I'd also look into domain isolation: 
http://technet.microsoft.com/en-us/network/bb545651

As explained by Steve Riley and Jesper Johansson, it prevents a flaw in 802.11x 
on wired networks.

-----Original Message-----
From: Matthew W. Ross [mailto:[email protected]] 
Sent: Tuesday, February 21, 2012 1:23 PM
To: NT System Admin Issues
Subject: Re: Limiting DHCP

802.11x authentication looks awesome, but all of my (admittedly amateur) 
experiments to try to implement it have failed me. I'd be very interested in 
hearing success stories of this solution.


--Matt Ross
Ephrata School District


----- Original Message -----
From: Steve Kradel [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Tue, 21 Feb 2012 10:34:55 -0800
Subject: Re: Limiting DHCP


> Look into 802.11x authentication... or at least filter whitelisted 
> MACs at the router.  DHCP is not any kind of access control mechanism.
> 
> --Steve
> 
> On Tue, Feb 21, 2012 at 1:17 PM, Jonathan Link 
> <[email protected]>
> wrote:
> > I think he's wanting to prevent anyone from connecting to his 
> > network by just plugging in anywhere, with any device...
> >
> >
> > On Tue, Feb 21, 2012 at 12:54 PM, Michael B. Smith 
> > <[email protected]>
> > wrote:
> >>
> >> Isn’t the DMZ a separate network segment? It should be….
> >>
> >>
> >>
> >> From: Evan Brastow [mailto:[email protected]]
> >> Sent: Tuesday, February 21, 2012 12:35 PM
> >> To: NT System Admin Issues
> >> Subject: Limiting DHCP
> >>
> >>
> >>
> >> Hi all,
> >>
> >>
> >>
> >> I've recently set up a wireless router in the DMZ on our firewall. 
> >> This will allow consultants, salesmen, etc... to have a connection 
> >> to the Internet when they come in, with no connection to our network.
> >>
> >>
> >>
> >> Now, however, in order to take the final step in this process and 
> >> be sure someone can't just plug into a network port, it would seem 
> >> I need to do one of two things:
> >>
> >>
> >>
> >> 1) Stop our DHCP server and give all network devices (less than 50 
> >> or so) static IPs.
> >>
> >>
> >>
> >> or
> >>
> >>
> >>
> >> 2) Restrict DHCP to only listed MAC addresses.
> >>
> >>
> >>
> >> So, my questions are - which of these two would be easier (does it 
> >> really make much difference?) or is there a third option I don't see?
> >>
> >>
> >>
> >> Thanks, as always :)
> >>
> >>
> >>
> >> Evan
> >>
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
> 
> 
