DHCP authentication

Unanswered Question
May 1st, 2009

I want to turn a Cisco router into a DHCP server; will it support authentication? I want to restrict the hosts which can get an address from the DHCP server.

Thanks,

Laurent Aubert Sun, 05/03/2009 - 10:03

Hi,

There is no authentication mechanism embedded in the DHCP protocol.

You could do manual bindings and would need a pool per host. Use the client-identifier to bind your host to a pool:

ip dhcp pool POOL
 host 10.1.1.4 255.255.255.0
 client-identifier 0100.1b77.66cf.55
 dns-server 24.200.241.37 24.201.245.77
 default-router 10.1.1.254
!

The client-identifier for Windows hosts is 01 prepended to the MAC address.

HTH

Laurent.
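As an added example (not from the thread, and not Cisco's own code), a small Python script that turns a MAC inventory into the per-host manual-binding pools described above, computing each client-identifier from the MAC with the 01 hardware-type prefix; the pool names, host list and duplicate check are my assumptions.

```python
import re


def client_identifier(mac: str, hw_type: int = 1) -> str:
    """Return the IOS client-identifier for a MAC address.

    The identifier is the DHCP hardware type (0x01 for Ethernet, which is
    what Windows clients send) followed by the 6-byte MAC, written as dotted
    groups of four hex digits, e.g. 00:1b:77:66:cf:55 -> 0100.1b77.66cf.55.
    Colons, dashes and Cisco-style dots are all accepted.
    """
    hexmac = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexmac) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = f"{hw_type:02x}{hexmac}"
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def manual_binding_pools(hosts, mask, gateway, dns_servers):
    """Render one 'ip dhcp pool' stanza per (pool name, MAC, IP) tuple.

    Two pools bound to the same client-identifier or the same address would
    compete, so duplicates are rejected before any config is produced.
    """
    seen_ids, seen_ips = set(), set()
    stanzas = []
    for name, mac, ip in hosts:
        cid = client_identifier(mac)
        if cid in seen_ids or ip in seen_ips:
            raise ValueError(f"duplicate binding for {mac} / {ip}")
        seen_ids.add(cid)
        seen_ips.add(ip)
        stanzas.append("\n".join([
            f"ip dhcp pool {name}",
            f" host {ip} {mask}",
            f" client-identifier {cid}",
            f" dns-server {' '.join(dns_servers)}",
            f" default-router {gateway}",
            "!",
        ]))
    return "\n".join(stanzas)


# Constructed sample inventory; the first entry matches the pool shown above.
HOSTS = [
    ("PC-FINANCE-1", "00:1b:77:66:cf:55", "10.1.1.4"),
    ("PC-FINANCE-2", "001b.7766.cf56", "10.1.1.5"),
]

if __name__ == "__main__":
    print(manual_binding_pools(HOSTS, "255.255.255.0", "10.1.1.254",
                               ["24.200.241.37", "24.201.245.77"]))
```

The client-identifier is simply whatever the client puts in its request, so this controls which addresses the router hands out, not who the requesting host really is.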

sujitkr7cisco Sun, 05/03/2009 - 14:35

We can use an FTP server where the IP address and the corresponding MAC address are listed (in a .txt file). In this setup, when a user wants an IP through the DHCP server, it first goes to the FTP server (*.txt) and, after a match, gets the corresponding IP address.

Note: a static IP address always has more preference than a DHCP IP address.

Thanks ,

Sujeet

c.captari Sun, 05/03/2009 - 17:28

You may want to have a look at DHCP snooping:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf

Basically this helps you define which interfaces are in trusted mode to receive DHCP conversations. It has a lot of features. I advise you to read the PDF.

From Cisco:

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.
