"waste of time"


"It is too much trouble for us to keep the kids from throwing trash
  out the dorm windows, so we'll just let the public pay for cleaning
  up our mess every morning."

No - go back and re-read what he said. He specifically stated that since we
already *know* what port of what switch the user is on, and we know that the
other end of the wire is in a specific dorm room, there's no real additional
gain in making them authenticate. So a better analogy is "We don't need
to go knock on every door on the floor, because we already know the trash
is coming out the 3rd window from the end...."

If it's not a waste of time in that case, it's not a waste of time to do the
same thing for *every* user, even if we "already know" what office the cable
terminates in.

Just out of curiosity, does your site policy require you to authenticate on
your office port before you can get out to the rest of the world? (I don't
know about your wiring, but our average dorm room wiring is more physically
secure (being inside walls and all that) than the cat5 that runs to the docking
station I'm on - at least the last 40 feet or so is semi-exposed and easily
accessible in the cabling chase at the bottom of the cubicle walls)...

(For the record, our general policy is that if we already know where the other end
of the wire is, we don't require authentication, but things like the modem
pool require a userid/password, and the wireless won't DHCP unless you've
registered your MAC address. Yes, I know they're spoofable. Yes, we recognize
the issues.. :)

Now re-run the whole cost-benefit ratio, and consider that the *biggest* issue
for security is *legitimate users* who happen to have acquired some sort of
malware on their machine......