
I am looking for a way to prevent network access for devices that do not belong to our corporate Active Directory domain.

Some people connect their personal laptops to our corporate network, and some of them unintentionally cause problems.

I already use a DHCP policy to give them a separate DNS name (aliens.contoso.com), allowing me to quickly see if such a device is connected (I just have a look at the DNS console). This policy is activated when the client does not belong to our contoso.com domain.
The problem with this method is that the unwanted laptop has perfectly correct IP settings, so the user can use it.
This only allows a separate DNS name. I can't specify a different router or an unusable IP address.

We'd like to assign unusable IP settings to those laptops, so that the users won't use them, or will phone us. This will allow us to ensure the laptop is clean and to give directions to the users.

Of course they can manually enter the correct settings, but few of our users can do that, and this will considerably reduce the problems.
I don't plan to enforce network access with 802.1X. I know the DHCP method is weaker.

I think we can do it with Network Policy Server (we use Windows 2012 R2 for our servers), but I didn't understand how.

Gregory MOUSSAT

2 Answers

In short: you can't

In order for the DHCP server to know if a device is inside the domain, it has to communicate with a domain controller, so the device must first have an IP address.
This is why the settings you want are greyed out.

A trick can be to name your computers with a special prefix. Then the DHCP server can detect it when the computer negotiates its DHCP lease, so the desired options will be available (not greyed out).

Bertrand SCHITS

The usual way of doing this is with 802.1X authentication, but you've said that you don't want to do this. NPS is used with 802.1X so if you're not going to use that, then you're not going to have much of a use for NPS.

The only other way I can think of doing it is to use port-based VLANs (not 802.1q) to move all the unused network ports (that could be "guest" ports) onto a different VLAN, add a DHCP helper onto that VLAN and forward the DHCP requests to your 2012 R2 server, and issue them a different subnet/gateway/etc. Or you could direct them to a captive portal. Or you could just not issue them an IP address at all and not have a gateway.

Mark Henderson
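As an added example (not part of Mark Henderson's answer or the original page), here is what the "separate subnet, no gateway" variant of that design looks like on the Windows Server 2012 R2 DHCP server itself, using the DhcpServer PowerShell module that ships with the role. The switch side (a DHCP relay or "ip helper-address" on the guest VLAN pointing at the DHCP server) is vendor specific and not shown. The subnet 192.0.2.0/24, the server name DHCP01 and the DNS server 10.0.0.5 are hypothetical values chosen for the example; the aliens.contoso.com suffix is the one from the question.

```powershell
# Added example, not from the original page. Builds a DHCP scope for a
# guest VLAN on Windows Server 2012 R2: own subnet, the aliens.contoso.com
# DNS suffix from the question so devices still show up in the DNS console,
# and deliberately NO router option (option 3), so an unmanaged laptop gets
# a lease but cannot reach anything outside its VLAN.
# Assumptions (hypothetical): guest VLAN is 192.0.2.0/24, the DHCP server
# is DHCP01, and 10.0.0.5 is the corporate DNS server.

$Server  = 'DHCP01'
$ScopeId = '192.0.2.0'

# 1. The scope. A short lease means the aliens.contoso.com records and the
#    lease list reflect who is actually plugged in right now.
Add-DhcpServerv4Scope -ComputerName $Server -Name 'Guest VLAN (unmanaged devices)' `
    -StartRange 192.0.2.10 -EndRange 192.0.2.250 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Hours 1) -State Active

# 2. Scope options: DNS server and suffix only. Option 3 (router) is
#    intentionally not set here.
Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId `
    -DnsServer 10.0.0.5 -DnsDomain 'aliens.contoso.com'

# 3. Belt and braces: make sure no option 3 exists at scope level.
Remove-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId -OptionId 3 `
    -ErrorAction SilentlyContinue

# 4. Verify. Scope-level option 3 must be absent. Server-level options are
#    inherited by every scope, so a router configured at server level would
#    silently give the guest scope a gateway; warn if one is present.
$scopeRouter = Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId `
    -OptionId 3 -ErrorAction SilentlyContinue
if ($scopeRouter) { throw "Scope $ScopeId still hands out a router: $($scopeRouter.Value)" }

$serverRouter = Get-DhcpServerv4OptionValue -ComputerName $Server -OptionId 3 `
    -ErrorAction SilentlyContinue
if ($serverRouter) {
    Write-Warning "Server-level option 3 ($($serverRouter.Value)) is inherited by $ScopeId; remove it or override it per scope."
}

# 5. The lease list of this scope is the inventory of "alien" devices to
#    go and look at.
Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

Run this once from a management host with the DHCP RSAT tools installed (or on DHCP01 itself). Because the guest VLAN is a separate broadcast domain, the usual policy conditions are not needed at all: anything that lands on a guest port gets this scope, and a user who types in corporate IP settings by hand still cannot leave the VLAN, which is the main advantage over the DHCP-policy approach in the question.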
    As I understand NPS, if it works for 802.1X enforcement then it works for DHCP enforcement too. But I haven't found a way to separate computers based solely on whether they are inside the domain or not (nothing else). – Gregory MOUSSAT Jan 12 '15 at 16:13