Configuration Guide Vol. 2


12.1.5 Managing and deactivating authenticated terminals

The following describes how to manage authenticated terminals.

(1) Managing Multistep Authentication Terminal

A multi-step authentication terminal is managed by the authentication function that authenticated it last. When a terminal that passed terminal authentication is then authorized by user authentication, it is managed by user authentication. When a multi-step authentication port completes authentication with single authentication, the terminal is managed by that authentication function.

(2) Deauthenticating Multi-Step Authentication Terminal

Deauthenticating a multi-step authentication terminal is subject to the deauthentication conditions of the authentication function used for user authentication. When an EAPOL-Start frame is received on a port configured with the terminal authentication dot1x option, a terminal authenticated by user authentication (Web authentication) is deauthenticated regardless of whether the terminal authentication was IEEE 802.1X or MAC-based authentication. However, if no IEEE 802.1X authentication configuration is set on the applicable port, the authentication is not canceled. If authentication was completed using single authentication on a multi-step authentication port, the authentication is canceled according to the cancellation conditions of that authentication function.

(3) Non-communication monitoring of multi-step authentication terminals

A multi-step authentication port monitors terminal inactivity by a method that depends on the terminal's authentication status. The following table shows the correspondence between the authentication status of the terminal and the non-communication monitoring method.

Table 12-3: Correspondence between terminal authentication status and the non-communication monitoring method

| Terminal status | Authentication status | MAC-based authentication | IEEE 802.1X authentication | Web authentication |
|---|---|---|---|---|
| Authentication completed | Multi-step authentication completed (user authentication completed) | - | - | Non-communication monitoring of authenticated terminals*1 |
| Authentication completed | Single authentication completed | Non-communication monitoring of authenticated terminals | - | Non-communication monitoring of authenticated terminals*1 |
| Hold (during authentication) | Terminal authentication successful | Non-communication monitoring of authenticated terminals*2 | - | - |
| Failed authentication | Failed authentication | The time until the next authentication is executed after MAC-based authentication fails is monitored*3 | The unauthenticated-state hold time is monitored*4 | The entry is deleted immediately |

Legend: -: Not applicable

*1
In dynamic VLAN mode.

*2
Terminal authentication has succeeded and the port is waiting for a user authentication request. The MAC address of a terminal in this status is managed as a dynamic entry in the MAC address table. The non-communication monitoring time for such dynamic entries is the time set by the configuration command mac-authentication auto-logout delay-time plus the MAC address aging timeout.

*3
This is the value set by the configuration command mac-authentication auth-interval-timer.

*4
This is the value set by the configuration command dot1x timeout quiet-period.