Configuration Guide Vol. 2


5.3.4 Moving an Authenticated Terminal between Ports and Deauthenticating It When It Moves to an Unauthenticated Port

This section describes how the port status and authentication status are affected when a terminal that has completed Layer 2 authentication is moved to a different port.

The figure below depicts the four scenarios for moving an authenticated terminal between ports.

Figure 5-4: Example of moving authenticated terminals between ports


When using a MAC VLAN, scenario 1 and scenario 2 work as follows:

Scenario 1:

The terminal retains its VLAN membership if either of the following conditions holds at the destination port:

  • The same VLAN ID is configured with the switchport mac vlan configuration command.

  • The same VLAN ID has already been registered dynamically by a Layer 2 authentication process.

If the MAC VLAN's VLAN ID has not been registered dynamically at the destination port, the VLAN ID that the terminal belongs to is registered there when the Layer-2-authenticated terminal moves, so the terminal is treated as having moved to the same VLAN.

Scenario 2:

The terminal changes VLAN membership if the following condition holds at the destination port:

  • A different VLAN ID is configured with the switchport mac vlan configuration command.

These four scenarios describe port movement for Layer 2 authentication and multi-step authentication. For Web authentication and MAC authentication, the authentication status of an authenticated terminal can also be canceled when the terminal is detected moving to an unauthenticated port.

<Structure of this section>

(1) Behavior when moving between ports in IEEE 802.1X authentication

The tables below describe, for each authentication mode, how the port status and authentication status are affected when an IEEE 802.1X-authenticated terminal is moved to another port.

Table 5-11 Operation during port-to-port movement in IEEE 802.1X (fixed VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                   | Communication after the move
---------|-------------------------|----------------|---------------------------------------------------------|------------------------------------------
1        | Authenticating port     | Same VLAN      | The authentication status on the source port is released. | Cannot communicate until re-authenticated
2        | Authenticating port     | Different VLAN | The authentication status on the source port is released. | Cannot communicate until re-authenticated
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains.     | Cannot communicate
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains.     | Can communicate

Table 5-12 Operation during port-to-port movement in IEEE 802.1X (dynamic VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                   | Communication after the move
---------|-------------------------|----------------|---------------------------------------------------------|------------------------------------------
1        | Authenticating port     | Same VLAN      | The authentication status on the source port is released. | Cannot communicate until re-authenticated
2        | Authenticating port     | Different VLAN | The authentication status on the source port is released. | Cannot communicate until re-authenticated
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains.     | Cannot communicate
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains.     | Cannot communicate

(2) Behavior when moving between ports in Web authentication

The tables below describe, for each authentication mode, how the port status and authentication status are affected when a Web-authenticated terminal is moved to another port.

Table 5-13 Operation during port-to-port movement in Web authentication (fixed VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                      | Communication after the move
---------|-------------------------|----------------|------------------------------------------------------------|------------------------------------------
1        | Authenticating port     | Same VLAN      | Communication continues at the destination port.           | Can communicate
2        | Authenticating port     | Different VLAN | The authentication status on the source port remains.      | Cannot communicate until re-authenticated
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains. *1   | Cannot communicate *2
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains. *1   | Can communicate

*1: If the configuration command authentication auto-logout strayer is set, the authentication status is canceled when a move to an unauthenticated port is detected.

*2: Communication is enabled once the authentication status has been canceled as described in *1.

Table 5-14 Operation during port-to-port movement in Web authentication (dynamic VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                         | Communication after the move
---------|-------------------------|----------------|---------------------------------------------------------------|------------------------------
1        | Authenticating port     | Same VLAN      | Authentication continues at the destination port.             | Can communicate
2        | Authenticating port     | Different VLAN | The authentication status continues at the destination port. *1 | Cannot communicate
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains. *2      | Cannot communicate *3
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains. *2      | Cannot communicate *3

*1: Although the authentication status appears to be normal, the terminal cannot communicate on the destination port.

*2: If the configuration command authentication auto-logout strayer is set, the authentication status is canceled when a move to an unauthenticated port is detected.

*3: Communication is enabled once the authentication status has been canceled as described in *2.

(3) Behavior when moving between ports in MAC authentication

The tables below describe, for each authentication mode, how the port status and authentication status are affected when a MAC-authenticated terminal is moved to another port.

