Q: Controlling access at the Ethernet level
Adrian Penisoara
ady at freebsd.ady.ro
Sun Apr 4 11:22:57 PDT 2004
Hi,
I am searching for a solution that will enable me to control the
access of clients to a Ethernet network that spans over about an entire
quorter; most of the connected stations are running MS Windows.
We are facing service theft through impersonation, either solely IP
or both IP and Ethernet MAC address. Securing IP access was solved
using a static ARP scheme (we used "staticarp" for the internal gateway
interface and tied to it a fixed list of IP/MAC tuples), but some of
the clients learnt how to change both the IP and the MAC.
We have thought about using static MAC entries per port on managed
switches installed at the client endpoints, but that would require a
overwhelming budget. We are also thinking about L2TP and PPPoE, but I
am uncertain about compatibility.
What would you recommand ? Are there any other elegant solutions ?
I also heard about 802.1x technology and seems to be an interesting
and professional alternative; I just don't know how well supported is
on the server side, namely FreeBSD.
Thank you.
--
Ady (@freebsd.ady.ro)
More information about the freebsd-isp
mailing list