
Client/user Static IP HELP

I did some digging and it took me a while to narrow it down correctly but what you're looking for is 802.1x coupled with a RADIUS server for dynamic VLAN assignment. At that point you'll be able to pass down a VLAN based on the user's AD group. The switch needs to support this but most enterprise stuff will. You cannot reserve an IP address per user but you can define a range of addresses for each VLAN and based on the VLAN passed down to the switch will determine what range everything gets picked from.


6 minutes ago, Lurick said:

I did some digging and it took me a while to narrow it down correctly but what you're looking for is 802.1x coupled with a RADIUS server for dynamic VLAN assignment. At that point you'll be able to pass down a VLAN based on the user's AD group. The switch needs to support this but most enterprise stuff will. You cannot reserve an IP address per user but you can define a range of addresses for each VLAN and based on the VLAN passed down to the switch will determine what range everything gets picked from.

Thank you


1 hour ago, Lurick said:

I did some digging and it took me a while to narrow it down correctly but what you're looking for is 802.1x coupled with a RADIUS server for dynamic VLAN assignment. At that point you'll be able to pass down a VLAN based on the user's AD group. The switch needs to support this but most enterprise stuff will. You cannot reserve an IP address per user but you can define a range of addresses for each VLAN and based on the VLAN passed down to the switch will determine what range everything gets picked from.

How would I go about configuring that on the server?


7 hours ago, neckoblack said:

How would I go about configuring that on the server?

First, set up VLANs on your router and switches; each VLAN should have its own subnet and DHCP range. Verify that computers can get online when manually assigned to each VLAN. Then set up AD. Then, set up the switch you use for 802.1X, pointing to the AD server as the RADIUS server (you may have to enable/set up the RADIUS function, it is part of Network Policy Services). I am 99% sure that the virtual switches in both VirtualBox and Hyper-V do not support 802.1X; you need to use hardware switches with hardware computers. Once you have it set up that users have to log into AD in order to access the network, then you can change the configuration so that logging in assigns them a VLAN.

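What the last step of the post above amounts to on the wire, as an added example that is not part of the original thread: for dynamic VLAN assignment the RADIUS server returns three tunnel attributes (RFC 3580, encoded per RFC 2868) in the Access-Accept, and the switch places the port in that VLAN. The group names and VLAN numbers below are constructed for illustration.

```python
import struct

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy (hypothetical AD group names): first match wins.
GROUP_TO_VLAN = [("Management", 10), ("Accounting", 20), ("Engineering", 30)]

def vlan_for(groups):
    """Return the VLAN for the first matching group, or None (no assignment)."""
    for name, vlan in GROUP_TO_VLAN:
        if name in groups:
            return vlan
    return None

def encode_vlan_attrs(vlan_id, tag=0):
    """Encode the three tunnel attributes the switch needs for a dynamic VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    def tagged_int(attr, value):
        # Type, Length=6, Tag, then a 3-byte big-endian value.
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    vid = str(vlan_id).encode("ascii")  # RFC 3580: VLAN ID is sent as a string
    group = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), tag) + vid
    return tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802) + group

def decode_vlan(attrs):
    """Parse attribute bytes; return the VLAN only if the full triplet is valid."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[attr] = int.from_bytes(body[1:], "big")  # skip the tag byte
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # The tag byte is optional: a first byte above 0x1F is string data.
            seen[attr] = int((body[1:] if body[0] <= 0x1F else body).decode("ascii"))
        i += attrs[i + 1]
    if seen.get(TUNNEL_TYPE) == VLAN and seen.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return seen.get(TUNNEL_PRIVATE_GROUP_ID)
    return None  # incomplete triplet: treat as "no VLAN assigned"
```

Comparing `decode_vlan` output against the attributes seen in a packet capture of the Access-Accept is a quick way to tell a policy problem on the server from a switch that ignores the assignment.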

I find this thread interesting as it makes no sense to me for real-world purposes, unless you're doing it for the heck of it. So many ways to track & secure users nowadays. This would seem like a nightmare to troubleshoot & manage. Most firewalls with AD integration would give you most of their activity on the network.


Alternatively, one way you could do this is with virtual desktops where all users remote into their own VM which has a fixed IP, and you deny them all the local stuff via GPO. This way they can remote in via BYOD or company machine. It would also make managing the user VMs easier.


Why do departments need to be separated at the IP level? Accounting and Engineering can ride the same subnet without any concern - the resources they access should be restricted by username anyway. Let's say there is a network share you only want accounting to access. The best way is to set permissions on the share, then Engineering can try until they are blue in the face and never gain access.

 

You should not have any network resources that are open to anyone who can simply connect.

 

If for some reason you are not allowed to say why, then say so. Otherwise it's a big mystery why users "need" a static IP address and it's frustrating to try and help without additional knowledge.

 

I believe Windows Firewall can create rules that are user based. So if you want to block network access then poke around Windows Firewall a little. (Changing an IP address is no different than using a firewall since you're still physically connected to the same network)


15 minutes ago, Mikensan said:

Why do departments need to be separated at the IP level? Accounting and Engineering can ride the same subnet without any concern - the resources they access should be restricted by username anyway. Let's say there is a network share you only want accounting to access. The best way is to set permissions on the share, then Engineering can try until they are blue in the face and never gain access.

 

You should not have any network resources that are open to anyone who can simply connect.

 

If for some reason you are not allowed to say why, then say so. Otherwise it's a big mystery why users "need" a static IP address and it's frustrating to try and help without additional knowledge.

 

I believe Windows Firewall can create rules that are user based. So if you want to block network access then poke around Windows Firewall a little. (Changing an IP address is no different than using a firewall since you're still physically connected to the same network)

The users with the static IP are management-level employees and need/want a static IP, the benefits of that being:

Configure bandwidth for those users (I think), and other security reasons as I was told

As for the pool of IPs for that department, I believe it's to ensure that they have their own pool, thus less risk of them being booted off the system because of the IP lease expiring. I have tried to explain the situation the best I can but I always seem to forget to add details.


40 minutes ago, neckoblack said:

The users with the static IP are management-level employees and need/want a static IP, the benefits of that being:

Configure bandwidth for those users (I think), and other security reasons as I was told

As for the pool of IPs for that department, I believe it's to ensure that they have their own pool, thus less risk of them being booted off the system because of the IP lease expiring. I have tried to explain the situation the best I can but I always seem to forget to add details.

Why do the managers need static IPs? For what reason? I get the feeling one of them heard some term they don't understand and that's what is causing this nonsensical request.

 

Configuring bandwidth should be doable using AD integration. And "other security reasons" doesn't mean anything at all. They need to be specific about what security reasons.

 

Also, unless you have hundreds of computers, you shouldn't have any issues with DHCP lease issues. If the lease expires, they get a new IP - that's not a bad thing.


I think you could convince them they do not need a static IP address, especially if they're going to be on the same network but just different IP addresses. More so if they're sharing a computer lol.

 

 

Speaking of sharing a computer, one thing you should look at is Microsoft Multipoint Server 2016.

https://rlevchenko.com/2015/11/22/multipoint-services-role-in-windows-server-2016/

 

This may allow you to accomplish what you want. I'm trying to give suggestions to accomplish what you want, but I also feel that to be a good IT admin you have to stand by good practices and set reasonable expectations. Try to take their needs and create a good solution; don't let them tell you the solution, just their needs.


1 hour ago, Mikensan said:

I think you could convince them they do not need a static IP address, especially if they're going to be on the same network but just different IP addresses. More so if they're sharing a computer lol.

 

 

Speaking of sharing a computer, one thing you should look at is Microsoft Multipoint Server 2016.

https://rlevchenko.com/2015/11/22/multipoint-services-role-in-windows-server-2016/

 

This may allow you to accomplish what you want. I'm trying to give suggestions to accomplish what you want, but I also feel that to be a good IT admin you have to stand by good practices and set reasonable expectations. Try to take their needs and create a good solution; don't let them tell you the solution, just their needs.

Indeed - you are IT for a reason. If they want to tell you how to do your job, they should manage IT themselves. A good manager will tell IT what they need, and a good IT admin will tell the manager how to accomplish that.

 

Setting IPs per user makes no sense whatsoever on a local network.
