Prevent rogue machines accessing internet on wired network in 2003 AD domain
I have an AD domain (W2K3) which has a DHCP server leasing addresses. What I would like to do is prevent someone who plugs their laptop's network cable into a network jack from accessing the internet once they have received DHCP settings (i.e. their laptop network card is set to obtain settings automatically). I am happy with the wireless connection; I want to sort out the wired network now.
I know they won't be able to join the domain, but what are some of the ways I could prevent them from accessing the internet (I would still like to provide internet access to valid domain users/computers)? I think an 802.1x / RADIUS implementation would be one such method.
I would like students in the training room to be able to learn on their own laptops if they so wish, and I know someone will try it at some stage when staff are not around, so I would like to remain one step ahead of them.
Has anybody had to deal with such a scenario before, and what solution did you implement? Thanks.
Comments
Everyone (Member, Posts: 1,661):
One option would be a Web Proxy that requires authentication. Users that are logged into the domain won't notice anything. Anyone not authenticated with the domain will be prompted to enter a username and password when trying to get to the web.
802.1x is probably an even better option though. With that you can prevent unauthorized devices from accessing anything on your network. Great for security.
it_consultant (Member, Posts: 1,903):
> I have an AD domain (W2K3) which has a DHCP server leasing addresses. What I would like to do is prevent someone that plugs their laptop network cable into a network jack and accessing the internet once they have received DHCP settings (i.e. their laptop network card is set to obtain settings automatically). I am happy with the wireless connection, I want to sort the wired network now.
> I know they won't be able to join the domain, but what are some of the ways I could prevent them from accessing the internet (I would still like to provide internet access to valid domain users/computers). I think 802.1x / RADIUS implementation would be one such method.
> I would like students in the training room to be able to learn on their own laptops if they so wish, and I know someone will try it at some stage when staff are not around, would like to remain one step ahead of them.
> Anybody have to deal with such a scenario before and what solution did you implement. Thanks.
If you have managed switches you can go old school and simply shut your unused switchports down. If you want to prevent people from unplugging a legit computer and plugging theirs in, then 802.1x on the switch level is the way to go.
KenC (Member, Posts: 131):
Thanks for the suggestions. In truth I never even considered the Web Proxy as an option, which is why forums like this have real value. Further suggestions welcome.

ptilsen (Member, Posts: 2,835):
I would say 802.1x is definitely your best bet.
shaqazoolu (Member, Posts: 259):
As an alternative to the previously mentioned suggestion of shutting down unused switchports, you could also use port security. This of course heavily depends on whether your infrastructure hardware even supports port security. However, if this is in an environment where the MAC address that you want using that port changes frequently (as in a training room setting, like it sounds), it will probably be more trouble than it is worth.
qcomer (Member, Posts: 142):
RADIUS/802.1x
I already use it here (Microsoft NPS Server) for our managed wireless, so setting it up for desktops would be nice too. Pretty easy to set up too.
KenC (Member, Posts: 131):
> RADIUS/802.1x
> I already use it here (Microsoft NPS Server) for our managed wireless so setting it up for desktops would be nice too. Pretty easy to setup too.
It is for a Server 2003 environment; any experiences with that? I've never worked with IAS, but I'm pretty sure I set up SBS 2003 as a RADIUS server (it has been a while, so I'm a bit rusty).
qcomer (Member, Posts: 142):
> It is for Server 2003 environment, any experiences with that? I've never worked with IAS, but I'm pretty sure I set up SBS 2003 as a RADIUS server (it has been a while so a bit rusty).
NPS and IAS are almost identical. You could pretty much follow along a guide for either, changing a few key phrases and words, and set up either one with the opposite guide. I had never set up NPS before the beginning of summer and I didn't even need the guide; it worked very well.
Devilsbane (Member, Posts: 4,214):
> I would say 802.1x is definitely your best bet.
+1
Typically used to protect a wifi network, but it doesn't have to be. Take a look at "Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" (Microsoft Download Center).
Decide what to be and go be it.
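As an added example (not from any poster in this thread), here is what the three switch-side options suggested above look like on one access switch: shutting unused ports, port security, and 802.1x against the Server 2003 IAS RADIUS server. Cisco IOS syntax, the interface names, VLAN numbers, the RADIUS address 192.0.2.10 and the shared secret are all assumptions, since the thread never names the switch vendor.

```cisco
! Constructed example: Cisco IOS syntax assumed; interface names, VLANs,
! the RADIUS address 192.0.2.10 and the shared secret are placeholders.
!
! 1. "Old school" (it_consultant): shut every unused port and park it in an
!    unused VLAN, so a cable plugged into a spare jack gets nothing at all.
vlan 999
 name PARKING
interface range GigabitEthernet1/0/20 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 2. Port security (shaqazoolu) on a fixed staff PC: the first MAC learned is
!    kept (sticky); frames from any other MAC are dropped and counted. Poor fit
!    for training-room ports, where the attached MAC changes all the time.
interface GigabitEthernet1/0/13
 description STAFF-PC
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 3. 802.1X with the Server 2003 IAS box as RADIUS server. Add the switch as a
!    RADIUS client in IAS with the same shared secret. "aaa authentication login
!    default local" keeps console/VTY logins working once aaa new-model is on.
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Training-room ports: the port passes only EAPOL until a supplicant authenticates,
! so a personal laptop with no domain credentials never even reaches DHCP, while a
! domain-joined machine authenticates (e.g. with its computer account) and passes.
interface range GigabitEthernet1/0/1 - 12
 description TRAINING-ROOM
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
!
! Verify: "show dot1x interface GigabitEthernet1/0/1" shows the authorization
! state; "show port-security interface GigabitEthernet1/0/13" the learned MAC.
```

The Windows side still needs the IAS remote access policy that allows the domain computers/users group over EAP, and the wired supplicant enabled on the clients (the "Wired AutoConfig" service on XP SP3 and later), as the Microsoft guide linked above walks through.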