Mac – How to make sure clients use only the IP assigned via DHCP


We want to limit the users' Internet usage on a daily traffic basis, but not the local network bandwidth. Our users are on different platforms (Windows, Android, iOS), therefore it is not possible to force any policies by e.g. Active Directory, and even if it were possible, it would limit the whole bandwidth.
The only way that remains is to do the limitation on an IP basis at the edge of the network. This is possible using Mikrotik or other firewalls. But the problem is that users can change their IPs when the limit is reached, and they can continue using the Internet bandwidth.
So the idea was to make sure that users can only pass when their MAC address and the IP assigned through our DHCP server match. This should be possible in Cisco switches and could be done on the core switch. I think I have read something about the connection between Cisco switches and the DHCP server.

The question is how is this possible, or is there any other solution that might be easier and more efficient?

We use APs, Cisco 2960 switches, and a Cisco 4500 as core switch. Our DHCP is FreeBSD but we are willing to change if it is needed. The authentication method for our APs is 802.1x.

EDIT:

We tried a solution using a RADIUS server, which gave us the possibility to know how much traffic was used by each user (through ports 1812/1813), but the problem was that the only way to limit the user is to not allow him to connect when his limit is reached. That means that until the user reconnects, he is able to download without any restriction.

We also thought of a Proxy server as a solution, but we had two problems:

  1. We had performance issues with Squid, and installing Squid as a transparent proxy is too much work.
  2. Other proxies also had performance issues, and those that performed well didn't have the feature to be used as a transparent proxy.
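The switch-side control the question is asking about is DHCP snooping combined with IP Source Guard, which drops traffic from an access port unless the source IP (and, with the MAC-check variant, the source MAC) matches a lease the switch saw the DHCP server hand out. The following is an added Cisco IOS configuration example, not from the original post; it assumes VLAN 10 is the user VLAN, Gi1/0/48 is the uplink toward the core and the FreeBSD DHCP server, and Gi1/0/1-47 are client-facing ports on a 2960. Ports that face an AP carry many client MACs, so the port-security maximum on those ports must be raised accordingly.

```cisco
! --- Global: build the DHCP binding table on the access switch ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; an ISC dhcpd that is not configured
! for relay-agent information may discard such requests, so disable it.
no ip dhcp snooping information option
! Keep bindings across a reload (placeholder filename, adjust to taste)
ip dhcp snooping database flash:dhcp-snoop.db
!
! --- Uplink: the only port allowed to source DHCP OFFER/ACK ---
interface GigabitEthernet1/0/48
 description Uplink to core (path to DHCP server)
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Client ports: untrusted, bound to IP+MAC from the snooping table ---
interface range GigabitEthernet1/0/1 - 47
 description User access ports
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip dhcp snooping limit rate 15
 ! IP + MAC check. Older 2960 releases use "ip verify source port-security";
 ! newer ones spell the same thing "ip verify source mac-check".
 ip verify source port-security
!
! --- Verification ---
! Leases the switch has learned (MAC, IP, lease time, VLAN, port):
show ip dhcp snooping binding
! Per-port filter state; a port with no binding shows "deny-all" for IP:
show ip verify source
```

A host that sets a static IP or renews with a different MAC no longer matches any binding, so its frames are dropped at the access port rather than reaching the core or the edge firewall where the quota is enforced.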

Best Answer

You're better off doing this at layer 7 versus layer 2 or 3.

Devices can have their MAC changed as well as their IP address. (It's harder for a user to change their MAC but it's still possible.) If you've got people changing IP addresses to get around restrictions it's only a matter of time before they'll be changing MAC addresses, too.

There are a couple of solutions I can think of off the top of my head.

  • A captive portal that requires the user to authenticate using a per-user credential (RADIUS back to your Active Directory, for example) would give you per-user accountability. There are a variety of products out there, both commercial and free/open source, that can do this.

  • Force users to connect to a VPN using a per-user credential to get access beyond the wireless subnet.

Neither of these methods requires a tedious IP-to-MAC cross reference, and both would scale easily when you add new users / devices.
