Question
Tuesday, August 27, 2013 7:44 PM
On Windows Server 2008 R2, I look at the DHCP log lease roster and see several leases whose status is "Deny," but their lease doesn't expire for several days. Why are they being given a lease if they're denied access? And how do I stop this, since our network is a little crowded and I don't want to run out of IPs due to idiots trying to log onto our network without a user account or password?
All replies (6)
Thursday, August 29, 2013 3:47 PM ✅Answered
See if this helps to make sure no steps were missed. And keep in mind, you must find the MACs of all interfaces on the devices to block them. So if a laptop has a wired and wireless interface, they both need to be blocked.
Enable and Configure MAC Address Filtering - Windows 2008 and newer
http://technet.microsoft.com/en-us/magazine/ff521761.aspx
-
FYI, based on that article above, there are three scenarios you can set it up as:
• Enable and define an explicit allow list. The DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list. Any client that previously received IP addresses is denied address renewal if its MAC address isn’t on the allow list.
• Enable and define an explicit deny list. The DHCP server denies DHCP services only to clients whose MAC addresses are in the deny list. Any client that previously received IP addresses is denied address renewal if its MAC address is on the deny list.
• Enable and define an allow list and a block list. The block list has precedence over the allow list. This means that the DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list, provided that no corresponding matches are in the deny list. If a MAC address has been denied, the address is always blocked even if the address is on the allow list.
I'm not sure how you have it currently set up, and assuming that you have it set to block MACs that you discover as time goes by, it may be better to get an inventory of the MACs of all your machines that you want to allow and put them in an Explicit Allow list, so others are blocked.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, August 28, 2013 9:26 AM
Hi,
According to your description, I shall clarify something for you.
If the lease hasn’t expired, the client will continue working with the original IP.
Only when 50 percent of the original lease time has elapsed, or when the command “ipconfig /renew” is run, will the client renew its IP address.
On the server side, the filter takes effect when the client requests or renews an IP address.
You can reduce the lease time, since you have a lot of clients in your network.
Hope this helps.
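As an added example that is not part of the thread or of the linked TechNet article, the following PowerShell script applies the third scenario from the accepted answer (explicit allow list plus deny list, deny taking precedence), shortens the scope lease time as the reply above suggests, and then audits the lease roster for leases still held by denied MACs, which the filter alone will not revoke until those leases expire or renew. It assumes the DhcpServer PowerShell module (shipped with Windows Server 2012 and later and with RSAT; on 2008 R2 itself the same settings are made through the DHCP console or netsh). The server name, scope ID and all MAC addresses are constructed placeholders.

```powershell
# Added example: configure DHCP MAC filtering (allow + deny, deny wins) and
# audit the lease roster. Requires the DhcpServer module. All names and MACs
# below are placeholders, not values from the original thread.
Import-Module DhcpServer

$Server  = 'dhcp01.example.internal'   # placeholder DHCP server
$ScopeId = '10.0.0.0'                  # placeholder scope

# Inventoried devices that may receive leases (constructed sample values).
# Remember that a laptop's wired and wireless interfaces have separate MACs.
$AllowedDevices = @(
    @{ Mac = '00-11-22-33-44-55'; Description = 'Laptop-01 wired'    },
    @{ Mac = '00-11-22-33-44-56'; Description = 'Laptop-01 wireless' }
)
# Known unwanted devices (constructed sample values).
$DeniedDevices = @(
    @{ Mac = 'AA-BB-CC-DD-EE-01'; Description = 'Former employee device' }
)

foreach ($d in $AllowedDevices) {
    Add-DhcpServerv4Filter -ComputerName $Server -List Allow `
        -MacAddress $d.Mac -Description $d.Description -Force
}
foreach ($d in $DeniedDevices) {
    Add-DhcpServerv4Filter -ComputerName $Server -List Deny `
        -MacAddress $d.Mac -Description $d.Description -Force
}

# Enforce both lists. With both enabled, a MAC on the deny list is blocked
# even if it also appears on the allow list.
Set-DhcpServerv4FilterList -ComputerName $Server -Allow $true -Deny $true

# Filtering is evaluated only on DHCP requests and renewals, so a shorter
# lease time makes denied clients lose their addresses sooner (8 h here).
Set-DhcpServerv4Scope -ComputerName $Server -ScopeId $ScopeId `
    -LeaseDuration (New-TimeSpan -Hours 8)

# Audit: list active leases whose client MAC is on the deny list.
# These are leases granted before the MAC was denied; they stay in the
# roster until they expire or the client tries to renew.
$deniedMacs = Get-DhcpServerv4Filter -ComputerName $Server -List Deny |
    ForEach-Object { $_.MacAddress.ToUpper() }

$stale = Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId |
    Where-Object { $deniedMacs -contains $_.ClientId.ToUpper() }

$stale | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime, AddressState |
    Format-Table -AutoSize

# Optional: reclaim those addresses now instead of waiting for expiry.
foreach ($lease in $stale) {
    Remove-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId `
        -IPAddress $lease.IPAddress
}
```

Run it from an account that is a member of DHCP Administrators on the target server. The audit step is the useful check for the situation described in the question: if it keeps returning leases for MACs that have been on the deny list for months, filter enforcement is not actually turned on (Set-DhcpServerv4FilterList reports the current state), because an enforced deny list would have refused those clients' next renewal.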
Thursday, August 29, 2013 12:49 AM
Since you don't know what machines that have an IP with a MAC you recently denied, you have to wait for the lease to expire.
You can also keep track of the unwanted MACs and deny them on your switches and wireless AP.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, August 29, 2013 3:09 AM
I apparently need to clarify something for you. The MACs in question belong to employees who were blocked months ago, and they periodically attempt to gain access. When they make the attempt, they are denied a login because they don't have a domain account, but they are given a lease that is set to expire at the correct time in the future it would expire if they were on the allow filter pre filtered out. My understanding of this filter is that it is supposed to deny the lease entirely; is that not correct?
"Being able to speak doesn't make you intelligent." --Kwai Gon Jin
Thursday, August 29, 2013 3:15 AM
Since you don't know what machines that have an IP with a MAC you recently denied, you have to wait for the lease to expire.
You can also keep track of the unwanted MACs and deny them on your switches and wireless AP.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Umm, I do know exactly what devices I have recently denied because they have been in the deny filter for several months, and therefore they shouldn't have been issued a lease at all, should they?
"Being able to speak doesn't make you intelligent." --Kwai Gon Jin
Thursday, August 29, 2013 1:37 PM
Umm, absolutely. So that beckons us to ask, since it's apparently not working, how did you set up the filter? What step by step did you follow?
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.