>There are DHCP products that require authentication prior to giving out
>a DHCP address and these can be linked to AD.  This can be set up to
>require a user to authenticate before the first IP address is handed

You mean: a machine that has been issued a NAT-based IP at boot time loads a 
GUI and invokes an authentication-based interface which a user must complete in 
order to obtain an Internet IP?

Otherwise, the products you speak of probably don't interface with AD at 
boot time because DHCP leasing happens before AD authentication. In other 
words, the network traffic during DHCP negotiation does not correspond to "AD 
domain membership". Instead, the DHCP Server software can probably look up the MAC 
address of the incoming request and check it against a database of *valid* MAC 
addresses. But these valid MACs don't necessarily mean that a DHCP request is 
coming from a particular machine; after all, one can swap network cards in and 
out of the computer or manually change the MAC address with software.
At some point in the past, Checkpoint was making DHCP Server software which 
allowed you to build a DHCP database of IPs.

Slawek

-----Original Message-----
>From: "Depp, Dennis M." <[EMAIL PROTECTED]>
>Sent: Dec 21, 2005 8:45 AM
>To: Murad Talukdar <[EMAIL PROTECTED]>, [email protected]
>Subject: RE: prevent DHCP server giving out leases to non-domain machines?
>
>There are DHCP products that require authentication prior to giving out
>a DHCP address and these can be linked to AD.  This can be set up to
>require a user to authenticate before the first IP address is handed
>out.  During the renewals you might be able to use the Machine
>authentication to renew an IP address.  
>
>Dennis 
>
>-----Original Message-----
>From: Murad Talukdar [mailto:[EMAIL PROTECTED] 
>Sent: Tuesday, December 20, 2005 9:00 PM
>To: [email protected]
>Subject: prevent DHCP server giving out leases to non-domain machines?
>
>Hi,
>Is there a way to stop a W2003 DHCP server from giving out leases for IP's
>if a machine does not belong to the domain? 
>Or is this a fruitless question that someone simply needs to point out
>something very simple to me.
>
>A machine can't join the domain if it doesn't have an IP first (chicken and
>egg type thing) I can see that but obviously I'm missing something
>here - perhaps it's a question of layers - the domain is working at a 'higher'
>layer?
>Kind Regards
>Murad Talukdar

