Denying access to MAC addresses in ISA 2000

We have an ISA Server 2000 box on our network and we want to prevent students from accessing it with their wireless laptops.  Their laptops are authenticated on our network by IAS server acting as a RADIUS server through EAP-TLS certificate based authentication.  I set the students' laptops up myself and used a DHCP reservation to ensure their IP address was within a certain range.  I then denied access to addresses within this range to the proxy server.  

The problem is one of the kids got smart and discovered that if they change their IP address to a static address outside of the denied range they can access the internet.  We have an ISA 2004 box which allows us to restrict based on Windows groups but the ISA 2000 box does not seem to do this.  I initially thought about editing IAS server to ensure that only a given IP address range could be authenticated but then realised that of course authentication occurs before a network address is given.

Is there perhaps a way of blocking MAC addresses if they do not have a specific IP address on the network?  All servers run Windows 2003.

Any help would be appreciated.
swinfield Asked:
 
Keith Alabaster (Enterprise Architect) Commented:
http://www.microsoft.com/technet/prodtechnol/isa/2000/deploy/isafaqin.mspx

OK, the very first couple of lines confirm that ISA 2000 needs the fw client to make use of the AD for groups etc.

I cannot find a way of doing this, which is ridiculous. For my own clients that are on ISA2000 we use group policy to lock the IE proxy settings and the network control panel so that they cannot 'misbehave'. However, if this is the students' own equipment, this would be impossible to enforce.

The fact that they are already authenticated as valid users is a real stumbling block.
0
 
Keith Alabaster (Enterprise Architect) Commented:
In ISA2000, you need the ISA firewall client installed to use user/group based policies.
The standard client set is based on IP address but does not associate a MAC with that IP.
0
 
swinfield (Author) Commented:
Thanks Keith.  I assumed that it may be something like that to pick up the user groups but wasn't 100% sure.  

Do you know of any other way I can fix this problem, as the students would likely uninstall the client to get around it?  I am looking more for something server side.
0
Keith Alabaster (Enterprise Architect) Commented:
Haven't left you; just reading a couple of articles.
0
 
swinfield (Author) Commented:
Many thanks for your efforts Keith.
0
 
Keith Alabaster (Enterprise Architect) Commented:
Thank you :)
0
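The situation described in this thread (a laptop with a DHCP reservation moved to a static address outside the denied range) can be detected server side by comparing the reserved MAC-to-IP pairs with the ARP cache of a host on the same segment. This is an added example, not code from anyone in the thread; the reservation table, the addresses and the `arp -a` sample are constructed, and it assumes the checking host shares a layer-2 segment with the laptops.

```python
import re

# Constructed sample: DHCP reservations for the student laptops (MAC -> reserved IP).
RESERVATIONS = {
    "00-0C-29-AA-10-01": "10.0.5.21",
    "00-0C-29-AA-10-02": "10.0.5.22",
    "00-0C-29-AA-10-03": "10.0.5.23",
}

# Constructed sample of Windows `arp -a` output taken on a server in the same segment.
ARP_OUTPUT = """
Interface: 10.0.0.2 --- 0x10003
  Internet Address      Physical Address      Type
  10.0.0.1              00-1b-21-3c-4d-5e     dynamic
  10.0.5.21             00-0c-29-aa-10-01     dynamic
  10.0.9.77             00-0c-29-aa-10-02     dynamic
  10.0.5.23             00-0c-29-aa-10-03     dynamic
"""

# One ARP table row: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$"
)

def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` output, MACs lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:  # header and "Interface:" lines do not match and are skipped
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_mismatches(arp_text, reservations):
    """Return (mac, reserved_ip, observed_ip) for reserved MACs seen on another IP."""
    wanted = {mac.lower(): ip for mac, ip in reservations.items()}
    hits = []
    for ip, mac in parse_arp(arp_text):
        reserved = wanted.get(mac)
        if reserved is not None and ip != reserved:
            hits.append((mac, reserved, ip))
    return hits

if __name__ == "__main__":
    for mac, reserved, seen in find_mismatches(ARP_OUTPUT, RESERVATIONS):
        print(f"{mac}: reserved {reserved}, seen using {seen}")
```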
Question has a verified solution.
