How-to: Managing DHCP Deny Policies for Individual Clients in UCS

Overview

In certain environments, administrators may want to prevent specific devices, identified by their MAC addresses, from receiving an IP address via DHCP.
Univention Corporate Server (UCS) provides this functionality through DHCP Deny Policies, which can be assigned directly to DHCP host objects.

This article describes how to configure, assign, and remove DHCP Deny Policies using both the Univention Directory Manager (UDM) command line and the Univention Management Console (UMC).


Background

In UCS, DHCP host objects represent individual clients that receive IP addresses via DHCP.
Each host object includes the device’s MAC address, enabling granular control over DHCP assignments.

When a DHCP Deny Policy is applied to a specific host object, UCS instructs the DHCP service to refuse lease assignments for that device.


Prerequisites

  • A running DHCP service managed by UCS.
  • Administrative privileges on the UCS system.
  • Either UDM (command-line) or UMC (web interface) access.

Option 1: Univention Management Console (UMC)

  1. Log in to the Univention Management Console (UMC) with administrative credentials.

  2. Navigate to
    Domain → DHCP → [Your DHCP Service] → DHCP Host Object.

  3. Select the host object corresponding to the device you wish to deny.

  4. Open the Policies tab.

  5. Under Policy: DHCP Allow/Deny, select the desired Deny Policy (for example, Deny Policy).

  6. Save the configuration.

  7. Optionally, restart the DHCP service to immediately apply changes:

    systemctl restart isc-dhcp-server.service

Once the policy is attached, the specified MAC address will no longer receive a DHCP lease from the UCS-managed DHCP server.


Option 2: Univention Directory Manager (UDM CLI)

Step 1: Verify Existing DHCP Host Object

List the DHCP host object to confirm that the MAC address is correctly registered.

udm dhcp/host list --filter cn=win10-client-02

Example Output:

cn=win10-client-02
DN: cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
  fixedaddress: 10.200.30.32
  host: win10-client-02
  hwaddress: ethernet 52:54:00:57:11:63

Step 2: Identify or Create a DHCP Deny Policy

List existing DHCP scope policies to check for a Deny Policy:

udm policies/dhcp_scope list

Example Output:

DN: cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet
  booting: deny
  bootp: deny
  declines: deny
  duplicates: deny
  ldapFilter: None
  name: Deny Policy
  scopeUnknownClients: deny

If no such policy exists, create one:

udm policies/dhcp_scope create \
  --position "cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet" \
  --set name="Deny Policy" \
  --set booting=deny \
  --set bootp=deny \
  --set declines=deny \
  --set duplicates=deny \
  --set scopeUnknownClients=deny

Step 3: Assign the Deny Policy to the DHCP Host Object

Attach the Deny Policy to the host object using its DN:

udm dhcp/host modify \
  --dn "cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet" \
  --policy-reference="cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet"

Expected Output:

Object modified: cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet

Verify:

udm dhcp/host list --filter cn=win10-client-02

Example Output:

cn=win10-client-02
DN: cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
  fixedaddress: 10.200.30.32
  host: win10-client-02
  hwaddress: ethernet 52:54:00:57:11:63
  univentionPolicyReference: cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet

Step 4: Remove the Deny Policy (if needed)

To remove the policy and allow DHCP access again:

udm dhcp/host modify \
  --dn "cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet" \
  --policy-dereference="cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet"

Expected Output:

Object modified: cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet

Verification

Restart the DHCP service to ensure the configuration is applied:

systemctl restart isc-dhcp-server.service

Attempt to obtain a lease from the denied MAC address.
If the policy is active, the DHCP request will be rejected.
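As an added example that is not part of this article or of UCS itself, the following Python script parses the output format of udm dhcp/host list shown above and reports which host objects currently reference the Deny Policy, which lets an administrator audit the result of the steps above across all host objects at once. The sample output is constructed: the first host is the one from this article, the second host and its MAC address are invented.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output of `udm dhcp/host list` in the format shown above.
# The first host is the article's; the second host and its MAC are invented.
SAMPLE_UDM_OUTPUT = """\
cn=win10-client-02
DN: cn=win10-client-02,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
  fixedaddress: 10.200.30.32
  host: win10-client-02
  hwaddress: ethernet 52:54:00:57:11:63
  univentionPolicyReference: cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet

cn=example-client-03
DN: cn=example-client-03,cn=mejneschool2,cn=dhcp,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
  fixedaddress: 10.200.30.33
  host: example-client-03
  hwaddress: ethernet 52:54:00:AA:BB:CC
"""
DENY_POLICY_DN = "cn=Deny Policy,cn=scope,cn=dhcp,cn=policies,dc=ucs5schoolhejne,dc=intranet"
# UDM prints the MAC as "ethernet <six hex octets>", in upper or lower case.
MAC_RE = re.compile(r"^ethernet ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.IGNORECASE)


def parse_udm_list(text: str) -> List[Dict[str, List[str]]]:
    """Parse `udm <module> list` output into one attribute dict per object.
    Each object starts with a 'DN:' line followed by indented 'key: value' lines;
    values are lists because multi-valued attributes are printed one per line."""
    objects: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in text.splitlines():
        if line.startswith("DN: "):
            current = {"DN": [line[4:].strip()]}
            objects.append(current)
        elif line.startswith("  ") and current is not None and ": " in line:
            key, value = line.strip().split(": ", 1)
            current.setdefault(key, []).append(value)
    return objects


def denied_hosts(text: str, policy_dn: str = DENY_POLICY_DN) -> Dict[str, Optional[str]]:
    """Map hostname -> MAC for every host object that references policy_dn.
    DNs are compared case-insensitively, as LDAP does; a host whose hwaddress
    does not parse is reported with None so it is flagged rather than skipped."""
    result: Dict[str, Optional[str]] = {}
    for obj in parse_udm_list(text):
        refs = [r.lower() for r in obj.get("univentionPolicyReference", [])]
        if policy_dn.lower() in refs:
            match = MAC_RE.match(obj.get("hwaddress", [""])[0])
            result[obj["host"][0]] = match.group(1).lower() if match else None
    return result
```

On a real system, feed the script the captured output of udm dhcp/host list instead of the sample string; hosts reported with None have a malformed hwaddress and deserve a manual look.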


Summary

Action                  Method   Command / Location
----------------------  -------  ------------------------------------------------------------------------
List DHCP host object   CLI      udm dhcp/host list --filter cn=<hostname>
Assign Deny Policy      CLI      udm dhcp/host modify --dn <host DN> --policy-reference=<policy DN>
Remove Deny Policy      CLI      udm dhcp/host modify --dn <host DN> --policy-dereference=<policy DN>
Apply Policy            UMC      Domain → DHCP → DHCP-Service → DHCP Host Object → Policies → Policy: DHCP Allow/Deny

By using DHCP Deny Policies, UCS administrators can selectively block DHCP assignments for specific MAC addresses without modifying subnet-wide settings.