Web authentication configuration considerations – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 292

The Brocade Web authentication method provides an ideal port-based authentication alternative to
multi-device port authentication without the complexities and cost of 802.1x authentication. Hosts gain
access to the network by opening a Web browser and entering a valid URL address using HTTP or
HTTPS services. Instead of being routed to the URL, the host browser is directed to an authentication
Web page on the FastIron switch. The Web page prompts the host to enter a user ID and password or
a passcode. The credentials a host enters are used by a trusted source to authenticate the host MAC
address. (Multiple MAC addresses can be authenticated with the same user name and password.)
If the authentication is unsuccessful, the appropriate page is displayed on the host browser. The host
is asked to try again or call for assistance, depending on what message is configured on the Web
page. If the host MAC address is authenticated by the trusted source, a Web page is displayed with a
hyperlink to the URL the host originally entered. If the user clicks on the link, a new window is opened
and the user is directed to the requested URL.
While a MAC address is in the authenticated state, the host can forward data through the FastIron
switch. The MAC address remains authenticated until one of the following events occurs:
• The host MAC address is removed from a list of MAC addresses that are automatically
authenticated (Refer to Specifying hosts that are permanently authenticated
on page 305).
• The re-authentication timer expires and the host is required to re-authenticate (Refer to
on page 306).
• The host has remained inactive for a period of time and the inactive period timer has expired. (Refer
Forcing re-authentication after an inactive period
on page 309.)
• All the ports on the VLAN on which Web Authentication has been configured are in a down state. All
MAC addresses that are currently authenticated are de-authenticated (Refer to
authentication when ports are down
• The authenticated client is cleared from the Web Authentication table. (Refer to
authenticated hosts from the webauthentication table
on page 307).
The FastIron switch can be configured to automatically authenticate a host MAC address. The host will
not be required to log in or re-authenticate (depending on the re-authentication period) once the MAC
address passes authentication.
A host that is logged in and authenticated remains logged in indefinitely, unless a re-authentication
period is configured. When the re-authentication period ends, the host is logged out. A host can log
out at any time by pressing the Logout button in the Web Authentication Success page.
NOTE
The host can log out as long as the Logout window (Success page) is visible. If the window is
accidentally closed, the host cannot log out unless the re-authentication period ends or the host is
manually cleared from the Web Authentication table.
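
The de-authentication events listed above can be read as a small state model of the Web Authentication table. The following is an added illustration, not Brocade code or CLI syntax: the class, method and reason names are hypothetical, the MAC addresses are constructed, and exempting permanently authenticated hosts from both timers is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Session:
    authenticated_at: float  # seconds
    last_seen: float         # seconds, updated on host traffic

@dataclass
class WebAuthTable:
    """Toy model of one VLAN's Web Authentication table (hypothetical names)."""
    reauth_period: Optional[float] = None    # None: no re-authentication timer
    inactive_period: Optional[float] = None  # None: no inactivity timer
    permanent: Set[str] = field(default_factory=set)  # automatically authenticated MACs
    sessions: Dict[str, Session] = field(default_factory=dict)

    def authenticate(self, mac: str, now: float) -> None:
        self.sessions[mac] = Session(now, now)

    def traffic(self, mac: str, now: float) -> None:
        if mac in self.sessions:
            self.sessions[mac].last_seen = now

    def clear(self, mac: str) -> bool:
        """Logout button or manual clear from the table."""
        return self.sessions.pop(mac, None) is not None

    def remove_permanent(self, mac: str) -> bool:
        """Removing a MAC from the automatic list ends its authenticated state."""
        self.permanent.discard(mac)
        return self.clear(mac)

    def sweep(self, now: float, ports_up: bool = True) -> List[Tuple[str, str]]:
        """Return (mac, reason) for every entry de-authenticated at time `now`."""
        removed = []
        for mac, s in list(self.sessions.items()):
            if not ports_up:
                reason = "vlan-ports-down"   # all ports on the VLAN are down
            elif mac in self.permanent:
                continue                     # assumption: timers do not apply
            elif self.reauth_period is not None and now - s.authenticated_at >= self.reauth_period:
                reason = "reauth-timer"
            elif self.inactive_period is not None and now - s.last_seen >= self.inactive_period:
                reason = "inactive-timer"
            else:
                continue
            del self.sessions[mac]
            removed.append((mac, reason))
        return removed
```

With both periods left at `None`, `sweep` never removes an entry while the ports are up, which mirrors the statement that a host stays logged in indefinitely unless a re-authentication period is configured.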
Web authentication configuration considerations
Web Authentication is modeled after other RADIUS-based authentication methods currently available
on Brocade edge switches. However, Web Authentication requires a Layer 3 protocol (TCP/IP)
between the host and the authenticator. Therefore, to implement Web Authentication, you must
consider the following configuration and topology requirements:
• Web authentication works only when both the HTTP and HTTPS servers are enabled on the device.
• Web Authentication works only on the default HTTP or HTTPS port.
• The host must have an IP address prior to Web Authentication. This IP address can be configured
statically on the host; however, DHCP addressing is also supported.
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03