Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

• If you are using DHCP addressing, a DHCP server must be in the same broadcast domain as the
host. This DHCP server does not have to be physically connected to the switch. Also, DHCP assist
from a router may be used.
• Web Authentication, 802.1X port security, and multi-device port authentication are not supported
concurrently on the same port.
• Web Authentication is not supported on an MCT VLAN.
The following applies to Web Authentication in the Layer 2 switch image:
• If the management VLAN and Web Authentication VLAN are in different IP networks, make sure
there is at least one routing element in the network topology that can route between these IP
networks.
The following are required for Web Authentication in the base Layer 3 and full Layer 3 images:
• Each Web Authentication VLAN must have a virtual interface (VE).
• The VE must have at least one assigned IPv4 address.
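A pre-deployment check that encodes the restrictions listed above, added here as an example and not taken from the Brocade guide. The `plan` dictionary, its keys, and the `dot1x` / `mac-auth` labels are assumptions for illustration, not FastIron configuration syntax.

```python
import ipaddress

OTHER_PORT_AUTH = {"dot1x", "mac-auth"}  # hypothetical labels: 802.1X, multi-device port auth

def check_webauth_plan(plan):
    """Return violations of the Web Authentication rules listed on this page."""
    issues = []
    for vlan in plan["vlans"]:
        if not vlan.get("webauth"):
            continue  # rules only apply to Web Authentication VLANs
        vid = vlan["id"]
        if vlan.get("mct"):
            issues.append(f"vlan {vid}: not supported on an MCT VLAN")
        for port in vlan["ports"]:
            clash = OTHER_PORT_AUTH & set(plan["port_auth"].get(port, ()))
            if clash:
                issues.append(f"vlan {vid} port {port}: concurrent with {', '.join(sorted(clash))}")
        if plan["image"] == "layer2":
            # Different IP networks need a routing element between them.
            mgmt = ipaddress.ip_network(plan["mgmt_net"])
            if ipaddress.ip_network(vlan["net"]) != mgmt and not plan.get("routed"):
                issues.append(f"vlan {vid}: no route to management network {mgmt}")
        else:
            # Base/full Layer 3: a VE with at least one IPv4 address is required.
            ve = vlan.get("ve")
            if ve is None:
                issues.append(f"vlan {vid}: no virtual interface (VE)")
            elif not any(ipaddress.ip_interface(a).version == 4 for a in ve["addrs"]):
                issues.append(f"vlan {vid}: VE has no IPv4 address")
    return issues

# Constructed sample plan (not real device output).
PLAN = {
    "image": "full-layer3",
    "port_auth": {"1/1/3": ["dot1x"]},
    "vlans": [
        {"id": 10, "webauth": True, "ports": ["1/1/1", "1/1/2"],
         "ve": {"addrs": ["10.10.10.1/24"]}},
        {"id": 20, "webauth": True, "mct": True, "ports": ["1/1/3"],
         "ve": {"addrs": ["2001:db8::1/64"]}},
        {"id": 30, "webauth": False, "ports": ["1/1/4"]},
    ],
}

if __name__ == "__main__":
    for issue in check_webauth_plan(PLAN):
        print(issue)
```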
Web Authentication is enabled on a VLAN. That VLAN becomes a Web Authentication VLAN that does
the following:
• Forwards traffic from authenticated hosts, just like a regular VLAN.
• Blocks traffic from unauthenticated hosts, except for the ARP, DHCP, DNS, HTTP, and HTTPS traffic
that is required to perform Web Authentication.
The figure "Basic topology for web authentication" shows the basic components of a network topology
where Web Authentication is used. You will need:
• A Brocade FastIron switch running a software release that supports Web Authentication
• DHCP server, if dynamic IP addressing is to be used
• Computer/host with a web browser
Your configuration may also require a RADIUS server backed by a trusted source such as LDAP or
Active Directory.
NOTE
The Web server, RADIUS server, and DHCP server can all be the same server.
FIGURE 14 Basic topology for web authentication
53-1003088-03