On Wednesday, February 1, "Badbanchi Hossein" wrote:
> > Basing security policies on something as easily changeable as a MAC
> > address (and as public as a MAC address) is stupid.
>
> Thanks for the compliment.

You're welcome. Honestly though, what would you call it?

> Although this might seem (or actually BE) stupid in environments
> publicly accessible, but for a closed environment like our company
> LAN, this is good enough. Here I don't want to protect the LAN
> against the extreme hacker, but against our legitimate guests who come
> to visit someone or take part in some meeting, and simply open their
> laptop and connect the NIC to the nearest free LAN socket. This
> could be because they want to download the latest PowerPoint file for
> their presentation!
>
> Our policy is to provide Internet Access to our guests (of course
> while logging every activity), but we need to first distinguish them
> in order to provide them with at least an initial AUP (Acceptable
> User Policy), or even scan the machine for vulnerabilities and the
> like.

And who's to say they actually read the AUP? Personally I'd do it slightly differently.

1) MAC-lock the switch ports of the machines that are supposed to be connected permanently. (Yes, not perfect, but what can you do...)
2) VLAN the ports that are plug-and-play to their own VLAN
3) Use authpf to authenticate them, at least then you can ply them with your AUP before they accept (type a password). It will be a lot less implied, but an active action taken on their part.

> > Rethink your approach.
>
> Other approaches like 802.1x are also known to me. But our need is more
> modest.

Have a look at authpf. It's not the end-all be-all, but it does solve a lot of problems in a very elegant fashion.

--Toby.
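An added example, not part of this thread, of the authpf arrangement Toby outlines in steps 2 and 3: the guest VLAN is blocked by default with logging, unauthenticated guests can only reach the gateway's SSH port where authpf shows the AUP and asks for a password, and the per-user rules authpf loads let the authenticated guest out while logging each connection. Interface names, addresses and the VLAN number are assumptions; the anchor syntax is the current single-anchor form (older releases also needed nat-anchor/rdr-anchor/binat-anchor "authpf/*").

```pf
# ---- /etc/pf.conf on the OpenBSD gateway (constructed example) ----
ext_if    = "em0"             # uplink to the Internet
guest_if  = "vlan20"          # the plug-and-play guest VLAN from step 2
guest_net = "10.20.0.0/24"

# authpf inserts each authenticated guest's address into this table on
# login and removes it when the SSH session (and the "shell") ends.
table <authpf_users> persist

set skip on lo

# Default deny, logged: an unauthenticated laptop leaves a trace in pflog.
block log all

# Guests need NAT to get out once their authpf rules allow it.
match out on $ext_if from $guest_net nat-to ($ext_if)

# Before authenticating, the only reachable service is the gateway's SSH
# port; the guest account's login shell is /usr/sbin/authpf, which prints
# /etc/authpf/authpf.message (the AUP) after the password is accepted.
pass in on $guest_if proto tcp from $guest_net to ($guest_if) port 22

# Per-user rule sets loaded by authpf live under this anchor.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules: loaded by authpf for each login ----
# authpf defines $user_ip (the guest's source address) and $user_id.
# Users must also be listed in /etc/authpf/authpf.allow to get this far.
ext_if    = "em0"
guest_if  = "vlan20"
guest_net = "10.20.0.0/24"

# The authenticated guest may leave the guest VLAN for the Internet only;
# "log" on both rules records every new connection for the activity log.
pass in  log on $guest_if from $user_ip to ! $guest_net
pass out log on $ext_if  from $user_ip
```

Load the main file with `pfctl -f /etc/pf.conf`; authpf loads its own file with `pfctl -a authpf/<user>(<pid>) -f /etc/authpf/authpf.rules`, so `pfctl -a 'authpf/*' -sr` shows which guests are currently through the gate.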