Disabling Internet Access for non-member PCs?

[Sir Asvald]

Hey guys, How can I deny access to the internet for PCs who try to connect via LAN who are not part of the domain? Do I do it within the group policy?

 

Thanks.

 

 

[Lennart van de Merwe]

2 minutes ago, Abdul201588 said:

Hey guys, How can I deny access to the internet for PCs who try to connect via LAN who are not part of the domain? Do I do it within the group policy?

 

Thanks.

 

 

Ummm, just add a password? Or am I being stupid?

[Technomancer__]

you can set your router to allow access to the computers you whitelist. you can add your devices mac to whitelist

[Sir Asvald]

1 minute ago, Lennart van de Merwe said:

Ummm, just add a password? Or am I being stupid?

If it was that simple.

Just now, Ethocreeper said:

you can set your router to allow access to the computers you whitelist. you can add your devices mac to whitelist

I could to that, but again. Anyone can Spoof Mac Address. 

[Technomancer__]

1 minute ago, Abdul201588 said:

I could to that, but again. Anyone can Spoof Mac Address. 

 

a yea i forgot about that

[Lennart van de Merwe]

1 minute ago, Abdul201588 said:

If it was that simple.

I could to that, but again. Anyone can Spoof Mac Address. 

You say anyone can spoof a Mac address, but unless you're dealing with other techies I'd say it isn't very probable to asume that everyone is gonna do that.

[Technomancer__]

i summon @Lurick to help

[Lurick]

6 minutes ago, Ethocreeper said:

i summon @Lurick to help

You have summoned me!

I demand payment of 1 billion dollars!

[Technomancer__]

2 minutes ago, Lurick said:

You have summoned me!

I demand payment of 1 billion dollars!

 

[Lurick]

If your network can do VLANs then just do a VACL to deny that VLAN out to the internet. Of course this would require separate VLANs for guest wireless access too.

[Just.Oblivious]

If your switches support it: 802.1X port-based network authentication with RADIUS.

[Falconevo]

MAC address filtering and rules on DHCP server to provide anyone outside of your assigned MAC's to not have a gateway or DNS server.  That will prevent them accessing anything other than the local network/subnet.

[Lurick]

3 hours ago, Just.Oblivious said:

If your switches support it: 802.1X port-based network authentication with RADIUS.

Depending on how your ACLs are pushed down and applied, that could work as well  

[Guest]

16 hours ago, Lurick said:

If your network can do VLANs then just do a VACL to deny that VLAN out to the internet. Of course this would require separate VLANs for guest wireless access too.

Firewall or gateway with RADIUS support might just be easier.. 

[LAwLz]

OP, there is absolutely no need to mess around with ACLs or such.

What you want is 802.1X authentication. What that means is that when a computer connects to the network it will be prompted to put in a username and password, which can be tied to your AD.

 

Look up how to implement 802.1X on the switches you use, and then install something like FreeRADIUS. You can also do it through Windows Server using NPS, but that can sometimes be a pain in the ass.

[Lurick]

7 hours ago, LAwLz said:

OP, there is absolutely no need to mess around with ACLs or such.

What you want is 802.1X authentication. What that means is that when a computer connects to the network it will be prompted to put in a username and password, which can be tied to your AD.

 

Look up how to implement 802.1X on the switches you use, and then install something like FreeRADIUS. You can also do it through Windows Server using NPS, but that can sometimes be a pain in the ass.

Or you just put a single ACL line that denies addresses from the guest range from leaving the network

Much simpler to do that 802.1X

[LAwLz]

29 minutes ago, Lurick said:

Or you just put a single ACL line that denies addresses from the guest range from leaving the network

Much simpler to do that 802.1X

That assumes that they already have something that separates non-domain PCs from domain ones (hopefully they do, but that's not sure), and it would not work with BYOD.

It would require the config to be copied (and changed) on all access switches as well, which could be a pain in the ass.

 

You can use access lists if you want, but why use the clunky method when we have a standard designed for this?

[Lurick]

Just now, LAwLz said:

That assumes that they already have something that separates non-domain PCs from domain ones (hopefully they do, but that's not sure), and it would not work with BYOD.

It would require the config to be copied (and changed) on all access switches as well, which could be a pain in the ass.

 

You can use access lists if you want, but why use the clunky method when we have a standard designed for this?

I somehow was thinking just WLAN this whole time with a separate guest SSID that you could block with a single ACL line.

For LAN only access or more secure WLAN and LAN based access, I agree on the 802.1x method.