MAC address filtering (DHCP)

This is a feature I have been waiting for far too long. Until today, if you wanted some control over
which systems were entitled to receive an IP address from your DHCP server, you either had to
configure reservations (one for each of your systems) or had to rely on some lower-level device to
filter out unwanted systems. That is finally over.

The Microsoft DHCP team has posted a new DLL called “DHCP Server Callout DLL” on their blog.
It plugs into the callout interface of the DHCP server on Windows Server 2003 and Windows Server 2008
and limits which systems are entitled to receive an IP address from the server, based on their MAC address.

To install it, download the installer and run it.

Once the installation completes you will have two new files in your %windir%\system32 directory.
The first file is the documentation (installation and usage); the second is the DLL itself, which
provides the functionality.
 

Installation and Configuration

  • Create a new directory, basically anywhere, but I recommend creating it under the DHCP
    service directory, %windir%\system32\DHCP. Give it an informative name such as MACFilter.
  • Copy both files to the new directory (once copied, you can safely remove the application using
    Programs and Features).
  • Create a new text file in the new directory called MACList.txt.
  • Add the registry values described in the documentation file under
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters.
  • Note that the log files must be specified as full paths, including the filenames (they are created
    automatically when the DHCP service starts).
  • Before you start using the feature, edit MACList.txt. The format is self-explanatory: an action line,
    MAC_ACTION={ALLOW} or MAC_ACTION={DENY}, followed by one MAC address per line.
  • With ALLOW, the server hands out IP addresses only to the systems whose MAC addresses are listed;
    with DENY, the listed systems are prevented from getting an address. MAC addresses must be written
    without delimiters and in lower case, e.g. 000b0e1fd600 rather than 00:0B:0E:1F:D6:00.
  • To enable the feature, restart the DHCP service. If the filter started successfully, event 1033 is logged.
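The whole procedure as one script, as an added example; this is not code from the original post or from the callout DLL itself. It writes MACList.txt in the format described above (normalising whatever delimiter and case the admin typed), registers the DLL, restarts the service and treats a missing event 1033 as failure. The DLL file name ($DllName) and the keys of the $DllValues hashtable are placeholders to be replaced with the names given in the documentation file the installer drops in system32; CalloutDlls and CalloutEnabled are the standard DHCP server callout registration values. The sample MAC addresses are constructed.

```powershell
# Added example, not code from the original post or from the callout DLL.
# Builds MACList.txt, registers the DLL with the DHCP server, restarts the
# service and checks for event 1033. Run from an elevated PowerShell on the
# DHCP server.
#
# ASSUMPTIONS: $DllName and the keys of the $DllValues hashtable passed to
# Register-MacFilterCallout are placeholders; take the real DLL file name and
# the DLL-specific registry value names from the documentation file that the
# installer drops in %windir%\system32. CalloutDlls and CalloutEnabled are the
# standard DHCP server callout registration values.

$FilterDir = Join-Path $env:windir 'system32\DHCP\MACFilter'
$ListPath  = Join-Path $FilterDir 'MACList.txt'
$DllName   = 'MacFilterCallout.dll'   # placeholder, see above
$Params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# One MAC in the DLL's format: 12 lowercase hex digits, no delimiters.
function ConvertTo-MacFilterEntry {
    param([Parameter(Mandatory=$true)][string]$Mac)
    $clean = ($Mac -replace '[:\-\.\s]', '').ToLowerInvariant()
    if ($clean -notmatch '^[0-9a-f]{12}$') {
        throw "Rejecting '$Mac': not a 48-bit MAC address"
    }
    return $clean
}

# MACList.txt: MAC_ACTION={ALLOW|DENY} on the first line, then one MAC per line.
function Write-MacFilterList {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][ValidateSet('ALLOW','DENY')][string]$Action,
        [Parameter(Mandatory=$true)][string[]]$MacAddresses
    )
    $entries = @($MacAddresses | ForEach-Object { ConvertTo-MacFilterEntry $_ } | Sort-Object -Unique)
    if ($Action -eq 'ALLOW' -and $entries.Count -eq 0) {
        throw 'An empty ALLOW list would deny every client; refusing to write it'
    }
    $lines = @("MAC_ACTION={$Action}") + $entries
    # Plain ASCII, no BOM, so the DLL reads exactly these bytes.
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, [System.Text.Encoding]::ASCII)
    return $entries.Count
}

# Register the DLL. $DllValues maps the DLL-specific value names (from the
# bundled documentation) to full paths: the list file and the two log files.
function Register-MacFilterCallout {
    param(
        [Parameter(Mandatory=$true)][string]$DllPath,
        [Parameter(Mandatory=$true)][hashtable]$DllValues
    )
    if (-not (Test-Path -LiteralPath $DllPath)) { throw "DLL not found: $DllPath" }
    foreach ($name in $DllValues.Keys) {
        # The post is explicit: log files must be full paths including the file name.
        if (-not [System.IO.Path]::IsPathRooted($DllValues[$name])) {
            throw "$name must be a full path, got '$($DllValues[$name])'"
        }
        Set-ItemProperty -Path $Params -Name $name -Value $DllValues[$name] -Type String
    }
    Set-ItemProperty -Path $Params -Name CalloutDlls    -Value ([string[]]@($DllPath)) -Type MultiString
    Set-ItemProperty -Path $Params -Name CalloutEnabled -Value 1 -Type DWord
}

# The DLL fails open: a broken config leaves DHCP running unfiltered, so
# treat "no event 1033 after the restart" as a failure, not as success.
function Restart-DhcpAndVerify {
    $since = (Get-Date).AddSeconds(-5)
    Restart-Service -Name DHCPServer
    Start-Sleep -Seconds 5
    # Assumption: the event lands in the System log like other DHCP server events.
    $ok = Get-EventLog -LogName System -After $since | Where-Object { $_.EventID -eq 1033 }
    if (-not $ok) { throw 'DHCP restarted but no event 1033: MAC filter is NOT active' }
    return 'MAC filter active (event 1033 logged)'
}

# --- usage ---
if (-not (Test-Path $FilterDir)) { New-Item -ItemType Directory -Path $FilterDir | Out-Null }
# Constructed sample input: mixed delimiters and case are accepted and normalised.
$count = Write-MacFilterList -Path $ListPath -Action ALLOW -MacAddresses @(
    '00:0B:0E:1F:D6:00', '00-0b-0e-1f-d6-01', '000b.0e1f.d602'
)
"$count entries written to $ListPath"
Register-MacFilterCallout -DllPath (Join-Path $FilterDir $DllName) -DllValues @{
    # placeholder keys: replace with the value names from the documentation file
    'MacListPath'   = $ListPath
    'OperationsLog' = (Join-Path $FilterDir 'operations.log')
    'ErrorLog'      = (Join-Path $FilterDir 'errors.log')
}
Restart-DhcpAndVerify
```

The two checks worth keeping even if you rewrite the rest: never write an empty ALLOW list (it locks every client out), and never assume the filter is on just because the service came back up.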

Operation

Once it is running you don’t need to meddle with it. Networking-wise, a denied host sees basically
nothing: the DHCP server simply doesn’t respond to its requests. There is no NAK and no error to tell the
client why; it just keeps retrying, and a Windows client will eventually fall back to an APIPA (169.254.x.x)
address.

As for the logs, they will help you determine what is happening. If you want to archive them you will need to
provide a mechanism yourself, because the logs are recreated at every restart of the service.

Two logs are written: an operations log and an error log.

Keep in mind that if something is wrong (a bad path, a malformed list) the service will still start, just
without this feature enabled. In other words it fails open: the server keeps answering every client, so check
for event 1033 after each restart rather than assuming the filter is active.
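Because the logs are recreated at every restart and every list change needs one, an archive-then-restart routine is the operational piece that is missing. The following is an added example, not code from the original post or from the DLL; the two log paths are assumptions and should match whatever full paths you put in the registry.

```powershell
# Added example, not from the original post or the DLL. Rotates the callout's
# log files before a restart (the DLL recreates them on start), then verifies
# that the filter actually came up. Run elevated on the DHCP server.
function Restart-MacFilterDhcp {
    param(
        [Parameter(Mandatory=$true)][string[]]$LogPaths,   # full paths as set in the registry
        [Parameter(Mandatory=$true)][string]$ArchiveDir
    )
    if (-not (Test-Path $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    # Stop first so the DLL no longer holds the files open, then move them away.
    Stop-Service -Name DHCPServer
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($log in $LogPaths) {
        if (Test-Path -LiteralPath $log) {
            $name = '{0}-{1}{2}' -f [IO.Path]::GetFileNameWithoutExtension($log), $stamp, [IO.Path]::GetExtension($log)
            Move-Item -LiteralPath $log -Destination (Join-Path $ArchiveDir $name)
        }
    }
    $since = (Get-Date).AddSeconds(-5)
    Start-Service -Name DHCPServer
    Start-Sleep -Seconds 5
    # Fail-open check: without event 1033 the service is up but unfiltered.
    # Assumption: the event is written to the System log.
    $ok = Get-EventLog -LogName System -After $since | Where-Object { $_.EventID -eq 1033 }
    if (-not $ok) { Write-Warning 'No event 1033 after restart: MAC filtering is NOT active' }
    return [bool]$ok
}

# Usage after editing MACList.txt (paths are assumptions matching the registry values):
$dir = Join-Path $env:windir 'system32\DHCP\MACFilter'
Restart-MacFilterDhcp -LogPaths @((Join-Path $dir 'operations.log'), (Join-Path $dir 'errors.log')) `
                      -ArchiveDir (Join-Path $dir 'archive')
```

Stopping the service before moving the files matters: a file the DLL still has open cannot be moved, and a copy taken while it is being written may be truncated.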


Conclusions

Nifty, yet there are a few issues I would like to see resolved:

  1. A better installation process (having to edit the registry manually isn’t my idea of fun).
  2. A better user interface, one that checks for errors.
  3. The logs are OK, but they should be integrated with Event Viewer.
  4. Every change (adding or removing a MAC) needs a restart of the service. That isn’t a big deal
     since we are talking about DHCP, but still…

A few more things system admins need to keep in mind:

  1. Integration with recovery procedures. The list file, the registry values and the DLL itself live
     outside the DHCP database, so you need to take care of backing them up and restoring them manually.
  2. This isn’t a bulletproof solution. A user, or a malicious user, may change their MAC address, which
     takes a single setting on most operating systems, and a denied host can simply configure a static
     address in the subnet instead. Treat it as hygiene, not as network access control; for the latter you
     need port-based authentication (802.1X) at the switch.

 

Don’t get me wrong here (I may have sounded negative): this is a great new add-on that can make
life easier for us, and once the small issues are ironed out it will be perfect.

6 thoughts on “MAC address filtering (DHCP)”

  1. Sounds great, but instead of doing this thousands of times and having to restart the service every time:

    MAC_ACTION={ALLOW}
    000b0e1fd600

    Can I do this just once?:

    MAC_ACTION={ALLOW}
    000b0*.*

    We have thousands of devices from one vendor that we want to permit to get DHCP while denying everything else.

    Thanks,

    Curtis
