
authenticated logon?

Last post 01-30-2008, 5:45 PM by timfoote. 9 replies.

  •  12-27-2007, 8:20 AM 1553

    authenticated logon?

    Hi, I have a small 120 PC (10 Mac) user network. We have a large number of volunteers also. This is my problem: users with a valid name and password are bringing in their own laptops and more Macs. They create shares and use their own computers. I would like to find a way to only offer this if they ask for and get temporary permission. I use DHCP and as we grow would like to keep using it rather than manage MAC addresses.

     Thanks for any input

     

    llawren

  •  12-27-2007, 8:15 PM 1554 in reply to 1553

    Re: authenticated logon?

    So what you're saying is you want to be able to stop anyone from plugging into the network and getting access? (or getting an IP address rather?)

    In the past I've used DHCP with reservations only, which means they have to come to you and give you their MAC address if they want access to the network via DHCP.

  •  12-28-2007, 1:39 AM 1558 in reply to 1554

    Re: authenticated logon?

    Yep, that's a good one.  Doesn't bypass use of nonstandard protocols like NetBEUI or IPX/SPX but yep.  That's a good one.

     Can NAP help out in this, or is there a way with a good managed switch to build an "Allowed" table based upon MAC addresses?   Same idea as reserved DHCP but the advantage would be that if they guessed the IP address/subnet from accessing another machine or running some standard LAN sniffing software, it could kill their access at the switch.

     Does that exist at the switch level or am I getting too creative?

     Of course you could always taser anybody walking past security with their own equipment.  A little extreme I think personally, but one good example should deter others.  Or just shred non-standard equipment brought in after distributing a nasty "IT Policy memo on non-standard equipment".

     But personally, I like the reserved MAC address DHCP idea myself.  Much less costly and fewer lawsuits involved.


    Well all else fails, make an offering to the computer gods. Preferably in small unmarked bills.
  •  12-28-2007, 1:55 AM 1559 in reply to 1558

    Re: authenticated logon?

    Yes, that kind of functionality is available at the switch level and is the most secure way of doing it, but DHCP is a lot less painful.

    And after all, we're all lazy admins around here right?   ;) lol

  •  12-28-2007, 8:06 AM 1560 in reply to 1559

    Re: authenticated logon?

    OK ok... you've got a point.

     Tasers all round for everybody.

     OR! (Oh THIS would just cheese them all!) SWITCH TO TOKEN RING!

     "Hey My Mac won't plug into this!"

    "I just fried my network card"

    "My phone is making funny noises"


    Well all else fails, make an offering to the computer gods. Preferably in small unmarked bills.
  •  12-28-2007, 8:09 AM 1561 in reply to 1560

    Re: authenticated logon?

    Ok... not funny part.

     If you have a list of the MAC addresses (from DHCP of course), can you not export that list (and manually add the few statics you have) and somehow import that into a switch table?

     There!  That's a lot better than keying in 120 MAC addresses!  (ALMOST lazy, involved a little brain work but not so much running about)

     AH!  Sean didn't say something funny.   Hide and run


    Well all else fails, make an offering to the computer gods. Preferably in small unmarked bills.
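
Added example, not part of the original posts: one way to do the export-and-import step suggested above is to normalize an exported DHCP lease list into a single MAC format before loading it into a switch allow-list. The CSV layout, hostnames and addresses are constructed for illustration; malformed, duplicated and locally administered entries are set aside for manual review.

```python
import csv, io, re

# Constructed sample of a DHCP lease export (hostname, MAC); formats vary by source.
SAMPLE_EXPORT = """hostname,mac
frontdesk-01,00-1A-2B-3C-4D-5E
lab-mac-03,00:1a:2b:3c:4d:5f
thin-07,001a.2b3c.4d60
frontdesk-01-dup,001A2B3C4D5E
visitor-laptop,02:11:22:33:44:55
broken-entry,00-1A-2B-3C-4D
"""

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def cisco_format(mac12):
    """Render as xxxx.xxxx.xxxx, the dotted form Cisco IOS displays."""
    return ".".join(mac12[i:i + 4] for i in (0, 4, 8))

def build_allowlist(export_text):
    """Split an export into (allowed, review, rejected).

    allowed:  {mac12: hostname} for unique, globally administered unicast MACs
    review:   entries needing a human decision (duplicates, locally administered)
    rejected: entries that are not valid MACs or are multicast
    """
    allowed, review, rejected = {}, [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        host, mac = row["hostname"].strip(), normalize_mac(row["mac"])
        if mac is None:
            rejected.append((host, row["mac"], "malformed"))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            rejected.append((host, row["mac"], "multicast"))
        elif first_octet & 0x02:
            review.append((host, mac, "locally administered"))
        elif mac in allowed:
            review.append((host, mac, "duplicate of " + allowed[mac]))
        else:
            allowed[mac] = host
    return allowed, review, rejected

if __name__ == "__main__":
    allowed, review, rejected = build_allowlist(SAMPLE_EXPORT)
    for mac, host in sorted(allowed.items()):
        print(cisco_format(mac), host)
    for item in review + rejected:
        print("CHECK:", item)
```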
  •  01-30-2008, 5:11 PM 1631 in reply to 1561

    Re: authenticated logon?

    Hey guys!

    I am having the same issues over here.  We have users bringing in laptops and connecting to our network (trying to hack the network).  Our Windows servers don't give out DHCP, our Cisco routers do.  I am trying to come up with a rather painless way to restrict access by MAC address, but we have over 1000+ laptops, thin clients and desktops that need to connect daily.  Any suggestions on how to handle this monumental task of capturing MAC addresses?

  •  01-30-2008, 5:20 PM 1632 in reply to 1631

    Re: authenticated logon?

    Can you not configure the router in a similar way?  The router should keep a table of all the MAC addresses connected to it so you can capture them that way.  Or just use an IP scanner to scan the network and grab the MACs.

    Let us know how you go :)
     

  •  01-30-2008, 5:36 PM 1633 in reply to 1632

    Re: authenticated logon?

    To be honest, I try not to mess with the routers as much as I can.  I'm not boned up on Cisco at all.  But what you said makes sense.  Perhaps the next time we get the router guy out here he can take a look for us.
  •  01-30-2008, 5:45 PM 1635 in reply to 1633

    Re: authenticated logon?

    Yeah, I mean if your router wasn't the one serving up DHCP then it would be a bit simpler.  I'd get on to your router guy for sure and see what he can do.

    Cheers
     
