DHCP deny mac address

HWhite · 27-03-2009

Hi all. I've searched around and have found some discussions dated 2005
regarding denying DHCP leases based on mac addresses. Basically the
conclusion was it couldn't be done through Windows Server 2003 DHCP. I'm
wondering if this has changed in the 3 years that have passed.

Here's my situation... I have a network with a wireless router. The router
is basically being used as an access point, passing through data rather than
doing any actual routing. Consequently, I can't connect to it via web
interface to log in and change anything. So, for the time being, lets say
that I cannot change the wireless password or set up mac filtering, which
would be the easiest thing to do. The wireless clients obtain a DHCP address
from a Windows 2003 SBS.

Over time, the wireless password has obviously been leaked. I have repeat
offenders with iPhones and other devices leaching off the bandwidth. These
are not devices or users on my network. Since they are the same devices over
and over, I would like to be able to block them from obtaining IP addresses,
or restricting their network usage after obtaining an address.

Can somebody recommend the best way to do this? I'm open to 3rd party
solutions.

Thanks!

Pegasus [MVP] · 27-03-2009

"HWhite" <HWhite@discussions.microsoft.com> wrote in message
news:E9DB20C9-EB04-47E4-9411-F125409B9249@microsoft.com...
> Hi all. I've searched around and have found some discussions dated 2005
> regarding denying DHCP leases based on mac addresses. Basically the
> conclusion was it couldn't be done through Windows Server 2003 DHCP. I'm
> wondering if this has changed in the 3 years that have passed.
>
> Here's my situation... I have a network with a wireless router. The
> router
> is basically being used as an access point, passing through data rather
> than
> doing any actual routing. Consequently, I can't connect to it via web
> interface to log in and change anything. So, for the time being, lets say
> that I cannot change the wireless password or set up mac filtering, which
> would be the easiest thing to do. The wireless clients obtain a DHCP
> address
> from a Windows 2003 SBS.
>
> Over time, the wireless password has obviously been leaked. I have repeat
> offenders with iPhones and other devices leaching off the bandwidth.
> These
> are not devices or users on my network. Since they are the same devices
> over
> and over, I would like to be able to block them from obtaining IP
> addresses,
> or restricting their network usage after obtaining an address.
>
> Can somebody recommend the best way to do this? I'm open to 3rd party
> solutions.
>
> Thanks!

I don't quite see why you should not be able to connect to the wireless
router's web interface. Regardles of its function as an access point or as a
router, it has an IP address that can be in any subnet you choose. You'll
find the default address in the router's manual - it's often something like
192.168.1.1. If you changed it and forgot its value then you'll have to
reset the router and reprogram it.

HWhite · 27-03-2009

If I had physical access to this router, I would just solve the problem. I
don't, which is why I posted here. I can't log into the router's web
interface. Whether it is because remote administration was not checked, or
some other reason, the login for the router doesn't appear when I go to the
address. If I must get my hands on this router, it can happen, but it isn't
easy.

"Pegasus [MVP]" wrote:

>
> "HWhite" <HWhite@discussions.microsoft.com> wrote in message
> news:E9DB20C9-EB04-47E4-9411-F125409B9249@microsoft.com...
> > Hi all. I've searched around and have found some discussions dated 2005
> > regarding denying DHCP leases based on mac addresses. Basically the
> > conclusion was it couldn't be done through Windows Server 2003 DHCP. I'm
> > wondering if this has changed in the 3 years that have passed.
> >
> > Here's my situation... I have a network with a wireless router. The
> > router
> > is basically being used as an access point, passing through data rather
> > than
> > doing any actual routing. Consequently, I can't connect to it via web
> > interface to log in and change anything. So, for the time being, lets say
> > that I cannot change the wireless password or set up mac filtering, which
> > would be the easiest thing to do. The wireless clients obtain a DHCP
> > address
> > from a Windows 2003 SBS.
> >
> > Over time, the wireless password has obviously been leaked. I have repeat
> > offenders with iPhones and other devices leaching off the bandwidth.
> > These
> > are not devices or users on my network. Since they are the same devices
> > over
> > and over, I would like to be able to block them from obtaining IP
> > addresses,
> > or restricting their network usage after obtaining an address.
> >
> > Can somebody recommend the best way to do this? I'm open to 3rd party
> > solutions.
> >
> > Thanks!
>
> I don't quite see why you should not be able to connect to the wireless
> router's web interface. Regardles of its function as an access point or as a
> router, it has an IP address that can be in any subnet you choose. You'll
> find the default address in the router's manual - it's often something like
> 192.168.1.1. If you changed it and forgot its value then you'll have to
> reset the router and reprogram it.
>
>
>

