Refusing Non domain Computers

[BKGarry]

Hello,

Does anyone know of way, in either DHCP or DNS, to refuse any network access and authentication for any laptops or workstations that are not a part of out Domain.

We are running 2003 server all nice and vanilla.

Gaz

[Geoff]

Buy switches that support 802.1X authentication. Set them up to use the IAS service (same way as a Wifi AP).

[BKGarry]

We have a full HPProcurve backbone including the WAPs just wondering if you could do it with DHCP

Gaz

[Geoff]

It's possible to do it with Secure DHCP. However the stock DHCP server included in w2k3 doesn't do that. You'd need to replace your current W2k3 DHCP/DNS infrastructure with a *nix based one.

Another option would be to set reservations for all your PC's MAC addresses but that's tedious and doesn't protect you at all really. You'd have the same problem as Wifi AP's do with clients running with spoofed MAC addresses.

The 'correct' solution as I've already stated is 802.1X authentication, just like Wifi AP's use. I have no idea if HP Procurves support it, they might.

[fooby]

I have a procurve, will investigate also

[BKGarry]

trying to find out exactly how to do it, if you discover this magic let met know

[ZeroHour]

Yeh sounds good

[DMcCoy]

I've been looking into this today. Its seems like you will need to utilise vlans as well to make the network useful. That way non authenticated machines could access some services. Ghost or RIS for example.

I'm trying to work out ip vlans, ip routing, subnets and 802.1x atm. The section in the procurve manuals is 700+ pages and I'm a bit out of my depth :P

[tarquel]

I hear you there - that stuff baffled me too.

Wheres the trainin' man....wheres the trainin'?

Nath.