DHCP for AD Computers only

PallBearer (Well-Known Member, joined Sep 18, 2009)
Hi All,

Is it possible to have a DHCP server assign a certain IP from a range to a computer, if that computer is in the AD Computer list?

The issue I'm having is that staff members know the wireless key, and they are logging on with their phones and personal laptops.

What I'd like to accomplish is the following:

Have two IP ranges: 10.x.x.x and then the 192.168.x.x that we currently use.
When a DHCP request is received, it checks AD for the computer account and then assigns the 192.168.x.x IP; otherwise it must issue the 10.x.x.x IP.

I have so many reservation entries now, and they are holding the IPs.

Thanks
 
Would be helpful to know what the difference is between the 10.x.x.x and 192.168.x.x; there may be a better way to deal with the actual problem and not just that everyone has access to the wifi and can do what they want. Also, what is the scale of the problem: under 10 or over 100 users?

Example:
Problem - users are using our internet and downloading games and updates etc.
Requirements - I need to have only authorised devices on wifi able to access the internet.
or
Problem - users are getting access to secure servers!
Requirements - we (don't/do) mind users having internet access, but they should not be able to access our secure servers.
 
You are making use of 2 scopes...

You could either assign the IPs via reservations, which would require that you know the MAC address of the devices.
You could also make use of filters and allow only certain MAC addresses in the one scope... every other MAC address will not get an IP in that range (scope).
Then in the other scope, allow the previously disallowed MAC addresses.

Why the two ranges though?
 
The 10.x.x.x range does not exist; I would want to use this to let the devices get an IP address, and do nothing with it. No internet access or anything like that.

Looks like I'm going to have to use a Guest WiFi on separate wifi APs.

Problem is that I have 4 wireless sites on our single site (4 separate buildings on a piece of land).

I have an Untangle box for internet access, but the knobs also know that password or use their current account to gain access.
 
Using MAC address filtering could prevent unauthorized MAC addresses from associating with the AP.
If they are high-end devices you might even be able to manage that centrally with the supporting software suite.

Seems to me you're stuck with three options.
1. Either control access with MAC addresses from the APs (means maintaining an allowed list for each AP), or perhaps find the offending devices and block their MACs (vulnerable to new devices, unless you have a monitoring program checking for new devices ;) ).

2. Control access through a combination of IP ranges and firewall rules (means maintaining a reservation list of allowed devices).

3. Change the wireless key and only have IT enter the key into the devices (obviously only works if the users don't know how to look at a saved wifi key on a device/PC).

With Windows DHCP server it's easy to convert the current leases to reservations (not sure if you're using the Untangle as the DHCP, but I'm guessing no). Then all you have to do is make the default scope an IP range that Untangle blocks.
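The "convert current leases to reservations" step above, tied to the original question (only machines with an AD computer account keep a 192.168.x.x address), as an added example that is not code from anyone in this thread. It assumes Windows Server DHCP with the DhcpServer PowerShell module (Windows Server 2012 and later) and the ActiveDirectory module; the server name and scope ID are constructed placeholders.

```powershell
# Added example for this thread, not code from any poster.
# Assumes the DhcpServer module (Windows Server 2012+) and the ActiveDirectory
# module are available, and that the trusted scope already exists.
# Server name and scope ID are constructed placeholders.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer   = 'dhcp01.example.local'   # placeholder
$TrustedScope = '192.168.1.0'            # placeholder: the 192.168.x.x scope

# 1. Collect the short names of every computer account in the domain.
$known = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ADComputer -Filter * | ForEach-Object { [void]$known.Add($_.Name) }

# 2. Walk the plain dynamic leases in the trusted scope (state 'Active';
#    existing reservations show as 'ActiveReservation' and are skipped).
#    A lease whose host name matches a domain computer is converted into a
#    reservation on its current address; everything else is collected.
$unknown = @()
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $TrustedScope |
    Where-Object { $_.AddressState -eq 'Active' } |
    ForEach-Object {
        $short = ($_.HostName -split '\.')[0]
        if ($short -and $known.Contains($short)) {
            Add-DhcpServerv4Reservation -ComputerName $DhcpServer `
                -ScopeId $TrustedScope -IPAddress $_.IPAddress `
                -ClientId $_.ClientId -Name $_.HostName `
                -Description 'Auto-reserved: matches AD computer account' `
                -ErrorAction SilentlyContinue
        } else {
            $unknown += $_
        }
    }

# 3. List the non-domain devices (phones, personal laptops) still holding
#    trusted-range addresses, so you can review them before the scope's
#    dynamic pool is moved to the range the firewall blocks. Note that
#    Windows DHCP MAC filters (Add-DhcpServerv4Filter) are server-wide, not
#    per scope, so they cannot by themselves steer unknowns into a second scope.
$unknown | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime |
    Format-Table -AutoSize
```

A host name match is only a convenience check, not authentication; a device can present any name or MAC, which is why the later replies in the thread push towards 802.1X or a separate segment.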
 
Why are you having wireless on your main network? Big risk there.

Anyways.

Add a second NIC to your server. Assign it an IP of 10.1.1.1.
Create a new DHCP scope for 10.1.1.x.
Connect the wifi router to this NIC, and you should be all set.

But seriously, having wifi on your main network is like giving the burglar a copy of your house's keys.

You should look seriously at putting the wifi on another network segment, which cannot access the server at all.

I have done such a thing successfully - with Smoothwall.

Simply by adding a second NIC to Smoothwall, and having Smoothwall deal out DHCP on that separate network, it means that all wifi devices will get a different DHCP address, but they cannot access the main network at all.

So if any ne'er-do-well manages to crack the wifi password, he/she can't access your server or any sensitive company documents/data.
 
Why are you having wireless on your main network? Big risk there.

Anyways.

Add a second NIC to your server. Assign it an IP of 10.1.1.1.
Create a new DHCP scope for 10.1.1.x.
Connect the wifi router to this NIC, and you should be all set.

But seriously, having wifi on your main network is like giving the burglar a copy of your house's keys.

You should look seriously at putting the wifi on another network segment, which cannot access the server at all.

I have done such a thing successfully - with Smoothwall.

Simply by adding a second NIC to Smoothwall, and having Smoothwall deal out DHCP on that separate network, it means that all wifi devices will get a different DHCP address, but they cannot access the main network at all.

So if any ne'er-do-well manages to crack the wifi password, he/she can't access your server or any sensitive company documents/data.

Not all that easy, they would need to crack one of the users' passwords as well.
 
A few ways to do things

I would probably enable 802.1X.
If there is authentication via AD credentials to your RADIUS, set their port to a specific VLAN and assign a scope from that VLAN.
If they are guests, assign the guest VLAN and scope.

This can work with wireless as well.

There are cheap and expensive ways to do this. Depends on your budget and switch infrastructure.
 
Why are you having wireless on your main network? Big risk there.

Anyways.

Add a second NIC to your server. Assign it an IP of 10.1.1.1.
Create a new DHCP scope for 10.1.1.x.
Connect the wifi router to this NIC, and you should be all set.

But seriously, having wifi on your main network is like giving the burglar a copy of your house's keys.

You should look seriously at putting the wifi on another network segment, which cannot access the server at all.

I have done such a thing successfully - with Smoothwall.

Simply by adding a second NIC to Smoothwall, and having Smoothwall deal out DHCP on that separate network, it means that all wifi devices will get a different DHCP address, but they cannot access the main network at all.

So if any ne'er-do-well manages to crack the wifi password, he/she can't access your server or any sensitive company documents/data.

How would my laptops then connect to Exchange / servers?
They are valid company laptops and so on.
 
As they said, use MAC Address Filtering.

Not really a scalable solution. Depending on the size of the company or potential growth in the future, maintenance of MAC address filtering tables could become somewhat annoying.
 
A few ways to do things

I would probably enable 802.1X.
If there is authentication via AD credentials to your RADIUS, set their port to a specific VLAN and assign a scope from that VLAN.
If they are guests, assign the guest VLAN and scope.

This can work with wireless as well.

There are cheap and expensive ways to do this. Depends on your budget and switch infrastructure.

This. Use individual credentials to auth to the wireless network. Track users who are connecting more than one MAC with their own credentials. Visit their desk with a cluebat. Done.

Alternatively, offer a separate wireless network for "untrusted" devices (phones, etc), and simply encourage your users to use that. You can throttle it as required.
 