OT: DHCP IP address lockdown

Randall C Grimshaw rgrimsha at syr.edu
Fri Dec 9 12:34:31 UTC 2011

The Cisco 802.1x wireless controller has three settings... essentially to block dhcp, allow dhcp & static, and enforce dhcp - dhcp must originate from the listed servers ala snooping. I would have to refer you to the tech for more detail. We enforce the use of our DHCP servers on wireless (not in proxy mode).

Regarding the dhcp/firewall portal solution, we used this for a while and it was mostly successful. It was still possible to statically configure for an in-use address and frustrate the originator who might then curse the network and take a break... allowing the squatter to have network access for the remainder of the lease. Not often seen but this and all of the other 'open wireless' exposures still apply. You will also hit the scalability wall with the gateway as your device count and bandwidth demand increases. Merry Christmas, WiFi enabled devices will replace the proverbial bad-tie. This explosion will also be the driver for IPv6 adoption.

On the wire, you must implement dhcp snooping at minimum - this has been a lifesaver. It is still possible to statically configure. Pre-MacAuth-VLAN steering, we originally built our NAC to register a machine and program the switch to bind the mac to the port... binding was never implemented due to support paranoia and the maintenance overhead of un-binding etc. Instead we used automated ARP table monitoring and manual chasing (administrative port locking). What we eventually purchased uses dynamic layer-3 routing so that even if statically configured, the squatter machine is redirected to an authentication page. Layer-2 ...

By the time IPv6 is widely implemented I believe 802.1x on the wire will be the norm.

Randall Grimshaw rgrimsha at syr.edu
From: dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org [dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org] on behalf of Valery Soldatov [vssold at gmail.com]
Sent: Friday, December 09, 2011 6:01 AM
To: Users of ISC DHCP
Subject: Re: OT: DHCP IP address lockdown

we use Option 82 and a simple script. The script adds address to
Alowed Table in firewall (firewall works on the same server with ISC
DHCPD). Another script (3-4 lines) refreshes this table, or deletes
address from it on timeout-release event. So, static-configured
addresses can not pass through.

Valeriy Sol.

2011/12/8 Paul Reilly <astropaul at gmail.com>:
> Hello,
> This is slightly off-topic, but I'm guessing people here will know the
> answer.
> We have a large DHCP pool, and 99% of people use the IP we allocate them,
> but some statically assign whatever IP they want to their machines. We
> cannot lock down the client machines as they can be anything (linux, mac,
> windows, mobile etc).  We are using 802.1x so users authenticate to access
> the network.I know we can lock our cisco ports down to a single MAC address,
> but this doesn't prevent a person setting their own IP address manually. How
> do others solve this problem?  Can it be solved at the network level?  I
> want users to only get network access using the IP address we assign them.
> Thanks.
> Paul
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
dhcp-users mailing list
dhcp-users at lists.isc.org

More information about the dhcp-users mailing list