Focus on Microsoft
IP address assignment problem Aug 25 2006 07:53AM Davy Davidson (davy_emp hotmail com) (5 replies)
RE: IP address assignment problem Aug 25 2006 07:08PM Jim Harrison (ISA) (Jim Harrison microsoft com)
> I have a little problem and seek your thoughts. Let's assume I'm in a
> very open environment where everyone can very easily try to get his/her
> laptop on the network, IP addresses are assigned by a DHCP server, and
> we are in a domain environment. How do I prevent machines that are not
> part of our domain from being assigned an IP address?

This is a chicken-and-egg problem: since DHCP precedes all meaningful
communication in most networks, this can only be done by denying DHCP
communication beforehand. The clients will need to prove that they are
members of the domain before they are able to get served by a DHCP
server. You can achieve this by using 802.1x throughout your network,
but this will require appropriate equipment.

Mostly, the problem "I do not want to get them a DHCP address" can be
refined as "I do not want them to communicate with any of my domain
members", which can be achieved by, for example, only allowing encrypted
communications (i.e. implementing IPsec) for every domain member. You
should be able to trust the domain authentication mechanisms not to let
just anybody get to your domain machines, providing your password
policy is feasible, your systems are patched and access controls are set
correctly (read: with the least privilege needed).

Denis
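
The IPsec approach described in the reply above is commonly deployed as "domain isolation". The following is an added example, not part of the original thread, using the Windows NetSecurity PowerShell cmdlets, which postdate this 2006 post. The rule names and the 192.0.2.x infrastructure addresses are constructed placeholders.

```powershell
# Added example: domain isolation with IPsec connection security rules.
# Run elevated on a domain member. Rule names and addresses are constructed.
Import-Module NetSecurity

# Constructed placeholder addresses (RFC 5737 documentation range) standing in
# for domain controllers and DNS servers. A member must reach these before it
# holds a Kerberos ticket, so they are exempted from IPsec authentication.
# This is the same chicken-and-egg dependency the reply describes for DHCP.
$infrastructure = @('192.0.2.10', '192.0.2.11')

New-NetIPsecRule -DisplayName 'Isolation - exempt infrastructure' `
    -RemoteAddress $infrastructure `
    -InboundSecurity None -OutboundSecurity None

# Main-mode authentication: the computer proves domain membership with its
# Kerberos machine credential, so no per-host keys or certificates are needed.
$kerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet `
    -DisplayName 'Isolation - computer Kerberos' -Proposal $kerberos

# Roll out with inbound 'Request' first so a missed exemption does not cut
# hosts off, confirm that security associations form, then set 'Require'.
$inboundMode = 'Request'   # switch to 'Require' once verified

New-NetIPsecRule -DisplayName 'Isolation - domain members' `
    -Profile Domain `
    -Phase1AuthSet $authSet.Name `
    -InboundSecurity $inboundMode -OutboundSecurity Request

# Verification: list main-mode security associations negotiated with peers.
Get-NetIPsecMainModeSA | Format-Table -AutoSize

# With inbound set to 'Require', a machine outside the domain can still obtain
# a DHCP lease, but members refuse its unauthenticated inbound connections.
```
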