Contractors on Company Networks - Network segregation

[William Kupersanin <kuper () glue umd edu>]

We have been struggling with the problem of how to safely allow
contractors onto our network while keeping them from sensitive corporate
resources. One of the models that we have been looking at is one seen in
some hotels and internet cafes where a user is initially brought up on a
network that provides access to only a dhcp server and a web server where
that person can then register for additional access. After registration
the user is then able to freely access Internet resources. 

I am wondering if anyone on the list has implemented, or thought about
implementing, such a system and how it might be done. 

Some thoughts that occur to me is setting the network up behind a firewall
that initially shuns all ip addresses until a provisioning process
(triggered by the registration) causes the firewall to "unshun" the
device for some specified period of time.

Another thought that occurred to me is that a user could come
up on a limited VLAN and then change their VLAN membership after
registration. My only problem with this is that I don't know how to safely
get the commands from the web server/provisioner to the switch in order to
change the VLAN.

If anyone has any ideas or comments, or can point me towards any resources
that discuss this issue, I would greatly appreciate it.

-- Willie