Prevent rogue machines accessing internet on wired network in 2003 AD domain

KenC Member Posts: 131
I have an AD domain (W2K3) which has a DHCP server leasing addresses. What I would like to do is prevent someone who plugs their laptop network cable into a network jack from accessing the internet once they have received DHCP settings (i.e. their laptop network card is set to obtain settings automatically). I am happy with the wireless connection; I want to sort the wired network now.

I know they won't be able to join the domain, but what are some of the ways I could prevent them from accessing the internet (I would still like to provide internet access to valid domain users/computers)? I think an 802.1x / RADIUS implementation would be one such method.

I would like students in the training room to be able to learn on their own laptops if they so wish, and I know someone will try it at some stage when staff are not around, so I would like to remain one step ahead of them.

Has anybody had to deal with such a scenario before, and what solution did you implement? Thanks.

Comments

  • Everyone Member Posts: 1,661
    One option would be a Web Proxy that requires authentication. Users that are logged into the domain won't notice anything. Anyone not authenticated with the domain will be prompted to enter a username and password when trying to get to the web.

    802.1x is probably an even better option though. With that you can prevent unauthorized devices from accessing anything on your network. Great for security.
  • it_consultant Member Posts: 1,903
    KenC wrote: »
    I have an AD domain (W2K3) which has a DHCP server leasing addresses. What I would like to do is prevent someone who plugs their laptop network cable into a network jack from accessing the internet once they have received DHCP settings (i.e. their laptop network card is set to obtain settings automatically). I am happy with the wireless connection; I want to sort the wired network now.

    I know they won't be able to join the domain, but what are some of the ways I could prevent them from accessing the internet (I would still like to provide internet access to valid domain users/computers)? I think an 802.1x / RADIUS implementation would be one such method.

    I would like students in the training room to be able to learn on their own laptops if they so wish, and I know someone will try it at some stage when staff are not around, so I would like to remain one step ahead of them.

    Has anybody had to deal with such a scenario before, and what solution did you implement? Thanks.

    If you have managed switches you can go old school and simply shut your unused switchports down. If you want to prevent people from unplugging a legitimate computer and plugging theirs in, then 802.1x at the switch level is the way to go.
  • KenC Member Posts: 131
    Thanks for the suggestions; in truth I never even considered a web proxy as an option, which is why forums like this have real value. Further suggestions welcome.
  • ptilsen Member Posts: 2,835
    I would say 802.1x is definitely your best bet.
  • shaqazoolu Member Posts: 259
    As an alternative to the previously mentioned suggestion of shutting down unused switchports, you could also use port security. This of course depends heavily on whether your infrastructure hardware even supports port security. However, if this is an environment where the MAC address that you want using a given port changes frequently (as in a training room setting, which is what it sounds like), it will probably be more trouble than it is worth.
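    A switch-side version of the port-level controls suggested in this thread (shutting unused ports or applying 802.1x, with port security as the alternative), added here as an illustration; it is not from any of the posts above. It assumes a Cisco IOS access switch using IAS on the Windows Server 2003 domain controller as its RADIUS server; the interface names, VLAN numbers, RADIUS address and shared secret are placeholders.

    ```cisco
    ! --- Global: point the switch at IAS on the W2K3 domain controller (RADIUS) ---
    aaa new-model
    aaa authentication dot1x default group radius
    ! 10.0.0.10 and the key are placeholders; the key must match the RADIUS client entry in IAS
    radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key CHANGE-ME-SHARED-SECRET
    dot1x system-auth-control
    !
    ! --- Option 1 (it_consultant): unused jacks stay administratively down ---
    interface range FastEthernet0/20 - 24
     description unused - training room
     switchport mode access
     shutdown
    !
    ! --- Option 2 (it_consultant): 802.1x on a jack that legitimate domain PCs use ---
    ! A domain-joined PC with the wired 802.1x supplicant enabled authenticates via IAS;
    ! a walk-in laptop with no domain credentials never reaches VLAN 10.
    interface FastEthernet0/1
     description training room jack 1 - staff PC
     switchport mode access
     switchport access vlan 10
     dot1x pae authenticator
     dot1x port-control auto
     ! Optional: unauthenticated devices land in VLAN 99 instead of staying blocked.
     ! VLAN 99 must have no route to the internet, or it defeats the purpose.
     dot1x guest-vlan 99
    !
    ! --- Option 3 (shaqazoolu): port security for a jack whose device rarely changes ---
    ! The first MAC seen is learned (sticky); a second MAC shuts the port. The violation
    ! is logged and the port goes err-disabled, which is the signal staff can watch for.
    interface FastEthernet0/2
     description reception PC - fixed device
     switchport mode access
     switchport access vlan 10
     switchport port-security
     switchport port-security maximum 1
     switchport port-security mac-address sticky
     switchport port-security violation shutdown
    ```

    Check the result with `show dot1x interface FastEthernet0/1` and `show port-security interface FastEthernet0/2`. Port security is confined to the fixed-device jack here for exactly the reason given above: in a training room where MACs change often it generates more err-disabled ports than protection.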
  • qcomer Member Posts: 142
    RADIUS/802.1x

    I already use it here (Microsoft NPS Server) for our managed wireless, so setting it up for desktops would be nice too. Pretty easy to set up as well.
  • KenC Member Posts: 131
    qcomer wrote: »
    RADIUS/802.1x

    I already use it here (Microsoft NPS Server) for our managed wireless, so setting it up for desktops would be nice too. Pretty easy to set up as well.

    It is for a Server 2003 environment; any experiences with that? I've never worked with IAS, but I'm pretty sure I set up SBS 2003 as a RADIUS server (it has been a while, so I'm a bit rusty).
  • qcomer Member Posts: 142
    KenC wrote: »
    It is for a Server 2003 environment; any experiences with that? I've never worked with IAS, but I'm pretty sure I set up SBS 2003 as a RADIUS server (it has been a while, so I'm a bit rusty).

    NPS and IAS are almost identical. You could pretty much follow a guide for either, changing a few key phrases and words, and set up either one with the opposite guide. I had never set up NPS before the beginning of summer and I didn't even need the guide; it worked very well.
  • Devilsbane Member Posts: 4,214
    ptilsen wrote: »
    I would say 802.1x is definitely your best bet.

    +1

    Typically used to protect a Wi-Fi network, but it doesn't have to be. Take a look at: Download: Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows - Microsoft Download Center - Download Details