Hey network experts,
I have a very simple problem, but due to my lack of knowledge, I don't know where to start. Now, before I go into the details, let me say that I don't expect a full solution from anyone on the forum, just a sign as to where the next step might be would be greatly appreciated.
I want to secure access to my network and it's resources (servers, users). Basically, I don't want anyone to get an IP address that I haven't given out (as a result of successful authentication) and I want to drop any traffic from IP addresses that I haven't assigned.
Customers---> APs (which I cannot control, but the users are isolated from each other) ---> Layer 2 unmanageable switches ---> Layer 3 managed switch ---> Internet
It can be assumed that servers to support authentication (RADIUS/TACACS+) are inserted off of the layer 3 switch.
What I've looked at
802.1X authentication. But, from what I understand, 802.1X drops all other traffic from the port while negotiations are taking place, so I don't think that would be practical for my situation, since I have multiple users using a single port. Does that mean that the only possible solution is to get new APs?
Captive portal. But I believe those are inherently insecure, since an attacker could hypothetically spoof your captive portal and redirect customers. Is this the only security risk?
Thank you for your time,