Exploding Garrmondo Weiner Interactive Swiss Army Penis


PUG1911 Jun 8, 2006 10:21 PM

DHCP authentication.
 
What are some of the ways that you might go about ensuring that a DHCP server only gives an IP to client machines that you wish?

Anyone have some stories about having to do such things? What would you recommend, and why? Any DHCP server that you prefer, and why? Thanks.

Magic Jun 8, 2006 11:28 PM

Not sure if this counts, but I've configured an Apple Airport which distributes IP addresses to machines connected to it. I know you can specify a range of addresses, but I don't think you can specifically match an IP to a machine. I suppose if you had something that assigned IP addresses based on each computer's MAC address you could do this, but I'm not sure.

Yume Jun 10, 2006 07:12 AM

DHCP can be a tricky business. Firstly, you may set a static IP address on the computers you want on your network. This means that each computer is manually set up with an IP address you state. Using dynamic IP address allocation means you create an IP address range for computers to connect to directly.

Now, the idea of DHCP is you can connect any computer to a network that is running a DHCP server and it will hand out IP addresses if the computer hasn't already been set with a static IP address. The problem you have, PUG, is you want to assign specific IP addresses to computers on a network and, as luck would have it, you can do just that. It is done using the MAC address from the computers you have on your network, and if your DHCP supports MAC address allocation (most do these days) you can assign an IP address to a MAC address.

For an example, if you have 5 computers at home, you would set the DHCP scope to have a range of 5 IP addresses (this is not taking into account any other devices that may need an IP address). After collecting the MAC address from each computer, you would enter those MAC addresses into the DHCP MAC allocation and it would force the IP addresses you want to those MAC addresses.

The only drawback here is if someone comes along with their laptop and manually sets their own static IP address, they can gain access to your network. Good news is if they enter an IP address you have set in the DHCP scope, it won't work since the laptop's MAC address won't match. But if an IP address that is not in your scope is entered, then access is possible.

Setting aside CISCO DHCP servers, normal DHCP servers would have to be entered with a full range of 'fake' MAC addresses to all possible IP addresses that can be done on your network.

Example Network with DHCP:

Range: 192.168.1.1 - 192.168.1.254 (subnet mask: 255.255.255.0)

In this situation, 254 computers could be connected and for this example, we will have a DHCP scope of 10 computers ranging between 192.168.1.1 - 192.168.1.10. You set the DHCP scope with MAC addresses (shown below) and now those IP addresses have been allocated to those MAC addresses.

Example MAC Address Table:
1. 00:00:00:00:00:0A - 192.168.1.1
2. 00:00:00:00:00:0B - 192.168.1.2
3. 00:00:00:00:00:0C - 192.168.1.3
4. 00:00:00:00:00:0D - 192.168.1.4
5. 00:00:00:00:00:0E - 192.168.1.5
6. 00:00:00:00:00:1A - 192.168.1.6
7. 00:00:00:00:00:1B - 192.168.1.7
8. 00:00:00:00:00:1C - 192.168.1.8
9. 00:00:00:00:00:1D - 192.168.1.9
10. 00:00:00:00:00:1E - 192.168.1.10

To prevent manually set IP addresses, you would need to fill the other IP addresses with 'fake' MAC addresses so that the DHCP server will only assign those IP addresses with the MAC addresses you have entered.

As for recommending a DHCP server, CISCO would be the way, but they are very expensive, and the DHCP servers I have used in the past all have to be configured in the way I have explained above to be totally secure.
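Added example, not part of the original thread: a reservation table like the one in the post above only controls what the DHCP server hands out, so one way to catch the manually configured hosts it mentions is to audit the addresses actually seen on the wire against that table. The neighbor listing below is constructed sample data in the style of Linux `ip neigh show` output, and the function names are hypothetical.

```python
import ipaddress

SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Reservation table from the post above (MAC -> reserved IP).
_SUFFIXES = ["0a", "0b", "0c", "0d", "0e", "1a", "1b", "1c", "1d", "1e"]
RESERVATIONS = {f"00:00:00:00:00:{s}": f"192.168.1.{i}"
                for i, s in enumerate(_SUFFIXES, start=1)}

# Constructed sample in the style of `ip neigh show` (not real capture data).
SAMPLE_NEIGHBORS = """\
192.168.1.3 dev eth0 lladdr 00:00:00:00:00:0c REACHABLE
192.168.1.7 dev eth0 lladdr 00:00:00:00:00:1b STALE
192.168.1.200 dev eth0 lladdr 02:aa:bb:cc:dd:01 REACHABLE
192.168.1.5 dev eth0 lladdr 02:aa:bb:cc:dd:02 REACHABLE
192.168.1.50 dev eth0 lladdr 00:00:00:00:00:0a STALE
192.168.1.9 dev eth0  FAILED
"""

def parse_neighbors(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue  # FAILED/INCOMPLETE entries have no MAC to check
        yield tokens[0], tokens[tokens.index("lladdr") + 1].lower()

def audit(text, reservations=RESERVATIONS, subnet=SUBNET):
    """Return (ip, mac, finding) for every host that bypasses the table."""
    reserved_ips = set(reservations.values())
    findings = []
    for ip, mac in parse_neighbors(text):
        if ipaddress.ip_address(ip) not in subnet:
            continue  # not on the audited network
        if reservations.get(mac) == ip:
            continue  # host is on exactly the address reserved for it
        if mac in reservations:
            finding = "known MAC on an IP other than its reservation"
        elif ip in reserved_ips:
            finding = "reserved IP in use by a different MAC"
        else:
            finding = "unknown MAC on an unreserved IP"
        findings.append((ip, mac, finding))
    return findings

if __name__ == "__main__":
    for ip, mac, finding in audit(SAMPLE_NEIGHBORS):
        print(f"{ip:15} {mac}  {finding}")
```

A client that presents a reserved MAC on its reserved IP is indistinguishable from the legitimate machine in this check, so it complements link-layer authentication rather than replacing it.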

Fleshy Fun-Bridge Jun 15, 2006 07:46 PM

In a wireless environment, even the cheap home Linksys wireless routers support 802.1X (via RADIUS). This will allow you to restrict access at the data link layer to clients that have a valid username/password combination.

Arainach Jun 15, 2006 08:25 PM

MAC Address Filters are about the only way to do it, and even then they can be spoofed.

PUG1911 Jun 15, 2006 09:30 PM

Thanks for your points. Unfortunately that's the only solution I'd come up with as well. More or less defeats the purpose of it, so I'll probably just stick with static addressing.

