Hey network experts,
I have a very simple problem, but due to my lack of knowledge, I don't know where to start. Now, before I go into the details, let me say that I don't expect a full solution from anyone on the forum, just a sign as to where the next step might be would be greatly appreciated.
Goal: I want to secure access to my network and its resources (servers, users). Basically, I don't want anyone to get an IP address that I haven't given out (as a result of successful authentication) and I want to drop any traffic from IP addresses that I haven't assigned.
Current Layout: Customers ---> APs (which I cannot control, but the users are isolated from each other) ---> Layer 2 unmanageable switches ---> Layer 3 managed switch ---> Internet
It can be assumed that servers to support authentication (RADIUS/TACACS+) are inserted off of the layer 3 switch.
What I've looked at:
802.1X authentication. But, from what I understand, 802.1X drops all other traffic from the port while negotiations are taking place, so I don't think that would be practical for my situation, since I have multiple users using a single port. Does that mean that the only possible solution is to get new APs?
Captive portal. But I believe those are inherently insecure, since an attacker could hypothetically spoof your captive portal and redirect customers. Is this the only security risk?
Thank you for your time,
Seanny