Sunday, July 21, 2013

How to filter MAC addresses in Windows (DHCP)

 

This is a feature I have been waiting for way too long. Up until today, if you wanted to
have some control over who is entitled to receive an IP address from your DHCP server, you
either had to configure reservations (for each of your systems) or had to use some lower
level device to filter out unwanted systems. Finally, that is over now.

The Microsoft DHCP team has posted a new DLL called "DHCP Server Callout DLL" on their blog.
This DLL can be used on Windows 2003 and Windows 2008 DHCP servers to limit the scope of
systems entitled to receive an IP address from the server based on their MAC address.

To install it you need to download the installer and run it.

Once the installation completes you will have two new files in your %windir%\system32 directory:

image

The first file provides documentation (installation and usage) while the second file is the DLL needed
to enable the functionality.

Installation and Configuration

  • Create a new directory. It can be basically anywhere, but I would recommend creating it under the DHCP
    service directory: %windir%\system32\DHCP. Give it an informative name such as MACFilter.
  • Copy both files to the new directory (once copied, you can safely remove the application using
    Programs and Features).
  • Create a new text file under the new directory called: "MACList.txt"
  • Add the following Registry keys to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters:
    image
  • Please note that you have to specify a full path for the log files, including filenames (they will be created
    automatically when the DHCP service is started).
  • Before you start using the feature, make sure to edit the MACFilter.txt file using the following format, which is
    self-explanatory:
    image
  • Basically, when choosing the ALLOW action, the server will provide IP addresses only to the systems that have their
    MAC addresses listed, while the DENY action will prevent the listed systems from getting an address. The MAC addresses
    should be listed without a delimiter and all lower case.
  • To enable the feature you have to restart the DHCP service. If it starts successfully, the following event (1033) will be logged:
    image
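
Inventory exports rarely use the delimiter-free, lower-case form the list requires, and with the ALLOW action a mistyped entry leaves that host without an address. The following PowerShell sketch is an added example, not part of the original post or of Microsoft's package: it normalises and validates MAC addresses before they are pasted into the list file. The function names and sample addresses are made up for illustration, and the action line of the list file is left out because its syntax appeared only in the post's screenshot.

```powershell
# Added example. Converts inventory-style MAC addresses to the form the post
# describes: 12 hex digits, no delimiter, all lower case.

function ConvertTo-CalloutMac {
    param([string]$Mac)
    # Drop the usual delimiters: 00-1A-2B-..., 00:1a:2b:..., 001a.2b3c.4d5e
    $hex = ($Mac -replace '[-:.\s]', '').ToLower()
    if ($hex -match '^[0-9a-f]{12}$') { return $hex }
    return $null    # wrong length or non-hex characters
}

function Get-CalloutMacList {
    param([string[]]$Lines)
    $seen = @{}; $valid = @(); $rejected = @()
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }          # skip blank lines
        $mac = ConvertTo-CalloutMac $line
        if ($null -eq $mac) { $rejected += $line }     # keep for review
        elseif (-not $seen.ContainsKey($mac)) { $seen[$mac] = $true; $valid += $mac }
    }
    New-Object PSObject -Property @{ Valid = $valid; Rejected = $rejected }
}

# Constructed sample input, e.g. pasted from an asset inventory export.
$sample = @(
    '00-1A-2B-3C-4D-5E',
    '00:1a:2b:3c:4d:5f',
    '001A.2B3C.4D60',
    '001a2b3c4d5e',        # duplicate of the first entry after normalisation
    '00-1A-2B-3C-4D',      # too short
    '00-1A-2B-3C-4D-ZZ'    # not hex
)

$result = Get-CalloutMacList -Lines $sample
$result.Valid              # one normalised MAC per line, duplicates removed
foreach ($bad in $result.Rejected) { Write-Warning "Not a valid MAC, skipped: $bad" }
```

Review the rejected entries before restarting the DHCP service rather than dropping them silently.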

Operation

Once it is started you don't need to meddle with it. The following screenshot shows you what happens networking-wise
when a specific host is denied:
image

Which is basically nothing: the DHCP server simply doesn't respond.

As for the logs, they will help you determine what is happening. If you would like to archive your logs, you will need to
provide your own mechanism, because the logs are recreated at every restart.
Operations:
image

Errors:
image

 

Download
