on the MAC address of the ethernets. However, I could not find any way to ensure that each user will get their assigned IP if they set up their IP statically on their W2K. To work around this, I'm thinking of deploying identd on every client and periodically checking against an arping sweep to verify MAC addresses with users. Does anyone have a suggestion?
Of course dhcpd can't prevent machines from not asking it for addresses. As for how to prevent use of addresses not issued by DHCP, that's not that easy. You can't prevent their use unless you control the individual workstations, which you do not, apparently. So what you really want to do is make this feat useless. How to achieve this depends on what is interesting and what is deterring to your users.

If it's Internet access or connectivity across a firewall, for example, you could allow an IP address through the firewall only if the DHCP server has handed it out (with netfilter, though, this would be more easily accomplished by just matching the MAC addresses).

Or you could write a userland utility that (hopefully aggressively) claims all IP addresses owned by the local DHCP server and releases them when they are handed out. This would probably be a little difficult, since close interaction with dhcpd is required.

Or you could use snort or similar and have it alert on unknown combinations of MAC and IP address, and you could take manual or automatic action.

Just some ideas. Not sure if any of them are recommendable, though.

Tobias
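
The "alert on unknown combinations of MAC and IP address" idea from the reply above, as an added example that is not part of the original thread: it compares the pairs seen on the wire with what the DHCP server actually handed out. It assumes an ISC dhcpd lease file and `ip neigh` style neighbour output; the sample data is constructed and the function names are hypothetical.

```python
import re

# Constructed samples (not from the thread): ISC dhcpd.leases syntax, then `ip neigh` output.
LEASES = """\
lease 192.168.1.10 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.12 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""
NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.12 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:aa REACHABLE
192.168.1.60 dev eth0  FAILED
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)

def active_leases(text):
    """IP -> MAC for active leases; a later entry for an IP replaces an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state, mac = STATE_RE.search(body), MAC_RE.search(body)
        leases.pop(ip, None)
        if state and mac and state.group(1) == "active":
            leases[ip] = mac.group(1).lower()
    return leases

def audit(leases_text, neigh_text):
    """(ip, mac, reason) for observed pairs dhcpd did not issue; lines without lladdr are skipped."""
    leases, alerts = active_leases(leases_text), []
    for fields in (l.split() for l in neigh_text.splitlines() if " lladdr " in l):
        ip, mac = fields[0], fields[fields.index("lladdr") + 1].lower()
        if ip not in leases:
            alerts.append((ip, mac, "no active lease"))
        elif leases[ip] != mac:
            alerts.append((ip, mac, "MAC differs from lease"))
    return alerts
```

`audit(LEASES, NEIGH)` flags the released address still in use, the leased address answered by a different MAC, and the address that was never leased; the same list could feed the manual or automatic action mentioned in the reply.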