Davy Davidson wrote:
I have a little problem and seek your thoughts. Let's assume I'm in a very open environment where everyone can very easily try to get his/her laptop on the network, IP addresses are assigned by a DHCP server, and we are in a domain environment. How do I prevent machines that are not part of our domain from being assigned an IP address?
This is a chicken-and-egg problem: since DHCP precedes all meaningful communication in most networks, this can only be done by denying DHCP communication beforehand. The clients will need to prove that they are members of the domain before they can be served by a DHCP server. You can achieve this by using 802.1X throughout your network, but this will require appropriate equipment.
Mostly, the problem "I do not want to give them a DHCP address" can be refined as "I do not want them to communicate with any of my domain members", which can be achieved by, for example, only allowing encrypted communications (i.e. implementing IPsec) for every domain member. You should be able to trust the domain authentication mechanisms not to let just anybody get to your domain machines, provided your password policy is feasible, your systems are patched, and access controls are set correctly (read: with the least privilege needed).
Denis
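The "only domain members may talk to domain members" approach Denis describes, as an added example that is not from the original thread: a Windows Firewall with Advanced Security configuration (run on the domain members, or distributed via Group Policy) that requires Kerberos computer authentication for inbound traffic while still letting DHCP through, since a client cannot authenticate before it has an address. The display names are assumptions; the cmdlets are the standard NetSecurity module ones.

```powershell
# Domain isolation via IPsec on a Windows domain member (example, not from the thread).
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later.

# 1. Authentication proposal: prove machine identity with Kerberos, which only
#    domain-joined computers can do. No pre-shared key, so a stray laptop cannot
#    simply copy a secret out of a GPO.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Computer Kerberos' `
                                      -Proposal $proposal

# 2. Connection security rule:
#    - Inbound  = Require : unauthenticated hosts are dropped, not just unencrypted.
#    - Outbound = Request : we still reach printers, the DHCP server, the internet.
#    Use -OutboundSecurity Require on hosts that should talk ONLY to domain members.
New-NetIPsecRule -DisplayName 'Domain Isolation (require inbound auth)' `
                 -Profile Domain `
                 -InboundSecurity Require `
                 -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.Name

# 3. The chicken-and-egg part: a booting client has no address and no Kerberos
#    ticket yet, so DHCP must be exempt from the IPsec requirement or nobody
#    (domain member or not) ever gets on the network.
Set-NetFirewallSetting -Exemptions Dhcp

# 4. Verify what was installed. The rule should show Enabled=True and the
#    Phase1AuthSet should reference the Kerberos proposal created above.
Get-NetIPsecRule -DisplayName 'Domain Isolation (require inbound auth)' |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Phase1AuthSet
```

Note that this stops foreign machines from reaching domain members; it does not stop the DHCP server from leasing them an address, which, as the reply says, needs 802.1X on the switches.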
