Limiting the number of authenticated hosts, Filtering dns queries, Forcing re-authentication when ports are down – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Limiting the number of authenticated hosts
You can limit the number of hosts that are authenticated at any one time by entering a command such
as the following.
device(config-vlan-10-webauth)# host-max-num 300
Syntax: [no] host-max-num number
Enter a value from 0 through 8192, where 0 means there is no limit to the number of hosts that can be
authenticated. The default is 0. The upper bound is 8192 or the maximum number of MAC addresses the
device supports, whichever is smaller.
When the configured maximum has been reached, the FastIron switch redirects any further host that
authenticates successfully to the Maximum Host web page instead of admitting it.
Filtering DNS queries
Many Web Authentication solutions allow DNS queries to be forwarded from unauthenticated
hosts. To eliminate the threat of DNS queries from unauthenticated hosts being forwarded to unknown or
untrusted servers (also known as domain-casting), you can define DNS filters that restrict such queries
to explicitly listed servers. Any DNS query from an unauthenticated host to a server that is not defined
in a DNS filter is dropped. Only DNS queries from unauthenticated hosts are affected by DNS filters;
authenticated hosts are not. If no DNS filters are defined, unauthenticated hosts can query any server.
You can have up to four DNS filters. Create a filter by entering the following command.
device(config-vlan-10-webauth)# dns-filter 1 10.166.2.44/24
Syntax: [no] dns-filter number [ ip-address subnet-mask | wildcard]
For number, enter a number from 1 to 4 to identify the DNS filter.
Enter the IP address and subnet mask of the DNS server or servers to which queries from unauthenticated
hosts may be forwarded; queries to any other server are dropped. Use the ip-address subnet-mask
format or the ip-address/prefix-length format shown in the example.
You can use a wildcard instead of a subnet mask. The wildcard is in dotted-decimal notation (IP address
format): a four-part value, where each part is 8 bits (one byte) separated by dots and each bit is a one
or a zero, so each part is a number from 0 to 255, for example 0.0.0.255. A zero bit in the wildcard means
the corresponding bit of the queried server's address must match the IP address; a one bit matches any
value. For example, the ip-address and wildcard values 10.157.22.26 0.0.0.255 mean that all DNS servers
in the subnet 10.157.22.x (10.157.22.0/24) match the filter.
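The matching rules above, modelled in Python so they can be exercised offline. This is an added example, not Brocade code: it takes the filter definitions in either form (address with subnet mask or prefix length, or address with wildcard), keeps at most four of them, and decides whether a DNS query from an unauthenticated host to a given server is forwarded or dropped. How the switch distinguishes a subnet mask from a wildcard on the command line is not stated on this page, so the model takes an explicit keyword argument for the wildcard form; the server addresses in compare_policies are constructed for the demo.

```python
"""DNS filter semantics for a Web Authentication VLAN, modelled in Python.

Added example, not Brocade code.  A filter (numbered 1-4) holds a DNS server
address plus either a subnet mask (1 bits must match) or a wildcard (0 bits
must match, 1 bits are don't-care).  Queries from unauthenticated hosts are
forwarded only to a server matching some filter; with no filters defined any
server is allowed.  Authenticated hosts are never filtered.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_DNS_FILTERS = 4   # dns-filter 1..4
ALL_ONES = 0xFFFFFFFF


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class DnsFilter:
    number: int
    network: int     # server address with the don't-care bits cleared
    match_bits: int  # 1 = this bit of the queried server's address must match


def dns_filter(number: int, address: str,
               mask: Optional[str] = None, wildcard: Optional[str] = None) -> DnsFilter:
    """Build a filter from 'a.b.c.d/len', or 'a.b.c.d' with a subnet mask, or
    'a.b.c.d' with a wildcard.  Which of 'subnet-mask | wildcard' a bare value is
    taken as is not stated on the page, so the wildcard form is an explicit
    keyword here (assumption)."""
    if not 1 <= number <= MAX_DNS_FILTERS:
        raise ValueError(f"dns-filter number must be 1-{MAX_DNS_FILTERS}")
    if mask is not None and wildcard is not None:
        raise ValueError("give a subnet mask or a wildcard, not both")
    if wildcard is not None:
        match_bits = ~ip_int(wildcard) & ALL_ONES   # zeros in the wildcard must match
        addr = ip_int(address)
    else:
        if mask is not None:
            address = f"{address}/{mask}"           # ipaddress accepts a dotted mask
        net = ipaddress.IPv4Network(address, strict=False)  # 10.166.2.44/24 -> 10.166.2.0/24
        match_bits = int(net.netmask)
        addr = int(net.network_address)
    return DnsFilter(number, addr & match_bits, match_bits)


def add_filter(filters: List[DnsFilter], new: DnsFilter) -> List[DnsFilter]:
    """Re-entering 'dns-filter N ...' replaces filter N; returns the new list."""
    kept = [f for f in filters if f.number != new.number]
    return sorted(kept + [new], key=lambda f: f.number)


def dns_query_action(filters: List[DnsFilter], host_authenticated: bool, server: str) -> str:
    """Return 'forward' or 'drop' for a DNS query from a host to `server`."""
    if host_authenticated:
        return "forward"        # DNS filters affect unauthenticated hosts only
    if not filters:
        return "forward"        # no filters defined: queries to any server are allowed
    s = ip_int(server)
    if any((s & f.match_bits) == f.network for f in filters):
        return "forward"
    return "drop"               # unauthenticated host, server not in any filter


def compare_policies() -> dict:
    """Constructed demo: the default (no filters) against two filters, for four servers."""
    weak: List[DnsFilter] = []
    hardened = add_filter([], dns_filter(1, "10.166.2.44/24"))                       # page's example
    hardened = add_filter(hardened, dns_filter(2, "10.157.22.26", wildcard="0.0.0.255"))
    servers = ["10.166.2.53", "10.157.22.200", "10.157.23.1", "8.8.8.8"]  # constructed
    return {srv: (dns_query_action(weak, False, srv), dns_query_action(hardened, False, srv))
            for srv in servers}


if __name__ == "__main__":
    for srv, (before, after) in compare_policies().items():
        print(f"{srv:>14}  no filters: {before:<8}  with filters: {after}")
```

With no filters every query is forwarded, which is the weak default; with the two filters only the two listed resolver ranges survive, and a query from an authenticated host is forwarded regardless of the filter list.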
Forcing re-authentication when ports are down
If all ports that are members of the Web Authentication VLAN go down, you may want to force all
authenticated hosts to re-authenticate. You can do this by entering the port-down-auth-mac-cleanup
command.
device(config-vlan-10-webauth)# port-down-auth-mac-cleanup
Syntax: [no] port-down-auth-mac-cleanup
While this command is enabled, the device checks the link state of all ports that are members of the
Web Authentication VLAN. Only when every one of those ports is down does the device clear the
authenticated hosts and force them to re-authenticate; a single port going down while others stay up
has no effect. Hosts that were authenticated statically with the add mac command remain
authenticated; they are not affected by the port-down-auth-mac-cleanup command.
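The host-limit behaviour from "Limiting the number of authenticated hosts" and the clean-up behaviour described just above, modelled together in Python. This is an added example, not Brocade code: it keeps a per-VLAN table of web-authenticated and add mac hosts, applies host-max-num (0 meaning no limit, not zero hosts), and flushes the web-authenticated hosts only when every member port is down. Two assumptions are made that the page does not state: only web-authenticated hosts count toward the cap, and a host-max-num value above the device's MAC capacity is rejected. The VLAN, port names, MAC capacity and MAC addresses in demo are constructed.

```python
"""host-max-num and port-down-auth-mac-cleanup for a Web Authentication VLAN,
modelled in Python.  Added example, not Brocade code.
Assumptions: only web-authenticated hosts count toward the cap, and a
host-max-num above the device's MAC capacity is rejected."""
from dataclasses import dataclass, field
from typing import Dict, Set

HOST_MAX_ABSOLUTE = 8192


@dataclass
class WebAuthVlan:
    vlan_id: int
    ports: Dict[str, bool]           # member port -> link up?
    mac_capacity: int                # MAC addresses the device supports (constructed value)
    host_max_num: int = 0            # default 0: no limit
    port_down_cleanup: bool = False  # port-down-auth-mac-cleanup enabled?
    web_hosts: Set[str] = field(default_factory=set)     # authenticated via the web page
    static_hosts: Set[str] = field(default_factory=set)  # authenticated via 'add mac'

    def set_host_max_num(self, n: int) -> None:
        """'host-max-num n': 0..8192, bounded by MAC capacity (assumed: rejected above it)."""
        bound = min(HOST_MAX_ABSOLUTE, self.mac_capacity)
        if not 0 <= n <= bound:
            raise ValueError(f"host-max-num must be 0-{bound}")
        self.host_max_num = n

    def add_mac(self, mac: str) -> None:
        """'add mac': statically authenticate a host; never flushed by clean-up."""
        self.static_hosts.add(mac)

    def is_authenticated(self, mac: str) -> bool:
        return mac in self.web_hosts or mac in self.static_hosts

    def web_authenticate(self, mac: str) -> str:
        """Outcome of a successful web login: admitted, or redirected to the
        Maximum Host page when the configured cap has already been reached."""
        if self.is_authenticated(mac):
            return "already-authenticated"
        if self.host_max_num and len(self.web_hosts) >= self.host_max_num:
            return "maximum-host-page"
        self.web_hosts.add(mac)
        return "authenticated"

    def link_state(self, port: str, up: bool) -> int:
        """Record a link change.  With clean-up enabled and *all* member ports down,
        flush the web-authenticated hosts; returns how many must re-authenticate."""
        if port not in self.ports:
            raise KeyError(f"{port} is not a member of VLAN {self.vlan_id}")
        self.ports[port] = up
        if self.port_down_cleanup and not any(self.ports.values()):
            flushed = len(self.web_hosts)
            self.web_hosts.clear()
            return flushed
        return 0


def demo() -> WebAuthVlan:
    """Constructed scenario: cap of 2, one static host, then both ports go down."""
    v = WebAuthVlan(10, {"1/1": True, "1/2": True}, mac_capacity=16384)
    v.set_host_max_num(2)
    v.port_down_cleanup = True
    v.add_mac("0000.0000.00aa")
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003"):
        print(mac, v.web_authenticate(mac))       # third login hits the Maximum Host page
    print("1/1 down, flushed:", v.link_state("1/1", False))  # 1/2 still up: nothing flushed
    print("1/2 down, flushed:", v.link_state("1/2", False))  # all down: both web hosts flushed
    return v


if __name__ == "__main__":
    demo()
```

After the second port goes down the two web-authenticated hosts are gone and must log in again, while the add mac host is still authenticated; with port-down-auth-mac-cleanup left at its default (disabled) the same link changes flush nothing.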
FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03, page 308