Hi All,

I was given the task to implement a system similar to NetReg, but have run into some trouble and need to be enlightened. (Why not use NetReg? Idk, but my boss whats me to develop our own.)

Goal:
Users who connect to our network (wired or wireless) must register their computer and agree to our AUP before being able to connect to the Internet.

Test Env Setup:

LAN <==> eth1 [ GATEWAY BOX (CentOS 5.8) ] eth0 <==> Internet


What I have so far:
1) MySQL, Apache, DHCP and DNS server running on the gateway box. (MySQL and Apache is for the front-end, i.e. registering new computers/devices)
2) Registered computers are added to /etc/dhcpd.conf and given a static IP in the 192.168.1.X/24 subnet. All non-registered computers are assigned an IP in a different subnet (192.168.2.X/24)
3) Forwarding is enabled and all users from 192.168.2.X/24 are redirected to my registration page.

Problem:
I am unable to block "Rogue" users. That is if I assign myself an IP address, gateway and DNS, I can bypass the registration page and use the Internet as I like. My thought to resolve this was to block forwarding to the internet for all and then only allow forwarding to registered IP address in iptables. But this seems cumbersome. Is there a more practical way to do this?

Thanks in advance!

Ken

This has been sitting for a day so I'll guess an answer.

I might be tempted to send a proxy.pac. A smart user could figure out how to get past that so maybe I'd authenticate the user based on their logon and use that to allow access. As to how to dot that exactly I have never done it. Windows uses a similar way to authenticate against AD.

Okay, thanks jefro! I think I might implement both proxy and net filtering and see where I get.