure DHCP from assigning leases to PCs that are not authorized on the
domain. I imagine that this is not possible since, in order to authenticate, a
PC needs an IP address. The problem is that the other day we
had a rogue PC plug into our network and, though probably coincidental, our
browse list was messed up afterwards. So I have been tasked with finding out if
there is a way to prevent unauthorized PCs from obtaining IP leases on our
network (other than disabling all jacks not in use, which is what we will be
doing). If not, does anyone have any suggestions on how to prevent the above
situation in the future?
_________________________
PC Support Specialist
IAG Research T. F. Measuring Ad Effectiveness on Television