Windows server – assign IP by username

dhcp windows-server-2012

Some of my users need to have an IP from a specific range to use some services and some others don't. Since many users have access to different PCs (and sometimes they share the same PCs, too), is it possible for Windows Server 2012 DHCP to assign an IP address based on user name?

I did some research and it looks like it's not possible, since the DHCP addresses are assigned before a user logs in. Am I right?

I found that DHCP policies in Windows Server can be based on one or more of these parameters:

  • MAC Address
  • Vendor Class
  • User Class
  • Client Identifier
  • Relay Agent Information

but I think they are all related to the hardware installed on the PC.

How can I solve this problem? I thought about a login script that changes the IP after the login, but in this case I need to statically assign a different IP to each user. Is there a way to achieve this dynamically?

Best Answer

What you want to do is some form of 802.1x at the switch level with something like a NAP (Windows) or FreeRADIUS (*nix) back end. When a client connects initially, they are all put on a "quarantine" VLAN that doesn't have access to anything except logging in. Then, based on either their computer certificate or logon name or group membership in AD, they are put on the correct VLAN at the switch-port level.

You can't do this natively with DHCP; you need switches that support 802.1x and RADIUS as a minimum, or something like Cisco Clean Access or ISE, but those do far more than VLAN quarantining.
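The VLAN decision the answer describes, as an added example that is not part of the original answer and not NAP or FreeRADIUS code: it picks a VLAN from group membership, falls back to quarantine for anything unmatched, and encodes the three tunnel attributes (RFC 2868 / RFC 3580) that a RADIUS server returns in an Access-Accept so the switch can place the port. Group names, VLAN IDs and function names are constructed for illustration.

```python
import struct

# Constructed policy: AD group -> VLAN ID, highest priority first (assumed names and IDs).
GROUP_VLANS = [("Finance-Users", 20), ("Engineering-Users", 30)]
QUARANTINE_VLAN = 999  # assumed VLAN with access to logon services only

# RADIUS attribute type codes (RFC 2868) and values for 802.1X VLANs (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def select_vlan(authenticated, groups):
    """Return the VLAN for a session; anything not explicitly matched stays quarantined."""
    if not authenticated:
        return QUARANTINE_VLAN
    member_of = {g.lower() for g in groups}
    for group, vlan in GROUP_VLANS:
        if group.lower() in member_of:
            return vlan
    return QUARANTINE_VLAN


def _tagged_int(attr_type, value):
    # Type, Length=6, Tag=0x00, then a 3-octet value.
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """Encode the three tunnel attributes a switch reads from an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    vid = str(vlan_id).encode("ascii")
    group_id = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), 0) + vid
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + group_id)


if __name__ == "__main__":
    # Constructed sessions: (user, authenticated, AD groups).
    for user, ok, groups in [("alice", True, ["Domain Users", "finance-users"]),
                             ("bob", True, ["Domain Users"]),
                             ("mallory", False, ["Finance-Users"])]:
        vlan = select_vlan(ok, groups)
        print(user, vlan, vlan_attributes(vlan).hex())
```

Each VLAN then has its own DHCP scope, so the address range follows the user's group without DHCP needing to know who logged in.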