Re: IP address assignment problem

Davy Davidson wrote:

> I have a little problem and seek for ur thoughts, let's assume I'm in a 
> very open environment where everyone can very easily try to get his/her 
> laptop on the network and IP addresses are assigned by a DHCP server and 
> we are in a domain environment, how do I prevent machines that are not 
> part of our domain to be assigned an IP address?

This is a chicken-egg-problem: Since DHCP is preceding all meaningful 
communication in most networks, this only can be done by denying DHCP 
communication beforehand. The Clients will need to prove that they are 
members of the domain before they are able to get served by a DHCP 
server. You can achieve this by using 802.1x throughout your network, 
but this will require appropriate equipment.

Mostly, the problem "I do not want to get them a DHCP address" can be 
refined as "I do not want them to communicate with any of my domain 
members" which can be achieved by for example only allowing encrypted 
communications (i.e. implementing IPSEC) for every domain member. You 
should be able to trust the domain authentication mechanisms not to let 
just anybody to get to your domain machines, providing your password 
policy is feasible, your systems are patched and access controls are set 
correctly (read: with the least privelege needed).

Denis

---------------------------------------------------------------------------
---------------------------------------------------------------------------