Configuration Guide Vol. 2


6.2.6 Deauthorization method

The following table describes the events that lead to a terminal losing its authenticated status.

Table 6-11: Authentication cancellation method for each authentication mode

De-authentication method                                           Fixed VLAN mode   Dynamic VLAN mode
De-authentication using an operation command                       OK                OK
De-authentication of terminals connected to link-down ports        OK                OK
De-authentication resulting from changes to the VLAN configuration OK                OK
De-authentication resulting from authentication mode changes       OK                OK
Deactivation by Suspending IEEE802.1X                              OK                OK
Logout due to deletion of a dynamically registered VLAN            -                 OK

Legend: OK: Supported, -: Not applicable

<Structure of this section>

(1) Authentication canceled by operation command

You can use the operation command clear dot1x auth-state to forcibly deauthenticate terminals on a per-port or per-MAC-address basis. If the same MAC address is authenticated in more than one VLAN, the switch terminates every authentication session associated with that MAC address.

(2) Authentication canceled by link-down of the port to which the terminal is connected

When a port to which authenticated terminals are connected goes down, the switch clears the authentication status of terminals connected to that port.

(3) Deauthorization by changing VLAN settings

If you use configuration commands to change the configuration of a VLAN that includes authenticated terminals, the switch clears the authentication status of terminals associated with that VLAN.

The following configuration changes trigger a logout:
  • Deletion of a VLAN

  • Suspension of a VLAN

(4) Authentication cancellation by switching authentication mode

If the authentication mode is switched by using a configuration command, the authentication of all terminals is canceled.

(5) Deactivation by Suspending IEEE802.1X

If the IEEE 802.1X configuration is deleted by a configuration command and IEEE 802.1X stops, the authentication of all terminals is canceled.

(6) Logging Out by Deleting Dynamically Registered VLAN

If the switchport mac vlan configuration command is set on an authentication port for which a VLAN has been dynamically created, the VLAN ID that was dynamically created for the port is deleted, and the authentication of terminals that belonged to that VLAN is canceled.
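
The six triggers above can be applied to an exported session list to see which terminals will have to re-authenticate after a planned change. The following is an added example, not code from this guide or from the switch: the Session fields, the event names and the sample table are assumptions made for illustration, and case (6) is assumed to affect only sessions on the port whose dynamically created VLAN is removed.

```python
from dataclasses import dataclass

FIXED, DYNAMIC = "fixed-vlan", "dynamic-vlan"

@dataclass(frozen=True)
class Session:
    mac: str
    port: str
    vlan: int
    mode: str                   # FIXED or DYNAMIC
    dynamic_vlan: bool = False  # VLAN was dynamically registered on the port

def cleared_by(event, sessions):
    """Return the sessions that lose authenticated status because of `event`."""
    kind = event["kind"]
    if kind == "clear-mac":                          # (1) all VLANs for the MAC
        hit = lambda s: s.mac == event["mac"]
    elif kind in ("clear-port", "link-down"):        # (1) by port, (2)
        hit = lambda s: s.port == event["port"]
    elif kind in ("vlan-delete", "vlan-suspend"):    # (3)
        hit = lambda s: s.vlan == event["vlan"]
    elif kind in ("mode-change", "dot1x-stop"):      # (4), (5): every terminal
        hit = lambda s: True
    elif kind == "dynamic-vlan-removed":             # (6) Dynamic VLAN mode only
        hit = lambda s: (s.mode == DYNAMIC and s.dynamic_vlan
                         and s.port == event["port"])
    else:
        raise ValueError(f"unknown event kind: {kind}")
    return [s for s in sessions if hit(s)]

# Constructed sample table: one MAC authenticated in two VLANs, one dynamic VLAN.
SESSIONS = [
    Session("00:00:5e:00:53:01", "0/1", 10, FIXED),
    Session("00:00:5e:00:53:01", "0/2", 20, FIXED),
    Session("00:00:5e:00:53:02", "0/1", 10, FIXED),
    Session("00:00:5e:00:53:03", "0/3", 30, DYNAMIC, dynamic_vlan=True),
    Session("00:00:5e:00:53:04", "0/3", 40, DYNAMIC),
]

def impact(event):
    """Sorted (mac, vlan) pairs that must re-authenticate after the event."""
    return sorted((s.mac, s.vlan) for s in cleared_by(event, SESSIONS))

if __name__ == "__main__":
    for ev in ({"kind": "clear-mac", "mac": "00:00:5e:00:53:01"},
               {"kind": "link-down", "port": "0/1"},
               {"kind": "vlan-suspend", "vlan": 10},
               {"kind": "dynamic-vlan-removed", "port": "0/3"}):
        print(ev, "->", impact(ev))
```

Running the same events against the real session list before a maintenance window gives the set of terminals to expect in the re-authentication logs afterwards.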