We have an isa server 2000 box on our network and we want to prevent students from accessing it with their wireless laptops. Their laptops are authenticated on our network by IAS server acting as a RADIUS server through EAP-TLS certificate based authentication. I set the students laptops up myself and used a DHCP reservation to ensure their IP address was within a certain range. I then denied access to addresses within this range to the proxy server.
The problem is one of the kids got smart and discovered that if they change their IP address to a static address outside of the denied range they can access the internet. We have an ISA 2004 box which allows us to restrict based on windows groups but the ISA 2000 box does not seem to do this. I initially thought about editing IAS server to ensure that only a given IP address range could be authenticated but then realised that of course authentication occurs before a network address is given.
Is there perhaps a way of blocking MAC addresses if they do not have a specific IP address on the network. All servers run Windows 2003.
Any help would be appreciated.