Question
Thursday, February 2, 2012 3:39 PM
Hi all,
I have a Win 2008 R2 domain and a joined Win 2008 R2 DHCP server. I want to do a task so that my DHCP server assigns IP addresses only to computers which are joined to the domain (but not to non-joined computers).
How can I achieve this goal?
Can I achieve this with the combination of NAP and a CA server?
Please tell me the titles of the steps in detail (not the whole steps).
Thanks in advance
All replies (4)
Friday, February 3, 2012 7:38 AM ✅ Answered
Hi John,
Thanks
Please start from the steps in the checklists and select the DHCP enforcement method that we are going to deploy:
Checklist: Staging a NAP Deployment
http://technet.microsoft.com/en-us/library/dd314146(WS.10).aspx
Meanwhile, we may also consider having 802.1X-capable devices and setting up a RADIUS server with policies defined on it in order to restrict unauthenticated hosts on our network:
802.1X Authenticated Wired Access
http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx
802.1X Authenticated Wireless Access
http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx
Thanks.
Tiger Li
TechNet Community Support
Thursday, February 2, 2012 4:57 PM
So, you are on the correct path. DHCP itself does not have security built in, so only assigning IPs to domain members is not really an option. Think about networking as a whole... The DHCP protocol is used for any TCP/IP-enabled host, not just Windows. So, to accomplish what you are trying to do requires additional networking services such as 802.1x, NAP, CAs, RADIUS, etc...
Even with these technologies in place, the computer will still require an IP address. Once the IP is given, you use these technologies to restrict access until certain pre-requisites are met, such as domain membership, service pack levels, AV client installation, etc...
I would start with getting an overview on Network Access Protection and go from there. There are way too many steps to discuss in a single forum thread.
Maybe start here: http://technet.microsoft.com/en-us/network/bb545879
Guides and tutorials, visit ITGeared.com.
Friday, February 3, 2012 2:18 AM
Hi Jorge. Thank you for the answer. That link is very general. I am familiar with NAP. May you please tell me only the step titles in brief?
Thanks
Friday, February 3, 2012 4:38 PM
Hi Tiger. Thank you very much for the solution.