Topic: How to control when new systems request for a connection

Zent User

« on: November 07, 2012, 12:02:14 pm »
I'm using the Zentyal DHCP server in my network. The problem is: "when a new system is connected to unused ports of the switch, that system gets an internet connection". How can I restrict this? Only if the Zentyal admin allows the new connection should the new system get internet or whatever access. How can I achieve this?
Regards
Zent User

robb

« Reply #1 on: November 07, 2012, 01:05:10 pm »
Zentyal is not aware of the switchport a client is using. If you want port security on a switch you need a switch that supports such a feature.

Zent User

« Reply #2 on: November 07, 2012, 01:09:18 pm »
Is it not possible using DHCP and the MAC address of the client system?
Regards
Zent User

christian

« Reply #3 on: November 07, 2012, 01:12:22 pm »
It depends on what you intend to achieve ;)

If the goal is to prevent an unknown machine from getting a valid IP address and therefore accessing your LAN, then you could provide DHCP leases only to known MAC addresses, but:
- this can be painful if you have a lot of machines
- this doesn't bring security as faking MAC address is quite easy
- machine can still connect without using DHCP

Another approach could have been to implement authenticated DHCP but Zentyal doesn't provide this feature.

If the goal is to prevent an unauthorized account from accessing the internet (i.e. browse), then you could just enable HTTP proxy authentication 8)

robb

« Reply #4 on: November 07, 2012, 01:13:31 pm »
DHCP IS using the MAC address... I think you need to read something about how DHCP works. It is perfectly possible to always give a machine with a specific MAC address the same IP address. By making rules for certain IP addresses to access or not access the internet, you should be able to solve your specific objective.

Zent User

« Reply #5 on: November 07, 2012, 01:33:49 pm »
@Christian

Quote
- machine can still connect without using DHCP

Is it? Oh, I wondered after reading the above statement. If this problem were not there, I might go for this approach, because there are few systems in my network and I can manage DHCP leases with known MAC addresses. Can't we solve this issue?

Quote
If the goal is to prevent an unauthorized account from accessing the internet (i.e. browse), then you could just enable HTTP proxy authentication

If I go for the above approach, then:

1. Is it possible to implement this with an explicit proxy? I may go for an explicit proxy, as suggested in previous posts, to control HTTPS.

2. This may not suit me, because one of my team members will know the proxy credentials; if he then brings a laptop (which is an unknown machine from my point of view) to my office and is able to connect to the network, that is unauthorized work. So I want to stop this.
Regards
Zent User

christian

« Reply #6 on: November 07, 2012, 02:14:36 pm »
Sure, you want to stop this, but how are you going to prevent this same user from bringing his own laptop, setting a static IP matching your current LAN and then accessing the internet?
Using MAC address based leases and restricting access to this network object only? So far so good.
Then how are you going to prevent this same user from changing the MAC address on his own laptop and fooling your rule?

Zent User

« Reply #7 on: November 07, 2012, 02:24:16 pm »
If it works up to that, it's enough; my staff don't have enough knowledge to change the MAC address of a system. Even so, you've pointed out the drawback of this approach, thanks for that.

Any post regarding leased DHCP with MAC? I'd be grateful to you.
« Last Edit: November 15, 2012, 05:27:13 am by Zent User »
Regards
Zent User

christian

« Reply #8 on: November 07, 2012, 02:31:28 pm »
Quote
Any post regarding leased DHCP with MAC? I'd be grateful to you.

I suppose you didn't even try, because Zentyal 3.0 is straightforward and easy with this: in DHCP, go to the static address section and click on "add new".
If there is no network object, you can even create a new one from there and add objects inside.

The trick is to not define any dynamic range, so that a machine whose MAC address is not part of your network object will not get any IP.

Zent User

« Reply #9 on: November 07, 2012, 02:35:15 pm »
OK, thanks. Currently I'm using 2.2; I'll try 3.0 this week.
Regards
Zent User

christian

« Reply #10 on: November 07, 2012, 02:43:16 pm »
2.2 works exactly the same way except that you have to define your network object before so that you can then use it in DHCP settings.
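
Added example, not part of the thread and not Zentyal code: an audit for the gaps raised above with MAC-based static leases (a machine that sets its own static IP, and a known MAC appearing on an address it was not leased). It compares a static-lease allow-list with Linux `ip neigh show` output; the lease entries, addresses and neighbour lines are constructed samples, and the function names are hypothetical.

```python
"""Audit a LAN neighbour table against a DHCP static-lease allow-list."""
import re

# Constructed allow-list: MAC -> IP, mirroring the static address entries
# configured in the DHCP module (no dynamic range defined).
STATIC_LEASES = {
    "52:54:00:aa:10:01": "192.168.1.10",
    "52:54:00:aa:10:02": "192.168.1.11",
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth1 lladdr 52:54:00:aa:10:01 REACHABLE
192.168.1.11 dev eth1 lladdr 52:54:00:AA:10:02 STALE
192.168.1.77 dev eth1 lladdr 00:16:3e:5b:22:9c REACHABLE
192.168.1.50 dev eth1 lladdr 52:54:00:aa:10:02 DELAY
192.168.1.99 dev eth1  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<state>\S+)"
)

def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m["state"] not in ("FAILED", "INCOMPLETE"):
            yield m["ip"], m["mac"].lower()

def audit(neigh_text, leases):
    """Return findings as (kind, ip, mac) tuples."""
    findings = []
    for ip, mac in parse_neigh(neigh_text):
        if mac not in leases:
            # Host is on the LAN without a lease: address was set by hand.
            findings.append(("unknown-mac", ip, mac))
        elif leases[mac] != ip:
            # Allowed MAC on an address it was never leased: manual
            # configuration or a copied MAC address.
            findings.append(("ip-mismatch", ip, mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit(SAMPLE_NEIGH, STATIC_LEASES):
        print(f"{kind:12} {ip:15} {mac}")
```

A finding only reports that such a host is present; as noted in Reply #1, blocking it at the port needs a switch that supports port security.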