I'd like to get some sugestions/solutions to the following problem:

1. Medium /large educational LAN (~1000 likely not to trust workstations )
2. Everybody who is registered should have access to internet, the others should not( they can access the local area network because they have a connected cable n their rooms)
3. At this moment there is some authentication mechanism based on ip/mac matching (iptables), but some useres complains that they see very often a duplicate ip on the network error...so some of them ar trying to pass this filter.( it's very easy to get an valid match from the network, take that host down or wait to be offline...)

I think about transparent proxy, but this isn't a solution for other applications ( like P2P clients).
I think also of some kind ssh-key based authentication to the gateway that if it's succesfull to ad the apropriate iptables rule., or something like this.

So ..does anyone has a suggestion/solution of how it should look this authentication mechamism?

TNX in advance

your users can bypass -m --mac-source matches?

If the pair IP/MAC is not valid they can't. The problem is that a valid pair can be obtained from network( another host) with little effort and this is the way they can pass the filter( wating the legimitate host to shut-down or take it down)

Hi,

I think an answer could be 802.1X, here's the way it works :
You set up a radius server
You enable 802.1X on the interfaces of your switches.

Then, when someone plugs in a 802.1X interface, he is requested for a username password.
If the username/password doesn't match an entry in the radius, the interface stays disabled, if it matches, the interface goes up...

I see 2 problems in your case :
1/ unregistered users won't access local ressources anymore (maybe that's not a problem)
2/ 802.1X enabled switches are quite expensive (cisco boxes or so) and you've got to deploy them everywhere on your network.