How Can You Prevent Non-Domain Users from Getting an IP Configuration



  • Hi ML community

    I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting an IP configuration, so that they are forced to join their machine into our domain in order to get an IP configuration.

    How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network, but I have no clue how to proceed. Any enlightenment please?



  • How would this even work? You need to have an IP address to be able to communicate and bind to the domain.

    Are you saying you're okay if the user statically assigns an address to their PC? And then maybe, somehow block that device at your switch or firewall because it's not bound?



  • Why do you allow them to wipe the PCs? Disable booting from USB, optical drives and floppy, and everything that's not the drive the main OS is installed on, and password protect the BIOS.

    Next time you catch a user wiping their drive, take it to upper management and recommend termination of said employee. Once the word gets out, nobody will try any more shenanigans.



  • @DustinB3403 said in how to prevent non domain users from getting ip configuration:

    How would this even work? You need to have an IP address to be able to communicate and bind to the domain.

    Are you saying you're okay if the user statically assigns an address to their PC? And then maybe, somehow block that device at your switch or firewall because it's not bound?

    You strike a good point. I forgot about the fact that telling a joined computer from a non-joined one is done after the machine gets an IP configuration.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    Hi ML community

    I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting an IP configuration, so that they are forced to join their machine into our domain in order to get an IP configuration.

    How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network, but I have no clue how to proceed. Any enlightenment please?

    Everyone has hit the obvious point here. But to your question.

    You're looking for 802.1x and RADIUS. Most switches can be configured for this and will prevent anyone who isn't on a domain machine (with a domain cert) or a domain user from authenticating on the switch.



  • A NAC can totally do this. Usually you'd buy a device; FortiGate, Forescout, or Cisco make them, for example.

    You can configure non-domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, AV, and many other things.

    I've been meaning to try PacketFence. It's a FOSS tool that works with a variety of network devices, including affordable ones like Ubiquiti.
    https://packetfence.org/



  • @IRJ said in how to prevent non domain users from getting ip configuration:

    A NAC can totally do this. Usually you'd buy a device; FortiGate, Forescout, or Cisco make them, for example.

    You can configure non-domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, AV, and many other things.

    I've been meaning to try PacketFence. It's a FOSS tool that works with a variety of network devices, including affordable ones like Ubiquiti.
    https://packetfence.org/

    We have PacketFence set up. Works a charm for the wireless devices we have on it.

    If they are on a Windows network the Windows NAP application and a RADIUS server can do this as well.



  • @coliver said in how to prevent non domain users from getting ip configuration:

    @IRJ said in how to prevent non domain users from getting ip configuration:

    A NAC can totally do this. Usually you'd buy a device; FortiGate, Forescout, or Cisco make them, for example.

    You can configure non-domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, AV, and many other things.

    I've been meaning to try PacketFence. It's a FOSS tool that works with a variety of network devices, including affordable ones like Ubiquiti.
    https://packetfence.org/

    We have PacketFence set up. Works a charm for the wireless devices we have on it.

    If they are on a Windows network the Windows NAP application and a RADIUS server can do this as well.

    With PacketFence you can likely send them to a limited-access remediation area for holding, which can be an advantage if you want to continue to allow public access but restrict private network access until remediation.

    I know you could do that with forescout.
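
As an added example of what the 802.1x/RADIUS answer and the "holding area" replies above describe (written for this thread, not configuration from any poster or vendor documentation), here is a Cisco IOS access-port configuration that sends devices with no supplicant, or with a rejected (non-domain) identity, into a quarantine VLAN instead of the production LAN. The platform, the RADIUS server name and address, the shared secret and the VLAN numbers are assumptions.

```text
! Assumed platform: Cisco IOS access switch. Example only; adjust names, addresses and VLANs.
! Global: run 802.1X, hand the EAP exchange to RADIUS and accept its VLAN decision.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server CORP-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! VLAN 99 is the "holding area": no route to the domain, only to a remediation/join portal.
vlan 99
 name QUARANTINE
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication host-mode single-host
 ! No 802.1X supplicant answers at all (e.g. a freshly reinstalled PC): guest VLAN
 authentication event no-response action authorize vlan 99
 ! Supplicant answered but RADIUS rejected it (no domain-issued certificate): auth-fail VLAN
 authentication event fail action authorize vlan 99
 ! RADIUS unreachable: fail into quarantine rather than open onto the LAN
 authentication event server dead action authorize vlan 99
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! A machine that passes EAP-TLS with a domain-issued computer certificate is placed in the
! production VLAN by the RADIUS Access-Accept, using the RFC 3580 attributes:
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-Id = "10"
```

The quarantine VLAN only needs reachability to whatever lets the user bring the machine into compliance (the domain-join/remediation portal), so a reinstalled PC that assigns itself a static address still lands on a segment with nothing interesting on it.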



  • @IRJ said in how to prevent non domain users from getting ip configuration:

    A NAC can totally do this. Usually you'd buy a device; FortiGate, Forescout, or Cisco make them, for example.

    You can configure non-domain devices in a holding area and/or force them to domain join before allowing full network access. You can also do things like ban systems that aren't up to date with patches, AV, and many other things.

    I've been meaning to try PacketFence. It's a FOSS tool that works with a variety of network devices, including affordable ones like Ubiquiti.
    https://packetfence.org/

    Yeah, NAC was the first thing I thought of... but I have no idea how complicated it is to set up and maintain.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    Hi ML community

    I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting an IP configuration, so that they are forced to join their machine into our domain in order to get an IP configuration.

    How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network, but I have no clue how to proceed. Any enlightenment please?

    You need network access control like 802.1x and conditional access. That's the only real way.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    I want to solve this problem by preventing any non-domain machine from getting an IP configuration

    Chicken and egg... how do you become a domain user without already having an IP configuration?



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    I heard that there is some setting in the switch that can prevent non-domain users from getting into the network

    You must have misheard or the speaker was confused. A switch cannot do this.



  • @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    preventing any non-domain machine from getting an IP configuration

    In a situation where they are allowed to rebuild their machines, they don't need an IP configuration from you. So just as they can bypass the domain security, they can bypass this IP security, too. It's so easy to do that they might do so accidentally and not even realize that you had attempted to block them.



  • @Obsolesce said in how to prevent non domain users from getting ip configuration:

    @IT-ADMIN said in how to prevent non domain users from getting ip configuration:

    Hi ML community

    I have a question regarding a policy I want to apply in my network. We have a very big environment and some users format their PCs in order to gain full access over their machine (they don't want to be part of the domain). I want to solve this problem by preventing any non-domain machine from getting an IP configuration, so that they are forced to join their machine into our domain in order to get an IP configuration.

    How can I achieve that? I heard that there is some setting in the switch that can prevent non-domain users from getting into the network, but I have no clue how to proceed. Any enlightenment please?

    You need network access control like 802.1x and conditional access. That's the only real way.

    Yeah, specialty hardware that handles it.



  • You would need something like this expensive product.
    https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html



  • Discussion on the policy side of this is over here:

    https://mangolassi.it/topic/20894/policies-vs-network-access-control