> Basing security policies on something as easily changeable as a MAC
> address (and as public as a MAC address) is stupid.

Thanks for the compliment.

Although this might seem (or actually BE) stupid in environments publicly accessible, for a closed environment like our company LAN, this is good enough. Here I don't want to protect the LAN against the extreme hacker, but against our legitimate guests who come to visit someone or take part in some meeting, and simply open their laptop and connect the NIC to the nearest free LAN socket. This could be because they want to download the latest PowerPoint file for their presentation! Our policy is to provide Internet Access to our guests (of course while logging every activity), but we need to first distinguish them in order to provide them with at least an initial AUP (Acceptable User Policy), or even scan the machine for vulnerabilities and the like.

> Rethink your approach.

Other approaches like 802.1x are also known to me. But our need is more modest.

Regards,
Amir

