Configuration Guide User guide

FastIron Configuration Guide 1905
53-1002494-02
Web authentication options configuration
Brocade(config-vlan-10-webauth)#host-max-num 300
Syntax: [no] host-max-num <number>
You can enter 0 – 8192, where 0 means there is no limit to the number of hosts that can be
authenticated. The default is 0. The maximum is 8192 or the maximum number of MAC addresses
the device supports.
When the maximum number of hosts has been reached, the FastIron switch redirects any new host
that has been authenticated successfully to the Maximum Host webpage.
Filtering DNS queries
Many of the Web Authentication solutions allow DNS queries to be forwarded from unauthenticated
hosts. To eliminate the threat of forwarding DNS queries from unauthenticated hosts to unknown or
untrusted servers (also known as domain-casting), you can restrict DNS queries from
unauthenticated hosts to be forwarded explicitly to defined servers by defining DNS filters. Any DNS
query from an unauthenticated host to a server that is not defined in a DNS filter is dropped. Only
DNS queries from unauthenticated hosts are affected by DNS filters; authenticated hosts are not. If
the DNS filters are not defined, then any DNS queries can be made to any server.
You can have up to four DNS filters. Create a filter by entering the following command.
Brocade(config-vlan-10-webauth)#dns-filter 1 191.166.2.44/24
Syntax: [no] dns-filter <number> <ip-address> <subnet-mask> | <wildcard>
For <number>, enter a number from 1 to 4 to identify the DNS filter.
Enter the IP address and subnet mask of unauthenticated hosts that will be forwarded to the
unknown/untrusted servers. Use the <ip-address> <subnet-mask> or
<ip-address>/<subnet-mask> format.
You can use a <wildcard> for the filter. The <wildcard> is in dotted-decimal notation (IP address
format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit
is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in
the mask mean the packet source address must match the IP address. Ones mean any value
matches. For example, the <ip-address> and <subnet-mask> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
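The following is an added example (not Brocade code) that models the DNS-filter decision rules above: the four-filter limit, the subnet-mask and wildcard forms of a filter, and the fact that only unauthenticated hosts are filtered. The rule used to tell a dotted subnet mask from a wildcard (top bit set means subnet mask) is an assumption of this example, not something the guide states.

```python
import ipaddress

# Added example, not Brocade code: models the DNS-filter decision the text
# describes. Each filter is an address plus either a subnet mask (prefix
# length or dotted form) or a wildcard (0 bits must match, 1 bits are free).
MAX_DNS_FILTERS = 4

def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def parse_dns_filter(spec: str) -> tuple[int, int]:
    """Turn a CLI-style filter spec into (masked address, care_bits).

    Accepts "a.b.c.d/len", "a.b.c.d m.m.m.m" (subnet mask) and
    "a.b.c.d w.w.w.w" (wildcard). Assumption for this example: a dotted
    mask whose top bit is set is a subnet mask, otherwise it is a wildcard.
    """
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.netmask)
    addr, mask = spec.split()
    mask_int = _addr(mask)
    if mask_int & 0x80000000:            # subnet mask: 1 bits must match
        care = mask_int
    else:                                # wildcard: 0 bits must match
        care = ~mask_int & 0xFFFFFFFF
    return _addr(addr) & care, care

def dns_query_allowed(dns_server: str, filters: list[str], host_authenticated: bool) -> bool:
    """Apply the rules from the text: authenticated hosts are never filtered,
    no filters means any server is reachable, otherwise the queried server
    must match at least one of the (at most four) filters."""
    if host_authenticated or not filters:
        return True
    if len(filters) > MAX_DNS_FILTERS:
        raise ValueError("the device supports at most four DNS filters")
    server = _addr(dns_server)
    return any(server & care == addr for addr, care in map(parse_dns_filter, filters))

if __name__ == "__main__":
    # Constructed sample: filter 1 from the text plus the wildcard example.
    sample_filters = ["191.166.2.44/24", "209.157.22.26 0.0.0.255"]
    for srv in ("191.166.2.53", "209.157.22.9", "8.8.8.8"):
        verdict = "forwarded" if dns_query_allowed(srv, sample_filters, False) else "dropped"
        print(f"unauthenticated host -> DNS server {srv}: {verdict}")
```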
Forcing re-authentication when ports are down
If all ports on the device go down, you may want to force all authenticated hosts to be
re-authenticated. You can do this by entering the port-down-auth-mac-cleanup command.
Brocade(config-vlan-10-webauth)#port-down-auth-mac-cleanup
Syntax: [no] port-down-auth-mac-cleanup
While this command is enabled, the device checks the link state of all ports that are members of
the Web Authentication VLAN. If the state of all the ports is down, then the device forces all
authenticated hosts to re-authenticate. However, hosts that were authenticated using the add mac
command will remain authenticated; they are not affected by the port-down-auth-mac-cleanup
command.