Good Evening Everyone!

Background: In my environment we currently assign all IP addresses manually because we are required to maintain a list of all IP addresses and what computers they go to.

My Question: Is there a way to enable and configure DHCP to automatically recognize certain host names and automatically assign them a certain IP address that will never change? If the host name is not recognized, I would like it to not assign the computer an IP address.

Thank you in advance!
asked Oct 1, 2014 at 10:00

This is easily done in pfSense: in DHCP Server settings, add the clients that you want to allow to obtain IPs from the server, then tick the Deny unknown clients option.
Commented Oct 1, 2014 at 10:08

It is called Reservations under Windows 2008. See the following link for detailed instructions.

answered Oct 1, 2014 at 10:11 user3767013

I do not know of any way to do it by host name, but most routers can do it by MAC address with a MAC allow list.

answered Oct 1, 2014 at 10:03 adgelbfish

Depends on the capabilities of your DHCP server. Microsoft Windows cannot do this, and most DHCP servers cannot do this; all you can do is put in a "reservation" that maps a specific MAC address to an IP address.

With ISC's DHCP server, which is freeware and included in most Linux distributions, you can create a setup with a filter list that allows only clients sending specific option 12 values (hostname option) and denies the rest. However, there is absolutely no security around this. Anybody who finds out what hostnames are allowed can rename their host and get in, potentially stomping on another host's name-to-IP address mapping in DNS (if you've configured that).

What you probably really want is something that is more divorced from this low-level mechanism and is secure. Consider deploying 802.1x, which is relatively easy to set up and which most clients support these days. It requires user/password authentication to connect to the network, akin to how WPA works with wireless, but happens before the DHCP request is even done. It uses a RADIUS server for the authentication, which can then use Active Directory on the backend for the authentication if you have AD already. (You can also use RAS for 802.1x authentication if you have that.)
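
An added example, not part of any answer above: a small audit that compares leases in ISC dhcpd's `dhcpd.leases` format against the kind of host inventory the question describes, flagging a lease whose hostname is in the inventory but whose MAC is not the recorded one (the rename risk the last answer points out) and leases for hosts that are not listed at all. The inventory, hostnames, MACs and addresses are constructed sample values.

```python
import re

# Constructed inventory: hostname -> (MAC, reserved IP). Sample values only.
INVENTORY = {
    "ws-finance-01": ("00:00:5e:00:53:01", "192.0.2.10"),
    "ws-hr-02": ("00:00:5e:00:53:02", "192.0.2.11"),
}

# Constructed sample in ISC dhcpd.leases format (not taken from a real server).
SAMPLE_LEASES = '''
lease 192.0.2.10 {
  hardware ethernet 00:00:5e:00:53:01;
  client-hostname "ws-finance-01";
}
lease 192.0.2.11 {
  hardware ethernet 00:00:5e:00:53:99;
  client-hostname "ws-hr-02";
}
lease 192.0.2.50 {
  hardware ethernet 00:00:5e:00:53:aa;
}
'''

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
NAME_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Yield (ip, mac, hostname) per lease block; missing fields are None."""
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        name = NAME_RE.search(body)
        yield ip, mac.group(1).lower() if mac else None, name.group(1) if name else None

def audit(text, inventory):
    """Return (ip, mac, hostname, finding) for leases that do not match the inventory."""
    findings = []
    for ip, mac, name in parse_leases(text):
        expected = inventory.get((name or "").lower())
        if expected is None:
            findings.append((ip, mac, name, "unknown-host"))
        elif mac != expected[0]:  # hostname is self-reported, so check the MAC too
            findings.append((ip, mac, name, "hostname-mac-mismatch"))
        elif ip != expected[1]:
            findings.append((ip, mac, name, "unexpected-ip"))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_LEASES, INVENTORY):
        print(row)
```

A MAC address is also client-supplied, so a clean result here is an inventory check, not authentication.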