Preventing access to clients with static IPs

I have a network consisting of ~1,000 ports and ~60 access points. A recent problem has been clients statically assigning themselves an IP address within my DHCP range.

I am using dhcpd on FreeBSD (I don't know the version off the top of my head), and I have it set to ping an address before leasing it. A lot of my available addresses are being abandoned due to this, however some clients with static IP addresses have firewalls set to not respond to ICMP packets. In these cases, the server is still trying to lease the address, which is causing problems.

I am curious to hear how other people have solved this problem; I cannot imagine I am the first to encounter this. A few points:

- Setting static IP addresses across the network and moving away from DHCP is not an option. The vast majority of my clients are basic users who do not know what an IP address is, and the need to accommodate guests prevents me from using dynamically-assigned addresses or assigning static addresses myself.

- I have my switches set to prevent users from assigning static IP address on my wired network, so my problems exist only for my wireless network. I have the MAC addresses of clients using static addresses as well as the radio they are connected to, but do not have a good method of finding them beyond that.

Does anyone have any advice for what I can do in this situation to prevent clients from using static IP addresses, preferably in an automated manner that doesn't require me to run around policing people?

I don't know if it exists, but it would be great if I could find a software package that monitors traffic with the clients on one side and the DHCP server and gateway on the other side; it would track DHCP leases and then verify the IP/MAC combination of packets on their way to the gateway, removing packets which did not have an IP/MAC binding assigned by the DHCP server. This is what my switches do for my wired network, but they cannot do it for my wireless.

Sorry for the long post, and thank you in advance for any advice!
 
Is your DHCP server setup in a pure-dynamic setup, or do you use host entries to lock IPs to MAC addresses?

If the latter (which is the setup we use), we have a script that monitors for rogue MAC addresses, and alerts us via e-mail with the output of an nmap scan of the rogue station.

If doing pure dynamic, you may be SoL.
 
I've found something about executing commands in dhcpd.conf (in ISC dhcpd):

Code:
on commit
{
}

on expiry
{
}

on release
{
}

It could help to configure the packet filter of your choice (preferably one which understands MAC addresses).

Unfortunatelly, I cannot find any reasonable documentation about the event listeners above. Enter dhcpd.conf "on commit" in Google for some examples how to use this.
 
Thank you all for your replies.

The environment is purely dynamic with no dynamically-reserved addresses on the DHCP server. Essentially, I have to give an IP address to anyone who asks for one (guests, etc).

The DHCP daemon is running on the gateway, which is also serving as a firewall for the network. So using the information you provided nakal may allow me to update firewall rules to permit the MAC addresses which are assigned a lease. I'll investigate that more.

I also have the ability to use ACLs to block the MAC addresses of people using static addresses. My fear is that they would just change their MAC and keeping going. Maybe if I keep doing it, they'll finally give in and resort to a DHCPed address.
 
rjon17469 said:
I also have the ability to use ACLs to block the MAC addresses of people using static addresses. My fear is that they would just change their MAC and keeping going. Maybe if I keep doing it, they'll finally give in and resort to a DHCPed address.

You could adjust the amount of bandwidth people using unleased addresses are given... Or adjust their images as that classic example of a few years ago. Or redirect their web access to a static page that says "You have won a prize! Call (number of IT) to collect it!".
 
rjon17469 said:
I am using dhcpd on FreeBSD (I don't know the version off the top of my head), and I have it set to ping an address before leasing it. A lot of my available addresses are being abandoned due to this, however some clients with static IP addresses have firewalls set to not respond to ICMP packets. In these cases, the server is still trying to lease the address, which is causing problems.
Don't rely on ICMP to work. Use ARP, eg.

Code:
arp -d $IP >/dev/null 2>&1
ping -c 2 -i 0.1 -W 0.1 $IP >/dev/null 2>&1
arp -n $IP >/dev/null 2>&1
if [ $? -eq 1 ]; then
   # allow lease
fi

With some variation to the above, you could do the right thing and block users who set static IPs from the dynamic pool.
 
Someone already suggested a 2x4 to the user's head (my personal preference). The other option would be to implement some sort of 802.1x authorization.
 
Back
Top