Let me preface this by saying that I have a bit of a strange network.
LAN 1 router: 10.0.0.254/24, Internet via DSL on 10.0.0.254. LAN 2 router: 172.16.2.254/24, default gateway: 10.0.0.254 (LAN 2 is a private link to another location, which uses our feed for Internet)
The router at LAN 2 unfortunately NATs all traffic from 172.16.2.0/24. I can't change this router - NAT cannot be disabled.
Assuming the only router I have control over is LAN 1 (it's a linux box): How can I log usage (destination IP+Port) against a user? I used to associate users by MAC address, but with this other router now the original MAC will be obscured - likewise the original IP is lost.
I haven't seen any evidence that 802.1X authentication works on anything but the network layer, so that also appears to be out.
The only option that appears left to me is to use a SOCKS proxy and require all clients configure themselves to use that, however that too has its pitfalls (limited client support, only handles TCP and UDP, increases CPU utilization on the router).
Is there anything I have missed? How can I approach this problem?
This is a tricky problem.
The best solution would be to replace the LAN2 Router with something that you actually have a degree of management control over. If you can't disable NAT there are probably other places this router falls short. However, my hunch is that you cannot replace this router with something more appropriate for political reasons (otherwise you already would've done it...).
My first suggestion would be to put a Squid proxy in somewhere and use that to log per-user internet access. The best place to put it would be on LAN1, but then all of the web traffic from clients on LAN2 will appear to be originating from the LAN2 Router courtesy of NAT. You could place it downstream of the LAN2 router, but then you'll have to port forward through its NAT so the clients from LAN1 can reach it. Doing this is kind of ugly.
Another idea would be to rely on something like Netflow, SFlow or RMON if your switching infrastructure on LAN2 (and LAN1) supports it. Just forward the appropriate ports through your LAN2 router and place your flow collector on LAN1. Unfortunately, flow analysis is largely Layer-7 unaware, so while you will be able to measure traffic, usage and counter statistics, you won't get the HTTP-centric details that a web proxy would provide. Still, it might be better than nothing.
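As an added illustration (not part of either answer above), here is a small parser for Squid's native access.log format that aggregates bytes per authenticated user and destination host:port. The log lines are constructed for the example; they show why the client-IP column cannot distinguish LAN2 hosts behind the NAT router, while the username field still can.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native access.log lines (not from the question). Every LAN2
# client shows up as the LAN2 router's address 172.16.2.254 because of its NAT,
# so only the authenticated username (field 8) tells them apart. A "-" username
# marks an unauthenticated request (here a 407 challenge).
SAMPLE_LOG = """\
1700000000.101    212 172.16.2.254 TCP_MISS/200 5123 GET http://example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1700000001.202    988 172.16.2.254 TCP_TUNNEL/200 40210 CONNECT mail.example.net:443 bob HIER_DIRECT/198.51.100.7 -
1700000002.303     55 10.0.0.17 TCP_HIT/200 1500 GET http://example.com:8080/img.png carol HIER_NONE/- image/png
1700000003.404     12 172.16.2.254 TCP_DENIED/407 3400 GET http://example.org/ - HIER_NONE/- text/html
1700000004.505    760 172.16.2.254 TCP_TUNNEL/200 12000 CONNECT mail.example.net:443 bob HIER_DIRECT/198.51.100.7 -
"""

def parse_line(line):
    """Split one native-format line into (user, client_ip, dest_host, dest_port, bytes).

    Native format: time elapsed client code/status bytes method URL user peer/host type
    """
    f = line.split()
    if len(f) < 10:
        return None
    client_ip, size, method, url, user = f[2], int(f[4]), f[5], f[6], f[7]
    if method == "CONNECT":
        # CONNECT requests log only host:port, no scheme or path.
        host, _, port = url.rpartition(":")
        port = int(port)
    else:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return user, client_ip, host, port, size

def usage_by_user(log_text):
    """Aggregate bytes per (user, "host:port"); unauthenticated '-' requests are
    kept as their own key so untracked traffic stands out."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, _client_ip, host, port, size = rec
        totals[(user, f"{host}:{port}")] += size
    return dict(totals)

if __name__ == "__main__":
    for (user, dest), size in sorted(usage_by_user(SAMPLE_LOG).items()):
        print(f"{user:8} {dest:28} {size:>8} bytes")
```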
It does appear that typical network tools will not work in this scenario. Even Websense uses a DC agent to map an IP to a user account for transparency. Without a unique identifier (MAC or IP) for each client, I think you're on track that you will have to make them authenticate via proxy.