
URGENT: Prevent from connecting Notebooks to my LAN

microsoft.public.windows.server.security
Posted by Jazmin Gutierrez on October 9, 2007, 9:30 am
Is there any way to prevent notebooks and PDAs from connecting to my LAN?
I heard that IPSec is the solution but I STILL have Windows 98 computers in
my network.

1) Is it possible to apply IPSec only for Windows XP/Vista computers? Most
notebooks have XP/Vista OSs.

2) How do I prevent the DHCP server from assigning an IP address to an unauthorized
computer?

3) What other solutions do I have (that include Windows 98)? Maybe
MAC-address based control? Is it included with Windows 2003?

Thanks!





Posted by George Ellis on October 9, 2007, 9:43 am
One way is Network Access Control or Identity Based Networking Services.
Layer 2 denial of a connection based on not having the correct certificate.
Requires the right infrastructure. MS has a layer 3 equivalent in Longhorn.

For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
or better. AD membership is the criteria some use, but you can make it
group based too. The beauty of it is, you can put authenticated users in one
VLAN and failed in another.

ForeScout has a device that can do it in layer 3 through posturing IIRC

> Is there any way to prevent notebooks and PDAs from connecting to my LAN?
> I heard that IPSec is the solution but I STILL have Windows 98 computers
> in
> my network.
>
> 1) Is it possible to apply IPSec only for Windows XP/Vista computers? Most
> notebooks have XP/Vista OSs.
>
> 2) How do I prevent the DHCP server from assigning an IP address to an unauthorized
> computer?
>
> 3) What other solutions do I have (that include Windows 98)? Maybe
> MAC-address based control? Is it included with Windows 2003?
>
> Thanks!
>
>
>
>



Posted by Chris Hills on October 10, 2007, 7:07 am
George Ellis wrote:
> For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
> or better. AD membership is the criteria some use, but you can make it
> group based too. The beauty of it is, you can put authenticated users in one
> VLAN and failed in another.

Correction: you do not need Cisco hardware at all. You can use any
802.1X compatible network devices with guest vlan support. In addition
you do not need PKI to accomplish this (as I first thought).

Regards

Chris

Posted by jas0n on October 10, 2007, 5:39 pm
chaz@chaz6.com says...
> George Ellis wrote:
> > For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
> > or better. AD membership is the criteria some use, but you can make it
> > group based too. The beauty of it is, you can put authenticated users in one
> > VLAN and failed in another.
>
> Correction: you do not need Cisco hardware at all. You can use any
> 802.1X compatible network devices with guest vlan support. In addition
> you do not need PKI to accomplish this (as I first thought).
>
> Regards
>
> Chris
>

We are going down the NAC route at the moment but before NAC we were
looking at 802.1x which looked straightforward enough - if you run
Windows Servers you already have IAS, which is a RADIUS server you can
use with most managed switches that support 802.1x.

I did at one point have it on two separate VLANs where the guest would
stay in the original VLAN which had basic internet access and only if
authenticated moved them into the company VLAN with access to servers
etc.
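An added example, not code from any poster in this thread or from any vendor: a Python model of the port outcome jas0n describes, driven by the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a RADIUS server such as IAS returns in an Access-Accept. VLAN ids 10 (guest / port default) and 20 (company) are assumed for illustration; a host that never answers EAPOL (a Windows 98 box with no supplicant) stays in the guest VLAN.

```python
# Constructed model of a switch port's 802.1X outcome driven by RADIUS reply
# attributes (RFC 2865 codes, RFC 2868 tunnel attributes); not vendor code.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE802 = 13, 6
GUEST_VLAN = 10   # assumed VLAN the port sits in before or without auth

def build_attr(atype: int, value: bytes, tag: int = 0) -> bytes:
    """Encode one tagged RADIUS attribute: type, length, tag, value."""
    body = bytes([tag]) + value
    return bytes([atype, len(body) + 2]) + body

def parse_attributes(payload: bytes) -> dict:
    """Parse RADIUS attribute TLVs, stripping the tag byte of tunnel attrs."""
    attrs, i = {}, 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = payload[i], payload[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = value[1:]                 # tag byte, then 3-byte integer
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value and value[0] <= 0x1F:
            value = value[1:]                 # tag is present only if <= 0x1F
        attrs[atype] = value
        i += alen
    return attrs

def port_vlan(radius_code: int, attrs_payload: bytes = b"",
              supplicant_responded: bool = True) -> int:
    """VLAN a port lands in: company VLAN only on Access-Accept carrying
    consistent VLAN attributes, guest VLAN in every other case."""
    if not supplicant_responded or radius_code != ACCESS_ACCEPT:
        return GUEST_VLAN                     # no EAPOL reply (e.g. Win98) or Reject
    attrs = parse_attributes(attrs_payload)
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"\0"), "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if ttype == TUNNEL_TYPE_VLAN and medium == MEDIUM_IEEE802 and group.isdigit():
        return int(group)                     # dynamic VLAN chosen by RADIUS
    return GUEST_VLAN                         # Accept without usable VLAN attrs

def company_accept(vlan: int = 20) -> bytes:
    """Constructed Access-Accept attribute payload that assigns `vlan`."""
    return (build_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + build_attr(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE802.to_bytes(3, "big"))
            + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"%d" % vlan))
```

The guest-VLAN fallback is the defensive default: an Accept whose tunnel attributes are missing or inconsistent (wrong medium type, non-numeric group) never lands a port in the company VLAN.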

Posted by Phillip Windell on October 9, 2007, 10:40 am
How do they make the people come to work on time? Make them do their work?
Keep them from stealing the toilet paper? You just don't let them bring
outside machines into the building, if they do then they have to stay in the
bag, if they don't obey then have established "punishments" in place. If
Management won't do that then you are wasting your time since I.T. people
typically don't run the company.

Networking equipment gets smarter all the time, but networking equipment
still is not a "babysitter".


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

> Is there any way to prevent notebooks and PDAs from connecting to my LAN?
> I heard that IPSec is the solution but I STILL have Windows 98 computers
> in
> my network.
>
> 1) Is it possible to apply IPSec only for Windows XP/Vista computers? Most
> notebooks have XP/Vista OSs.
>
> 2) How do I prevent the DHCP server from assigning an IP address to an unauthorized
> computer?
>
> 3) What other solutions do I have (that include Windows 98)? Maybe
> MAC-address based control? Is it included with Windows 2003?
>
> Thanks!
>
>
>
>


