Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 5:53pm On Jun 05, 2007 |
Hello all, I need help with something: I want to restrict non-domain computers from obtaining IP addresses on my network. I use Cisco 2950 switches with a 2800 series ISR router. I really need this, can someone help? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:07am On Jun 06, 2007 |
For a computer to successfully join a domain, it means it has a valid IP address. A system without a valid IP or with no IP configuration cannot be joined into a domain. Thus, DHCP servers issue IP configuration to any system that sends an "IP configuration request" on the network segment where the server is located. Thus, you can't restrict which system receives an IP or not. The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.) |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by wormedup(m): 12:13pm On Jun 06, 2007 |
if u use static IP addressing then u could disable DHCP i think |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 7:10pm On Jun 06, 2007 |
Maleeq: First of all, what is a valid IP address? An address request would be made if the network card of the system is configured to automatically obtain valid IP addresses.
Maleeq: I believe there is a way.
Maleeq: Something close to that was considered, but we have 200+ systems. What we wanted to do was to get the MAC addresses of all the systems and put them into the MAC address table for all the switches we have on the domain, so the switches allow DHCP requests against the MAC address table in the switch. This has to be done on like 5 switches as we do not use VTP. Please note we run MS Active Directory and the domain controller is the DHCP server, so it has to be an Active Directory thing; hardware is out of it already. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 7:11pm On Jun 06, 2007 |
wormedup: That is totally out of line. Static addresses for 200-plus systems? Then what the hell do we have a DHCP server for? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 2:10am On Jun 07, 2007 |
lordimpaq: What I meant by "valid IP address" is that the IP address on the system matches your network's scheme, and thus they can communicate. Check this: 192.168.1.0/24 could be considered invalid on a 192.168.2.0/24 network scheme.
lordimpaq: Please, let us know when you find a way around this, if you find a way!
lordimpaq: It is "technically" the same thing if you create reservations on the DHCP server or you use the MAC address table on the switches approach. Bottom line is that YOU WILL NEED TO GET THE PHYSICAL (MAC) ADDRESSES OF ALL THE SYSTEMS. Though not efficient, but if you feel comfortable with this approach, carry on. It would be easier to maintain than the switches' MAC address table approach.
It's only logical; follow these questions/answers (you provide answers too) to see why it's not feasible (with current technology at least):
Q - Why does a system request an IP config?
A - It does not have a configuration already set and it's set to AUTO config.
Q - To join a domain, the system MUST be able to contact the Domain Controller (DC). How does it do this?
A - It must have a valid IP to get to the DC.
Q - How does it pick up a valid IP?
A - Either manually configured or assigned by the DHCP server. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by kayodus(m): 3:19am On Jun 07, 2007 |
Set up an ARP server. That helps to obtain the hardware address of the system requesting an IP. Also try naming the systems in your network; it helps a great deal in handling unwarranted connection to your domain. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 3:15pm On Jun 07, 2007 |
kayodus: I'm assuming the ARP server would have to be a member of the domain, and sorry but I'm asking, I never knew there was an ARP server. Now that I know, I'll check up on it. My understanding of ARP is that it is being handled by the router, on which you can check address resolutions. Anyway, thanks. Is there any software I can use? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 5:16pm On Jun 07, 2007 |
Guys, can anyone help me with how I can get an ARP server up and running? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 2:22am On Jun 08, 2007 |
Maleeq: Have you considered scripting? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:23am On Jun 08, 2007 |
Kpop-Ham: Wow, I never knew scripts could make "PHYSICAL" visits to systems to be joined into a domain! Scripting would only work when the systems are connected and assigned IPs, but then it would be unnecessary because you can simply query the ARP table to get the IP-to-MAC resolutions. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:44am On Jun 08, 2007 |
An ARP server is used to intercept and reply to requests from hosts on a physical network segment for other hosts' MAC addresses, mostly on ATM (Asynchronous Transfer Mode) networks. It would still be irrelevant to your cause here because the ARP server must already have the IP-to-MAC resolutions in its unit tables, plus your network is TCP/IP not ATM and we don't have any IP yet. ARP servers are used to implement IP over ATM. Check this link out for a full description of the ARP server: ARP Server Patents Description |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 1:44am On Jun 09, 2007 |
Maleeq, welcome to scripting technologies; you could write a script that retrieves all your computer names from Active Directory and then methodically connects to each of those computers, checking to see if that MAC address can be found - two kobo. Better still, here's a network tool: 'CC Get MAC Address', which you can download from http://www.youngzsoft.net. Good luck. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 7:17am On Jun 09, 2007 |
Kpop-Ham: I have been a Systems Administrator for about 2 years now. I know the power of scripting. Obviously, you know it too, but you seem not to understand what the poster needs here. Tell me:
- How would you query the AD to retrieve information about a system not yet on that domain?
- How would you "methodically connect" to a system without a valid IP assigned to it yet?
- How would you retrieve a MAC address without being able to reach the system via an IP address?
Try this: if you have a network, take one system out and clear its IP config. Purge the ARP cache. Then use your CC Get MAC or write any script to retrieve the MAC address or system name. Let me know when you succeed.
Kpop-Ham: Excerpt from the link you gave: "CC Get MAC Address is a handy tool for finding MAC address and computer name from IP address." For your "CC Get MAC Address" software tool to work, the systems MUST already have an IP address! The poster here does not want to assign IPs to unauthorized systems. How then would your tool/script work? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 8:23am On Jun 09, 2007 |
Maleeq, this is beginning to sound like 'phone tag'. Okay; you had mentioned previously "The only 'un-realistic' approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems" . . . and so, I'm inclined to think that this dude has pretty much solved this puzzle except for his problem of having to go round 100 network cards (that are already on the network with valid IP addresses) to get their MAC addresses, so that he can implement his well-thought-out solution of creating reservations and taking out unused IPs. See? I know what the poster is looking for, and you have already started solving it. I'm only enabling you to help the poster, DIG? Speaking of which: if the technology weren't available to find those MAC addresses and it meant physically visiting those 100+ systems to get the darn MAC addresses - then so be it. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 9:24am On Jun 09, 2007 |
@Kpop-Ham Okay, maybe I didn't state completely what I meant in that quote.
@poster Yes, scripting would work if all the systems currently on your network are those you want (those on your domain). You could retrieve their MAC addresses via scripts and then create reservations via scripts. Remove unused IPs afterwards. |
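The procedure described in the post above (collect MAC addresses from the ARP table, then script the reservations), as an added example that is not part of the original thread. It assumes Windows-format `arp -a` output and a name-to-IP list of domain computers, both constructed here, and it only prints `netsh dhcp server scope ... add reservedip` lines for review; the function names are hypothetical.

```python
import re

# Constructed sample: `arp -a` output as printed by a Windows host on 192.168.2.0/24.
ARP_OUTPUT = """
Interface: 192.168.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.21          00-1a-2b-3c-4d-01     dynamic
  192.168.2.22          00-1a-2b-3c-4d-02     dynamic
  192.168.2.77          00-de-ad-be-ef-77     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: domain computers and the addresses their names resolve to
# (assumption: in practice this is exported from Active Directory and DNS).
DOMAIN_HOSTS = {"PC-ACCT-01": "192.168.2.21", "PC-ACCT-02": "192.168.2.22",
                "PC-HR-01": "192.168.2.30"}

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I | re.M)

def parse_arp(text):
    """Return {ip: mac} for unicast dynamic entries; MAC as 12 hex digits."""
    table = {}
    for ip, mac, kind in ROW.findall(text):
        raw = mac.replace("-", "").lower()
        # Skip static rows and group addresses (low bit of the first octet set).
        if kind.lower() != "dynamic" or int(raw[:2], 16) & 1:
            continue
        table[ip] = raw
    return table

def plan_reservations(arp_text, domain_hosts, scope):
    """Split the ARP table into netsh reservations, unknown hosts and unseen members."""
    arp = parse_arp(arp_text)
    by_ip = {ip: name for name, ip in domain_hosts.items()}
    commands, unknown = [], []
    for ip, mac in sorted(arp.items()):
        if ip in by_ip:
            commands.append(f'netsh dhcp server scope {scope} add reservedip '
                            f'{ip} {mac} {by_ip[ip]} "domain member" DHCP')
        else:
            unknown.append((ip, mac))  # on the wire but not a listed domain computer
    offline = sorted(n for n, ip in domain_hosts.items() if ip not in arp)
    return commands, unknown, offline

if __name__ == "__main__":
    cmds, unknown, offline = plan_reservations(ARP_OUTPUT, DOMAIN_HOSTS, "192.168.2.0")
    print("\n".join(cmds))
    print("review before excluding:", unknown, "| no MAC collected yet:", offline)
```

Reservations with the unused addresses removed only control what the DHCP server hands out; a machine configured with a manual address in the right subnet is unaffected, which is where the port-level controls raised later in the thread (DHCP snooping, 802.1X) come in.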
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 5:43pm On Jun 09, 2007 |
All Correct. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 6:31pm On Jun 11, 2007 |
If there is a script to do this, can someone please send it to me? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 8:37am On Jun 12, 2007 |
Let me write one out for ya. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by 2old4that(m): 7:55pm On Oct 13, 2007 |
How can I recover my Cisco 3845 router having enabled NO PASSWORD RECOVERY MODE...? NOTE: The problem is the router is not accepting break keys during the booting process. |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by kanna84: 2:10pm On Mar 04, 2010 |
Contact your services providers and domain sellers, Also try this site http://www.thewebpole.com/ for your safest domain with your pc s, also they provides some more free services from here @ reliable costs, |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by saviola77(m): 4:42pm On Mar 05, 2010 |
Ever heard of DHCP snooping? |
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by mistern: 8:44pm On Feb 09, 2011 |
Hello, what you are looking for is called 802.1x. http://en.wikipedia.org/wiki/IEEE_802.1X It can be done via a managed switch (such as Cisco Catalyst), a RADIUS server (such as Cisco ACS or MS IAS) and a user authentication database (such as MS Active Directory). Hope this helps. |