Pegasus [MVP] · 27-03-2009

"HWhite" <HWhite@discussions.microsoft.com> wrote in message
news:265A5885-C496-4939-9E9C-D06321870088@microsoft.com...
> If I had physical access to this router, I would just solve the problem.
> I
> don't, which is why I posted here. I can't log into the router's web
> interface. Whether it is because remote administration was not checked,
> or
> some other reason, the login for the router doesn't appear when I go to
> the
> address. If I must get my hands on this router, it can happen, but it
> isn't
> easy.

I think you have to grab this bull by its horns. Resetting the router and
managing it through its web interface is the only clean solution. Everything
else is a clumsy work-around that takes time to configure and will only
postpone the day when you have to reset the router anyway. After resetting
and reconfiguring it, remember to take a file snapshot of its configuration
so that you can rebuild it within minutes when you need to.

Dusko Savatovic · 27-03-2009

From what you write, you are not network administrator and this network is
not in your scope of responsibility, so why should you worry? And BTW, MAC
filtering is not effective security measure. It is easily spoofed. Anyway,
if this helps you, go ahead.
http://www.markmmanning.com/blog/200...n-windows.html

As an extra measure, there are some techniques to "attack" rogue access
points on the network and render them useless. Look at Cisco for some ideas.

"HWhite" <HWhite@discussions.microsoft.com> wrote in message
news:E9DB20C9-EB04-47E4-9411-F125409B9249@microsoft.com...
> Hi all. I've searched around and have found some discussions dated 2005
> regarding denying DHCP leases based on mac addresses. Basically the
> conclusion was it couldn't be done through Windows Server 2003 DHCP. I'm
> wondering if this has changed in the 3 years that have passed.
>
> Here's my situation... I have a network with a wireless router. The
> router
> is basically being used as an access point, passing through data rather
> than
> doing any actual routing. Consequently, I can't connect to it via web
> interface to log in and change anything. So, for the time being, lets say
> that I cannot change the wireless password or set up mac filtering, which
> would be the easiest thing to do. The wireless clients obtain a DHCP
> address
> from a Windows 2003 SBS.
>
> Over time, the wireless password has obviously been leaked. I have repeat
> offenders with iPhones and other devices leaching off the bandwidth.
> These
> are not devices or users on my network. Since they are the same devices
> over
> and over, I would like to be able to block them from obtaining IP
> addresses,
> or restricting their network usage after obtaining an address.
>
> Can somebody recommend the best way to do this? I'm open to 3rd party
> solutions.
>
> Thanks!

Joe Grover · 28-03-2009

Seconded. Without doing that then you'd probably be looking at using VLANs
and having any traffic that isn't set up on the VLAN going nowhere, and
that's assuming you have network equipment that supports VLANs.

"Pegasus [MVP]" <news@microsoft.com> wrote in message
news:e53y3GmrJHA.2368@TK2MSFTNGP06.phx.gbl...
>
> "HWhite" <HWhite@discussions.microsoft.com> wrote in message
> news:265A5885-C496-4939-9E9C-D06321870088@microsoft.com...
>> If I had physical access to this router, I would just solve the problem.
>> I
>> don't, which is why I posted here. I can't log into the router's web
>> interface. Whether it is because remote administration was not checked,
>> or
>> some other reason, the login for the router doesn't appear when I go to
>> the
>> address. If I must get my hands on this router, it can happen, but it
>> isn't
>> easy.
>
> I think you have to grab this bull by its horns. Resetting the router and
> managing it through its web interface is the only clean solution.
> Everything else is a clumsy work-around that takes time to configure and
> will only postpone the day when you have to reset the router anyway. After
> resetting and reconfiguring it, remember to take a file snapshot of its
> configuration so that you can rebuild it within minutes when you need to.
>