Table 5-15 Operation during port-to-port movement in MAC authentication (fixed VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                      | Communication after the move
---------|-------------------------|----------------|------------------------------------------------------------|------------------------------------------
1        | Authenticating port     | Same VLAN      | Communication continues at the destination port.           | Can communicate
2        | Authenticating port     | Different VLAN | The authentication status on the source port is released.  | Cannot communicate until re-authenticated
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains. *1   | Cannot communicate *2
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains. *1   | Can communicate

*1: If the configuration command authentication auto-logout strayer is set, the authentication status is canceled when a move to an unauthenticated port is detected.

*2: Communication is enabled once the authentication status has been canceled as described in *1.

Table 5-16 Operation during port-to-port movement in MAC authentication (dynamic VLAN mode)

Scenario | Destination port        | VLAN           | Authentication status                                      | Communication after the move
---------|-------------------------|----------------|------------------------------------------------------------|------------------------------------------
1        | Authenticating port     | Same VLAN      | Communication continues at the destination port.           | Can communicate
2        | Authenticating port     | Different VLAN | The authentication status on the source port is released.  | Cannot communicate until re-authenticated
3        | Non-authenticating port | Same VLAN      | The authentication status on the source port remains. *1   | Cannot communicate *2
4        | Non-authenticating port | Different VLAN | The authentication status on the source port remains. *1   | Cannot communicate *2

*1: If the configuration command authentication auto-logout strayer is set, the authentication status is canceled when a move to an unauthenticated port is detected.

*2: Communication is enabled once the authentication status has been canceled as described in *1.

(4) Behavior when moving between ports in multi-step authentication

The following tables describe what happens when a terminal authenticated by multi-step authentication is moved to another port. Because the authentication function that completes the final step manages the authentication status of a multi-step-authenticated terminal, its behavior on port movement also follows that final authentication function. A single-authenticated terminal (a terminal that completed authentication with only one authentication function on a multi-step authentication port) follows the port-movement behavior of the authentication function that succeeded.

Table 5-17: Operation when moving between ports in multi-step authentication (fixed VLAN mode)

Terminal authentication    | User authentication        | Behavior on port-to-port movement
---------------------------|----------------------------|------------------------------------------------------------------------------------
MAC authentication         | IEEE 802.1X authentication | Follows the behavior when moving between ports in IEEE 802.1X authentication.
MAC authentication         | Web authentication         | Follows the behavior when moving between ports in Web authentication (fixed VLAN mode).
IEEE 802.1X authentication | Web authentication         | Follows the behavior when moving between ports in Web authentication (fixed VLAN mode).

Table 5-18: Operation when moving between ports in multi-step authentication (dynamic VLAN mode)

Terminal authentication    | User authentication        | Behavior on port-to-port movement
---------------------------|----------------------------|--------------------------------------------------------------------------------------
MAC authentication         | IEEE 802.1X authentication | Follows the behavior when moving between ports in IEEE 802.1X authentication.
MAC authentication         | Web authentication         | Follows the behavior when moving between ports in Web authentication (dynamic VLAN mode).
IEEE 802.1X authentication | Web authentication         | Follows the behavior when moving between ports in Web authentication (dynamic VLAN mode).

[Precautions when moving ports]

  1. Port movement is not supported in the following cases:

    • If an authenticated terminal that belongs to a MAC port VLAN moves to an authenticating port other than a MAC port in the same VLAN, the authentication status on the source port is not released.

    • For Web authentication or MAC authentication, when a terminal moves between MAC ports and the VLAN the terminal belonged to on the source port is the same as the native VLAN of the destination port, the authentication status on the source port is not released.

    • If a terminal moves to an authenticating port that uses a different authentication function, or to an unauthenticated port (for example, from an IEEE 802.1X authentication port to a MAC authentication port), the authentication status on the source port might not be released.

    • If a terminal moves between a multi-step authentication port and a single-authentication port (for example, from a multi-step authentication port to a MAC authentication port in fixed VLAN mode), the authentication status on the source port might not be released.

    In any of these cases the authentication status remains on the source port, and the terminal cannot communicate on the destination port. Use one of the following operation commands to deauthenticate the terminal:

    • IEEE 802.1X authentication: clear dot1x auth-state

    • MAC authentication: clear mac-authentication auth-state

    • Web authentication: clear web-authentication auth-state

  2. When a terminal moves between multi-step authentication ports in the same VLAN, if the Layer 2 authentication or multi-step authentication configuration differs between the source port and the destination port, the authentication status is canceled at the time of the move.