OT: DHCP IP address lockdown
fs at WPI.EDU
Thu Dec 8 19:20:32 UTC 2011
On 12/08/2011 02:07 PM, Paul Reilly wrote:
> This is slightly off-topic, but I'm guessing people here will know the answer.
> We have a large DHCP pool, and 99% of people use the IP we allocate them, but
> some statically assign whatever IP they want to their machines. We cannot lock
> down the client machines as they can be anything (linux, mac, windows, mobile
> etc). We are using 802.1x so users authenticate to access the network. I know
> we can lock our cisco ports down to a single MAC address, but this doesn't
> prevent a person setting their own IP address manually. How do others solve
> this problem? Can it be solved at the network level? I want users to only
> get network access using the IP address we assign them.
That's not a problem that can be solved via DHCP directly. There are two
general ways I could see solving it.
The first is that since you're already requiring 802.1x, you may be able to
leverage that. Some implementations allow you to set various enforcement
policies that must be met before they can get on the network, such as patch
levels or virus scanner installation. This is especially true of some third
party 1x clients.
Alternatively, depending on your edge switch vendor, they may have features to
enforce usage of DHCP on clients. They snoop DHCP transactions, and filter
out traffic from a given MAC until it successfully gets an IP address from a
DHCP server via a trusted uplink port. Ideally, it will also include some
form of IP/ARP inspection to ensure that the machine uses only its DHCP
assigned IP address.
But a strictly DHCP server side solution - no luck there, as it's simply not
located in the right data path to do anything.
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
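The edge-switch approach described in the reply (snoop DHCP on untrusted user ports, trust only the uplink, then enforce the learned IP/MAC binding with IP Source Guard and Dynamic ARP Inspection) looks roughly like this on a Cisco Catalyst running IOS. This is an added illustration, not configuration from the original post or its author; the VLAN number, interface names, and rate limit are assumed placeholders to adapt to the local design.

```ios
! --- Global: learn IP/MAC bindings from DHCP on the user VLAN (VLAN 10 is assumed) ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop option-82 insertion unless the DHCP server is configured to expect it
no ip dhcp snooping information option
!
! Dynamic ARP Inspection checks every ARP packet on untrusted ports
! against the snooping binding table, so a host cannot answer ARP for
! an address it was not assigned
ip arp inspection vlan 10
!
! --- Uplink towards the DHCP server/relay: the only trusted path for DHCP replies ---
interface GigabitEthernet1/0/48
 description uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User-facing access port: untrusted until a lease is seen from the uplink ---
interface GigabitEthernet1/0/1
 description user port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Limit DHCP packets per second so a host cannot flood the binding table
 ip dhcp snooping limit rate 15
 ! IP Source Guard: permit only IP traffic whose source IP *and* MAC match a
 ! binding learned via DHCP snooping; a statically set address is dropped.
 ! Requires port-security on the interface for the MAC half of the check.
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
!
! --- Verification after a client obtains a lease ---
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet1/0/1
! show ip arp inspection statistics vlan 10
```

A practitioner rolling this out would enable `ip dhcp snooping` and the trusted uplink first and watch `show ip dhcp snooping binding` populate before adding `ip verify source`; enabling source guard before the binding table is filled cuts off every host that already holds a lease, since existing leases are not in the table until they renew. Hosts with genuinely static addresses (printers, servers on the same VLAN) need an `ip source binding` entry so they are not filtered.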