MAC address filtering and internet use control: do I need some kind of proxy server?

One of our offices is due to have an IT overhaul and we are considering giving visitors a certain amount of access to be able to use the internet through our network and we also plan to have wireless access points in the building.

We would like to have a system where these visitors could connect to the network (probably wirelessly) but would be required to enter a password through a web-based system or have their MAC address registered before they can use the internet. We figure that trying to get them to set the WEP key for our network would be asking too much of them, so we would like to secure it another way. We would also like to be able to register the MAC addresses of our company machines so that users of these machines can use the internet without having to enter a password every time.

Any advice as to what software or hardware can be used will be great.
howardsit Asked:
RPPreacher Commented:
We do something similar using 802.1x authentication.

All domain machines have a Microsoft domain machine certificate.
All the switches are configured for 802.1x authentication using Microsoft IAS.
The switches put our machines in our VLAN and guest machines (no certificate) in a guest VLAN.

Much easier than registering a ton of MAC addresses.

More detail:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/sw8021x.htm

Rant32 Commented:
You have to separate your wireless network which is open to visitors from your internal network anyway, so you'll need a proper firewall. Any firewall that has 3 or more network interfaces will be able to give your company network access, while forcing the wireless network through a proxy server (by disallowing outside access except for the proxy server).

If you place the proxy server in a DMZ (which I believe is best practice anyway) then your internal network can profit from it as well.

Maybe have a look at SmoothWall Firewall/Guardian? http://www.smoothwall.net
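
The three-interface layout described in this comment, as an added example that is not part of the original post: a Linux iptables ruleset (iptables is an assumption; the thread names no firewall syntax) in which guest wireless traffic can reach only the proxy in the DMZ. Interface names, the proxy address and port, and the SSH management rule are assumed values.

```shell
#!/bin/sh
# Constructed example: interface names, addresses and port are assumptions.
WAN_IF=${WAN_IF:-eth0}      # internet uplink
LAN_IF=${LAN_IF:-eth1}      # internal office network
DMZ_IF=${DMZ_IF:-eth2}      # DMZ holding the proxy server
WLAN_IF=${WLAN_IF:-eth3}    # guest wireless access points
PROXY_IP=${PROXY_IP:-192.168.50.10}
PROXY_PORT=${PROXY_PORT:-3128}

# Print the policy in iptables-restore format (variables expand at call time).
emit_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Firewall management only from the office LAN, never from the guest side.
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Guests reach only the proxy; the proxy resolves names for them.
-A FORWARD -i $WLAN_IF -o $DMZ_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
-A FORWARD -i $WLAN_IF -j REJECT --reject-with icmp-admin-prohibited
# Office machines may go out directly or use the proxy.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
# Only the proxy host may leave the DMZ, and only for web and DNS.
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $PROXY_IP -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# "check" parses the ruleset without loading it; "apply" loads it (root needed).
case "${1:-}" in
  check) emit_rules | iptables-restore --test ;;
  apply) emit_rules | iptables-restore ;;
esac
```

Because the FORWARD policy is DROP, anything not listed (guest to LAN, guest straight to the internet, DMZ to LAN) is blocked without needing its own rule.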
howardsit (Author) Commented:
It is only for a reasonably small office of 12 - 15 full-time network users. They are due to go over to a Citrix solution now but we still want to give mobile users wireless access to the internet.

Using the firewall to force wireless through the proxy seems to be a reasonable idea, but how do we stop random people in neighbouring offices from using our internet connection (and bandwidth, which is needed for our Citrix users) and still allow visitors to the company to use it? They frequently have meetings and presentations at this office. We don’t want to have to give them a WEP key to use as most of them won’t be able to figure out where to insert it.

Can you get proxy server software that can recognise our network devices and allow them access but then for unrecognised users display a password box before it will allow any pages through? I don’t know how well I am explaining that.

Many thanks for your previous fast responses.
Rant32 Commented:
For example ISA Server allows users that are already logged on to a Windows domain to use the internet connection transparently (if the rules allow them to do so). Your visitors will not be logged on and will require authentication, so a username/password dialog is displayed.

You can hand them a default username that only allows proxy access and a password that changes every now and then, if required.

If you don't want to buy ISA Server, then there are firewalls that can automatically force HTTP(S) to be redirected to a proxy server (for example Sonicwall). Your internal office users then do not use the proxy server; the wireless users are forced through the proxy and must authenticate.
