But with most network software, it's child's play these days to change your MAC address. The only way you can gain the level of control that you want on your LAN is with a managed switch; or have everybody running just IPsec on the network stacks of their workstations...
If you configured an additional interface just to feed the dormitory Ethernet hubs, with all traffic out to the Internet blocked on it, but with PPTP tunnel access available, then you can give the dorm students individual RoadWarrior access accounts and passwords when they do need Internet access. However, you would have to change the accounts and passwords frequently, since it is very likely that the students would start passing this PPTP access account info around among themselves.
ASL will allow more than one machine at a time to open a PPTP connection using the same ID and password, so this approach has its shortcomings. The students would also require PCs with the newer versions of Windows installed, such as Win2K or WinXP, in order to have the VPN client for the PPTP tunnel available to them.
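The account-sharing concern in the post above can be checked after the fact. This added example (not from the thread, and not ASL code) flags any PPTP account that has tunnels open from more than one client address at once. The log line format, account names and addresses are constructed assumptions; the parser would need adapting to the gateway's actual log output.

```python
from collections import defaultdict

# Constructed sample events (NOT real ASL log output):
# timestamp, action, account, client address on the dorm interface
SAMPLE_LOG = """\
2004-03-01T20:15:02 connect user=dorm17 src=10.10.3.21
2004-03-01T20:16:40 connect user=dorm04 src=10.10.3.8
2004-03-01T20:21:11 connect user=dorm17 src=10.10.3.44
2004-03-01T20:30:00 disconnect user=dorm04 src=10.10.3.8
2004-03-01T20:31:09 connect user=dorm04 src=10.10.3.8
2004-03-01T20:40:00 disconnect user=dorm17 src=10.10.3.21
2004-03-01T20:41:00 connect user=dorm17 src=10.10.3.90
"""

def parse_line(line):
    """Split one event line into (timestamp, action, user, src)."""
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, action, kv["user"], kv["src"]

def find_shared_accounts(log_text):
    """Return (timestamp, user, sources) each time an account becomes
    active from more than one client address simultaneously."""
    active = defaultdict(set)   # user -> client addresses with an open tunnel
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, user, src = parse_line(line)
        if action == "connect":
            active[user].add(src)
            # A reconnect from the same address is normal; a second
            # distinct address means the credentials are in use twice.
            if len(active[user]) > 1:
                alerts.append((ts, user, sorted(active[user])))
        elif action == "disconnect":
            active[user].discard(src)
    return alerts

if __name__ == "__main__":
    for ts, user, sources in find_shared_accounts(SAMPLE_LOG):
        print(f"{ts} {user} in use from {', '.join(sources)}")
```

Accounts that appear in the output are the ones to rotate first, rather than changing every password on a fixed schedule.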
Your best bet is to put in a switch with 802.1X authentication and a RADIUS server...
With some switches (HP ProCurve, for example) you can even make it so that certain users get put onto a certain VLAN - and unauthenticated users get put onto a VLAN with no gateway...