Dell FCX624-E Laptop User Manual


1324 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring web authentication options
37
Enter 0 – 128000 for <seconds>. The default is the current value of the block duration command.
Entering a value of "0" means the MAC address is blocked permanently.
Entering no block mac <mac-address> duration <seconds> resets duration to its default value.
You can unblock a host by entering the no block mac <mac-address> command.
Limiting the number of authenticated hosts
You can limit the number of hosts that are authenticated at any one time by entering a command
such as the following.
PowerConnect(config-vlan-10-webauth)#host-max-num 300
Syntax: [no] host-max-num <number>
You can enter 0 – 8192, where 0 means there is no limit to the number of hosts that can be
authenticated. The default is 0. The maximum is 8192 or the maximum number of MAC addresses
the device supports.
When the maximum number of hosts has been reached, the PowerConnect switch redirects any
new host that has been authenticated successfully to the Maximum Host webpage.
Filtering DNS queries
Many Web Authentication solutions allow DNS queries from unauthenticated hosts to be
forwarded. To eliminate the threat of DNS queries from unauthenticated hosts being forwarded
to unknown or untrusted servers (also known as domain-casting), you can define DNS filters so
that queries from unauthenticated hosts are forwarded only to explicitly defined servers. Any DNS
query from an unauthenticated host to a server that is not defined in a DNS filter is dropped.
DNS filters affect only DNS queries from unauthenticated hosts; authenticated hosts are not
affected. If no DNS filters are defined, DNS queries can be made to any server.
You can have up to four DNS filters. Create a filter by entering the following command.
PowerConnect(config-vlan-10-webauth)#dns-filter 1 191.166.2.44/24
Syntax: [no] dns-filter <number> <ip-address> <subnet-mask> | <wildcard>
For <number>, enter a number from 1 to 4 to identify the DNS filter.
Enter the IP address and subnet mask of unauthenticated hosts that will be forwarded to the
unknown/untrusted servers. Use the <ip-address> <subnet-mask> or
<ip-address>/<subnet-mask> format.
You can use a <wildcard> for the filter. The <wildcard> is in dotted-decimal notation (IP address
format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit
is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in
the mask mean the packet source address must match the IP address. Ones mean any value
matches. For example, the <ip-address> and <subnet-mask> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C subnet 209.157.22.x match the policy.
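The wildcard rule and the DNS filter behaviour described above, modelled in Python as an added example (not code from the guide or from the switch firmware). It assumes the filter is compared against the DNS server address of the query and that the space-separated form carries a wildcard; the function names are illustrative.

```python
import ipaddress

MAX_FILTERS = 4  # the guide allows up to four DNS filters


def parse_filter(spec):
    """Return (address, wildcard) as integers for one filter entry.

    'a.b.c.d/24' or 'a.b.c.d/255.255.255.0' is converted to its wildcard;
    'a.b.c.d w.x.y.z' is assumed to carry a wildcard already.
    """
    if "/" in spec:
        net = ipaddress.ip_interface(spec).network
        return int(net.network_address), int(net.hostmask)
    addr, wildcard = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def wildcard_match(addr, base, wildcard):
    """Zero bits in the wildcard must equal the filter address; one bits match anything."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def covered_count(spec):
    """How many addresses one filter entry matches: 2 ** (number of one bits)."""
    _, wildcard = parse_filter(spec)
    return 2 ** bin(wildcard).count("1")


def dns_query_allowed(authenticated, server, filters):
    """Model of the documented rule, for reviewing a planned filter set."""
    if len(filters) > MAX_FILTERS:
        raise ValueError("at most four DNS filters can be defined")
    if authenticated or not filters:
        return True  # filters affect only unauthenticated hosts; none defined = no restriction
    return any(wildcard_match(server, *parse_filter(f)) for f in filters)


if __name__ == "__main__":
    planned = ["191.166.2.44/24"]  # the entry from the guide's example command
    for entry in planned:
        print(entry, "matches", covered_count(entry), "addresses")
    for server in ("191.166.2.44", "191.166.2.200", "203.0.113.53"):  # constructed samples
        print(server, "allowed" if dns_query_allowed(False, server, planned) else "dropped")
```

Run against the guide's example entry, the /24 matches all 256 addresses in 191.166.2.x rather than only 191.166.2.44, which is worth checking when a filter is meant to name a single trusted DNS server.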
Forcing re-authentication when ports are down
If all ports on the device go down, you may want to force all authenticated hosts to be
re-authenticated. You can do this by entering the following command.