Limiting DHCP address assignments

Here to help

Limiting DHCP address assignments

I'd like to secure our network so that a person could not simply plug into a network port and be assigned an IP allowing them to run all kinds of network tools against it.  I thought I could limit DHCP to known MAC addresses but I don't see it in my MX security appliance.  Is there another way to accomplish my goal that I'm not thinking of?  I could assign IPs manually but that's not a great option.



Kind of a big deal
Kind of a big deal

What MX do you have?  Do you have an MS as wekk? 

MX80 . MS220 switches.

You have a couple of options.  On your MS220 switches you could move to 802.1x port authentication.  This means only authenticated machines will be able to attach to your machine.  This is the most secure but also the most complex to setup.

This is typically done with a RADIUS server and a Windows AD domain, but you can also use Meraki Authentication if you have a small number of machines. 


The next options are around group policy.  You could make the default VLAN be a VLAN that is not conncted to anything.  And then apply a group policy that overrides the VLAN and puts the user into a working VLAN.

You could also use a similar approach where you change the default L3 firewall rules to "deny any" and then use group policy to override those firewall rules to allow access. 

On re-consideration, forget the VLAN option.  MS doesn't respond to group policies.  So one of the other two options,

Just to add: not giving out IP addresses (or even limiting those to known hosts) is nothing that would add a layer of security to your network.


If you really want to go for added security, see Philips advice on using 802.1x.

Philip thanks for the links! It looks like using hybrid authentication on the switch port might be the way to go... Now I need to figure out how to test it out on a small number of ports to see how it works. I have a radius server set up and functioning. Just figuring out the MAC portion is my challenge. Thanks for the idea!


Hybrid Authentication
When a hybrid access policy is enabled on a switchport, the client will first be prompted to provide their domain credentials for 802.1X authentication. If 802.1X authentication fails, it will deny the client and will not move to MAB authentication. If the switch does not receive any EAP packets, 802.1X authentication will timeout in 8 seconds, and the client's MAC address will then be authenticated via MAB. If 802.1X authentication timeout and MAB fails, the device will be put on a "guest" VLAN, if one is defined.
Hybrid authentication is helpful in environments where not every device supports 802.1X authentication since MAB exists as a failover mechanic.

Looking into it further I cannot list MAC addresses in my Radius server. I am using Jumpcloud as my DaaS, I have opened a ticket on using MACs in the Radius server but they do not support it.  Now looking at just whitelisting MACs in the MS port.  I need to test to see if it will block other MACs from passing traffic on that port.



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.