Windows – Microsoft Windows DHCP: Steering IPv4 clients into specific scopes based on MAC

Tags: dhcp, windows, windows-server-2012

We have visitors on our campus who bring their own laptops and devices and use our wireless and wired networks. When we receive a copyright infringement notice (typically BitTorrenting), we are required to quarantine that MAC address so that it no longer has Internet access. No matter what website it tries to visit, it is sent to a web page explaining to the user that the device has been quarantined.

We have thus far implemented this in ISC DHCP on Linux. We have multiple VLANs with one or more public-IP subnets and one RFC1918 quarantine subnet each. All clients are leased IPs in the public-IP subnet(s) unless you're in a list of known bad MACs. Then, you are sent to the quarantine subnet so that your traffic is unroutable on the Internet (you are isolated by subnet only, not by VLAN).

We would like to move to Windows DHCP in light of the IPAM role but I cannot figure out how to replicate this in Windows DHCP 2012 (Assign DHCP IPs for specific MAC prefixes on Windows Server 2008 R2 suggests it was not possible in 2008 R2), even while using policies.

So here's what I'd like: The administrator/help desk provides and maintains a list of MAC addresses that are to be quarantined. The DHCP server places those MACs into the quarantine subnet on the respective VLAN, no matter which VLAN the client is in.

I don't think reservations would work: We currently have about 300 registered bad MACs and about 12 VLANs. I don't want to make 300 x 12 reservations nor have to add 12 reservations per new MAC address. Not to mention all of the quarantine subnets are /24s.

We do not have NPS/NAC. You do not have to register your MAC address to get network access. We use Cisco routers/switches.

Thanks.
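For reference, this is the ISC DHCP arrangement the question describes (one public subnet plus one RFC1918 quarantine subnet per VLAN, with a class of known bad MACs steered into the quarantine pool). It is an added illustration written for this page, not configuration from the original post; the VLAN name, subnets, MAC address and include path are made up, and the public range uses the documentation prefix 203.0.113.0/24.

```conf
# Clients are classified by their Ethernet hardware address.
# "1:" is the hardware type (Ethernet) that precedes the MAC in a subclass.
class "quarantined" {
    match hardware;
}

# The help desk maintains one "subclass" line per quarantined MAC in a
# separate file, so the main config never changes when a MAC is added.
# Example entry (hypothetical MAC):
#   subclass "quarantined" 1:00:11:22:33:44:55;
include "/etc/dhcp/quarantine-macs.conf";

# One shared-network per VLAN: the relay agent's GIADDR lands the request
# in this shared-network, and the pool rules decide which subnet answers.
shared-network vlan10 {
    # Public, routable subnet: anyone NOT in the quarantine class.
    subnet 203.0.113.0 netmask 255.255.255.0 {
        option routers 203.0.113.1;
        option domain-name-servers 203.0.113.53;
        pool {
            deny members of "quarantined";
            range 203.0.113.20 203.0.113.250;
        }
    }

    # RFC1918 quarantine subnet on the same VLAN: quarantined MACs only.
    # The router does not forward this prefix to the Internet, and its DNS
    # resolves every name to the "you have been quarantined" web server.
    subnet 10.10.0.0 netmask 255.255.255.0 {
        option routers 10.10.0.1;
        option domain-name-servers 10.10.0.53;
        pool {
            allow members of "quarantined";
            range 10.10.0.20 10.10.0.250;
        }
    }
}
```

Because the class is global, the same subclass list applies to every shared-network, so adding one `subclass` line quarantines a device on all VLANs at once (the scaling problem the question raises for per-VLAN reservations).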

Best Answer

The Microsoft DHCP server has no concept of a list of MAC addresses that are outside one of the configured DHCP scopes. I'm also not aware of any way to get the Microsoft DHCP server to return an IP address outside of the scope in which the DHCP relay agent's GIADDR address falls. I don't think you're going to be able to replicate what you had w/ the Microsoft DHCP Server.

As an aside: Before you consider handing-out IP addresses to public clients using a Microsoft DHCP server you may want to get a clear statement from Microsoft as to whether or not these devices need CALs. Microsoft has made contradictory statements about this. To be "safe" I always use a non-Microsoft DHCP server for public subnets.

Edit:

You're absolutely right that a DHCP superscope will allow IP addresses to be assigned to clients outside the subnet of the GIADDR that the relay agent passes. It's not a feature I've ever used in production but, even so, I feel like a bit of an ass for not thinking of it.