Date: Sun, 4 Apr 2004 21:22:33 +0300
From: Adrian Penisoara
To: freebsd-security@freebsd.org
Cc: freebsd-isp@freebsd.org
Subject: Q: Controlling access at the Ethernet level

Hi,

I am searching for a solution that will enable me to control the access of clients to an Ethernet network that spans over about an entire quarter; most of the connected stations are running MS Windows.

We are facing service theft through impersonation, either solely IP or both IP and Ethernet MAC address. Securing IP access was solved using a static ARP scheme (we used "staticarp" for the internal gateway interface and tied to it a fixed list of IP/MAC tuples), but some of the clients learnt how to change both the IP and the MAC.

We have thought about using static MAC entries per port on managed switches installed at the client endpoints, but that would require an overwhelming budget. We are also thinking about L2TP and PPPoE, but I am uncertain about compatibility.

What would you recommend? Are there any other elegant solutions?

I also heard about 802.1x technology and it seems to be an interesting and professional alternative; I just don't know how well supported it is on the server side, namely FreeBSD.

Thank you.

-- 
Ady (@freebsd.ady.ro)