Hello all,
I have a question regarding IAS & DHCP. Is it possible to
configure things in such a way that any unauthorized MAC
addresses on the network will not get an address through
DHCP? We are not using wireless, this applies to our LAN
only. Most of the articles I have read about this are
geared towards remote or wireless users and authenticating
on the network. I would like to set it up in such a way
that any system hooked to the network who's MAC address is
not in some kind of "approved" database can't get an
address through DHCP. I know there are dedicated DHCP
appliances that can do this but I looking for a low cost
(as in free) solution using what we already have if
possible. If anyone can help I would appreciate it. Thank
you.

[ Post a follow-up to this message ]

How about a cisco switch? Done it with them.


"Sean" <anonymous@discussions.microsoft.com> wrote in message
news:521801c480ac$285a8e10$a501280a@phx.gbl...
> Hello all,
> I have a question regarding IAS & DHCP. Is it possible to
> configure things in such a way that any unauthorized MAC
> addresses on the network will not get an address through
> DHCP? We are not using wireless, this applies to our LAN
> only. Most of the articles I have read about this are
> geared towards remote or wireless users and authenticating
> on the network. I would like to set it up in such a way
> that any system hooked to the network who's MAC address is
> not in some kind of "approved" database can't get an
> address through DHCP. I know there are dedicated DHCP
> appliances that can do this but I looking for a low cost
> (as in free) solution using what we already have if
> possible. If anyone can help I would appreciate it. Thank
> you.

[ Post a follow-up to this message ]

I too was wondering about that.  When you view the properties for a wired
connection under Windows, there is an authentication tab where IEEE 802.1x
is checked.  That would seem to imply that there is a way to do this.

If you find out, please post your results and I will do the same.

Jeff


"Sean" <anonymous@discussions.microsoft.com> wrote in message
news:521801c480ac$285a8e10$a501280a@phx.gbl...
> Hello all,
> I have a question regarding IAS & DHCP. Is it possible to
> configure things in such a way that any unauthorized MAC
> addresses on the network will not get an address through
> DHCP? We are not using wireless, this applies to our LAN
> only. Most of the articles I have read about this are
> geared towards remote or wireless users and authenticating
> on the network. I would like to set it up in such a way
> that any system hooked to the network who's MAC address is
> not in some kind of "approved" database can't get an
> address through DHCP. I know there are dedicated DHCP
> appliances that can do this but I looking for a low cost
> (as in free) solution using what we already have if
> possible. If anyone can help I would appreciate it. Thank
> you.

[ Post a follow-up to this message ]

I was thinking about this more.  Because you have to enter a list of
authorized MAC addresses in the first place, there may be a way to
accomplish what you need with DHCP.  Depending upon the size of your list,
you could create a reservation for each MAC address thereby utilizing all of
the addresses in your pool.  This essentially is a static address and one
might say why use a DHCP server to do this.  With this, you can still
configure scope options where your clients get assigned all of the other
attributes from DHCP (DNS, gateway, domain name, etc.).

Jeff


"Jeff Durham" <jdurham.nospam@cinci.rr.com> wrote in message
news:urEJTkclEHA.2224@tk2msftngp13.phx.gbl...
>I too was wondering about that.  When you view the properties for a wired
>connection under Windows, there is an authentication tab where IEEE 802.1x
>is checked.  That would seem to imply that there is a way to do this.
>
> If you find out, please post your results and I will do the same.
>
> Jeff
>
>
> "Sean" <anonymous@discussions.microsoft.com> wrote in message
> news:521801c480ac$285a8e10$a501280a@phx.gbl... 
>
>

[ Post a follow-up to this message ]

This is not supported by IAS.
IAS is an authentication piece of the puzzle, not enforcer

With 802.1x capable switch you can authenticate users/computer before
they're allowed access on the network. That's why you see that
authentication Tab

In the future IAS and DHCP will be integrated more together and this will
allow IAS to decide whether a specific user should get a valid IP or not.
This is part of the NAP (Network access protection) services in the future

HTH

Sam Salhi [MSFT]

--
 ========================================
=====
This posting is provided "AS IS" with no warranties, and confers no
rights.
 ========================================
=====

"Jeff Durham" <jdurham.nospam@cinci.rr.com> wrote in message
news:e1wEmrclEHA.952@TK2MSFTNGP14.phx.gbl...
>I was thinking about this more.  Because you have to enter a list of
>authorized MAC addresses in the first place, there may be a way to
>accomplish what you need with DHCP.  Depending upon the size of your list,
>you could create a reservation for each MAC address thereby utilizing all
>of the addresses in your pool.  This essentially is a static address and
>one might say why use a DHCP server to do this.  With this, you can still
>configure scope options where your clients get assigned all of the other
>attributes from DHCP (DNS, gateway, domain name, etc.).
>
> Jeff
>
>
> "Jeff Durham" <jdurham.nospam@cinci.rr.com> wrote in message
> news:urEJTkclEHA.2224@tk2msftngp13.phx.gbl... 
>
>

[ Post a follow-up to this message ]