In my network I run dhcpd3 set up to assign IP addresses only to specific MAC addresses. It works wonderfully; I even integrated it with bind9 to automatically create direct and reverse DNS hostnames with a custom TLD and all.
But one thing I haven't figured out yet: if the user sets up a static IP on his machine he will have access to the network. Using iptables to filter IP addresses not in the range assigned by dhcpd3 also doesn't help much, because if the user with the IP address 192.168.0.20 is not in the office, that IP address would still be on the allowed list. And when he plugs in his computer, we would have a lot of trouble with duplicated addresses and such.
A solution where dhcpd3 (or some other DHCP server) runs an external script that calls iptables to unblock the address would be very nice, but I was unable to find a DHCP server that does that.
I considered using 802.1X with RADIUS, but I have some printers and IP phones on the network that don't support it, so I would need to tell the switches that some ports wouldn't use 802.1X. That opens a hole where they could add small 8-port switches to the network and plug their machines there. Also, the IP phones have an embedded 2-port switch.
I know there's something called RADA where you allow specific MAC addresses to circumvent the RADIUS authentication, but my switches don't support it, unfortunately.
I'm really out of ideas on this one. Maybe there's a very simple and elegant solution but I really couldn't find it by myself.
You can't do that at the IP level; if the user configures his computer to have a valid address/mask, it will be able to access your network. The only option here is filtering the access at the MAC level, thus allowing only Ethernet cards belonging to computers (or devices) you trust. 802.1x is really the best solution here.
I guess opening the filter after the system was assigned an IP address opens timing issues. I would start with using arpwatch or something like that to scan for new systems, compare it with the DHCP leases table or list of allowed systems and if you find an unauthorized system, block it at this point. How to block it depends on your network layout and hardware. If you don't use many desktop switches in the offices my idea would be to just deactivate the switch port in question.
Another, easier solution might be to activate 802.1X for the majority of ports but use a list of allowed MACs for the ports where this won't work. This must be supported by your switch models of course.
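The comparison described in the answer above (hosts seen on the wire versus the DHCP leases table and a list of allowed systems), as an added example that is not part of the original answer. It assumes ISC dhcpd's `dhcpd.leases` format and ARP data in Linux `/proc/net/arp` format instead of arpwatch's own database; the function names, addresses and static list are constructed for illustration.

```python
import re
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)\n\}", re.S | re.M)
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)  # skips "next binding state"
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]+);")

def active_leases(text):
    """Map IP -> MAC for active leases. dhcpd appends, so the last entry per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state, mac = STATE_RE.search(body), MAC_RE.search(body)
        leases.pop(ip, None)  # a later non-active entry revokes the earlier one
        if state and mac and state.group(1) == "active":
            leases[ip] = mac.group(1).lower()
    return leases

def arp_entries(text):
    """Yield (ip, mac) from /proc/net/arp-style text, skipping incomplete entries."""
    for line in text.splitlines()[1:]:           # first line is the column header
        f = line.split()
        if len(f) >= 4 and int(f[2], 16) & 0x2:  # 0x2 = ATF_COM (resolved entry)
            yield f[0], f[3].lower()

def unauthorized(leases_text, arp_text, static):
    # Allowed = active DHCP leases plus fixed devices (printers, IP phones).
    allowed = {**active_leases(leases_text), **static}
    return [(ip, mac) for ip, mac in arp_entries(arp_text) if allowed.get(ip) != mac]

# Constructed sample data (not from the original post).
SAMPLE_LEASES = """\
lease 192.168.0.20 {
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.0.21 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.0.21 {
  binding state free;
}
"""
SAMPLE_ARP = """\
IP address     HW type  Flags  HW address         Mask  Device
192.168.0.20   0x1      0x2    00:11:22:33:44:55  *     eth0
192.168.0.21   0x1      0x2    00:11:22:33:44:66  *     eth0
192.168.0.30   0x1      0x2    00:aa:bb:cc:dd:01  *     eth0
192.168.0.50   0x1      0x2    02:00:00:00:00:99  *     eth0
192.168.0.60   0x1      0x0    00:00:00:00:00:00  *     eth0
"""
STATIC = {"192.168.0.30": "00:aa:bb:cc:dd:01"}  # constructed: a printer with a fixed address
```

Calling `unauthorized(SAMPLE_LEASES, SAMPLE_ARP, STATIC)` flags 192.168.0.21 (its lease has ended but the address is still in use) and 192.168.0.50 (never leased). A host only shows up once the machine running the check holds an ARP entry for it, so the gateway is the natural place to run it.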
Some switches can do what you want. For some Cisco Catalyst switches there is a feature called "ip source guard" that does what you want. (Some other vendors also have similar functionality; just google vendorname and "ip source guard").
From the Cisco docs:
See: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swdhcp82.html for more information about ip source-guard and dhcp snooping on Cisco switches.
You may be able to restrict some ports to specific MAC addresses. If you either restrict every port to a specific MAC (say of the printer) or use 802.1X to authenticate its use, then you're probably as safe as you can be and stay sane.
I think some switches offer the ability to down the port if they detect unauthorized MAC addresses, so just attaching a hub in place of the printer would cause the printer to go offline once they connected their computer to the hub.
How secure does it need to be / what are you protecting from? Is this something you could augment with manual checks (just poke your head into each room looking for strange things attached to ports)?