How Can You Prevent Non-Domain Users from Getting an IP Configuration
-
@IRJ said in how to prevent non domain users from getting ip configuration:
A NAC can totally do this. Usually you'd buy a device like fortigate, forescout, or Cisco make them for example.
You can configure non domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, av, and many other things.
I've been meaning to try packetfence. It's a FOSS tool that works with a variety of network devices including affordable ones like Ubiquiti.
https://packetfence.org/
We have Packetfence setup. Works a charm for the wireless devices we have on it.
If they are on a Windows network the Windows NAP application and a RADIUS server can do this as well.
-
@coliver said in how to prevent non domain users from getting ip configuration:
@IRJ said in how to prevent non domain users from getting ip configuration:
A NAC can totally do this. Usually you'd buy a device like fortigate, forescout, or Cisco make them for example.
You can configure non domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, av, and many other things.
I've been meaning to try packetfence. It's a FOSS tool that works with a variety of network devices including affordable ones like Ubiquiti.
https://packetfence.org/
We have Packetfence setup. Works a charm for the wireless devices we have on it.
If they are on a Windows network the Windows NAP application and a RADIUS server can do this as well.
With packet fence you can likely send them to a limited access remediation area for holding. Which can be an advantage if you want to continue to allow public access, but restrict private network access until remediation.
I know you could do that with forescout.
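The holding-area flow described in the two posts above (the NAC's 802.1X decision, with a remediation VLAN for domain machines that fail posture and a guest VLAN for anything that is not domain-joined), as an added toy model that is not from the thread or from PacketFence, Forescout or Cisco. The VLAN numbers, policy names and endpoint records are constructed; the RADIUS attribute names are the standard ones for dynamic VLAN assignment.

```python
"""Toy model of the per-endpoint decision a NAC makes at 802.1X time.

Added example, not from the thread. VLAN numbers, policy names and the
Endpoint records are constructed. The three RADIUS attributes are the
standard dynamic-VLAN ones (RFC 3580); the switch applies them to the
port, which is why a static IP on the rebuilt PC does not bypass this.
"""
from dataclasses import dataclass

# Constructed VLAN plan: full corporate access, a remediation "holding
# area" that only reaches patch/AV servers, and an Internet-only guest VLAN.
VLAN_CORP, VLAN_REMEDIATION, VLAN_GUEST = 10, 20, 30


@dataclass
class Endpoint:
    mac: str
    machine_cert_ok: bool   # EAP-TLS machine cert chains to the domain CA
    patches_current: bool   # posture report from the NAC agent (constructed)
    av_current: bool


def radius_reply(vlan: int) -> dict:
    """Access-Accept attributes that steer the switch port onto a VLAN."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def decide(ep: Endpoint) -> tuple[str, dict]:
    """Return (policy_name, radius_attributes) for one authentication."""
    if not ep.machine_cert_ok:
        # A PC the user reformatted has no domain machine cert, so the NAC
        # cannot tell it from a stranger's laptop: guest VLAN, no private
        # network, until it is domain-joined again.
        return "guest", radius_reply(VLAN_GUEST)
    if not (ep.patches_current and ep.av_current):
        # Domain machine with a posture failure: park it in remediation
        # until the agent reports it compliant again.
        return "remediation", radius_reply(VLAN_REMEDIATION)
    return "corp", radius_reply(VLAN_CORP)


if __name__ == "__main__":
    for ep in (Endpoint("02:00:00:00:00:01", True, True, True),
               Endpoint("02:00:00:00:00:02", False, True, True),
               Endpoint("02:00:00:00:00:03", True, False, True)):
        print(ep.mac, *decide(ep))
```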
-
@IRJ said in how to prevent non domain users from getting ip configuration:
A NAC can totally do this. Usually you'd buy a device like fortigate, forescout, or Cisco make them for example.
You can configure non domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, av, and many other things.
I've been meaning to try packetfence. It's a FOSS tool that works with a variety of network devices including affordable ones like Ubiquiti.
https://packetfence.org/
yeah - NAC was the first thing I thought of... but I have no idea how complicated it is to set up and maintain.
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
Hi ML community
I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting IP configuration so that they are forced to join their machine into our domain in order to get IP configuration.
How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network but I have no clue how to proceed, any enlightenment please??
You need network access control like 802.1x and conditional access. That's the only real way.
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
i want to solve this problem by preventing any non domain machine from getting ip configuration
Chicken and egg... how do you become a domain user without already having an IP configuration?
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
I heard that there is some setting in the switch that can prevent non-domain users from getting into the network
You must have misheard or the speaker was confused. A switch cannot do this.
-
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
preventing any non domain machine from getting ip configuration
In a situation where they are allowed to rebuild their machines, they don't need an IP configuration from you. So just as they can bypass the domain security, they can bypass this IP security, too. It's so easy to do that they might do so accidentally and not even realize that you had attempted to block them.
-
@Obsolesce said in how to prevent non domain users from getting ip configuration:
@IT-ADMIN said in how to prevent non domain users from getting ip configuration:
Hi ML community
I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting IP configuration so that they are forced to join their machine into our domain in order to get IP configuration.
How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network but I have no clue how to proceed, any enlightenment please??
You need network access control like 802.1x and conditional access. That's the only real way.
Yeah, specialty hardware that handles it.
-
You would need something like this expensive product.
https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
-
Discussion on the policy side of this is over here:
https://mangolassi.it/topic/20894/policies-vs-network-access-control