I'd like to get some sugestions/solutions to the following problem:
1. Medium /large educational LAN (~1000 likely not to trust workstations
2. Everybody who is registered should have access to internet, the others should not( they can access the local area network because they have a connected cable n their rooms)
3. At this moment there is some authentication mechanism based on ip/mac matching (iptables), but some useres complains that they see very often a duplicate ip on the network error...so some of them ar trying to pass this filter.( it's very easy to get an valid match from the network, take that host down or wait to be offline...)
I think about transparent proxy, but this isn't a solution for other applications ( like P2P clients).
I think also of some kind ssh-key based authentication to the gateway that if it's succesfull to ad the apropriate iptables rule., or something like this.
So ..does anyone has a suggestion/solution of how it should look this authentication mechamism?
TNX in advance