5.3.4 Authentication Status When an Authenticated Terminal Moves Between Ports or to an Unauthenticated Port
This section describes how the port status and the authentication status are affected when a terminal that has completed Layer 2 authentication is moved to a different port.
The figure below depicts the four scenarios for moving an authenticated terminal between ports.
(Figure not reproduced. The four scenarios are: 1, move to an authenticating port in the same VLAN; 2, move to an authenticating port in a different VLAN; 3, move to a non-authenticating port in the same VLAN; 4, move to a non-authenticating port in a different VLAN.)
When MAC VLANs are used, scenario 1 and scenario 2 are distinguished as follows:
- Scenario 1 (same VLAN): the terminal keeps its VLAN membership if either of the following holds at the destination port:
  - The same VLAN ID is configured with the switchport mac vlan configuration command.
  - The same VLAN ID has already been registered dynamically by a Layer 2 authentication function.
  If the MAC VLAN's VLAN ID is not registered at the destination port, the VLAN the terminal belongs to is created (registered dynamically) when the Layer 2-authenticated terminal moves, so that move is also treated as a move to the same VLAN.
- Scenario 2 (different VLAN): the terminal changes VLAN membership if a different VLAN ID is configured at the destination port with the switchport mac vlan configuration command.
These four scenarios describe port movement for Layer 2 authentication and for multi-step authentication. For Web authentication and MAC authentication, the switch can also cancel the authentication status of an authenticated terminal automatically when it detects that the terminal has moved to an unauthenticated port (see the footnotes on the authentication auto-logout strayer configuration command in the tables below).
(1) Behavior when moving between ports in IEEE 802.1X authentication
The tables below describe, for each authentication mode (fixed VLAN mode first, then dynamic VLAN mode), what happens to the port status and the authentication status when an IEEE 802.1X-authenticated terminal is moved to another port.
Fixed VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 2 | Authenticating port | Different VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains. | Not possible |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains. | Possible |
Dynamic VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 2 | Authenticating port | Different VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains. | Not possible |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains. | Not possible |
(2) Behavior when moving between ports in Web authentication
The tables below describe, for each authentication mode (fixed VLAN mode first, then dynamic VLAN mode), what happens to the port status and the authentication status when a Web-authenticated terminal is moved to another port.
Fixed VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authentication continues on the destination port. | Possible |
| 2 | Authenticating port | Different VLAN | The authentication status on the source port remains. | Not possible until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains.*1 | Not possible*2 |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains.*1 | Possible |

*1: If the authentication auto-logout strayer configuration command is set, the authentication status is cancelled when the move to an unauthenticated port is detected.
*2: Communication becomes possible once the authentication status has been cancelled as described in *1.
Dynamic VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authentication continues on the destination port. | Possible |
| 2 | Authenticating port | Different VLAN | Authentication continues on the destination port.*1 | Not possible |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains.*2 | Not possible*3 |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains.*2 | Not possible*3 |

*1: Although the authentication status appears normal, the terminal cannot communicate on the destination port.
*2: If the authentication auto-logout strayer configuration command is set, the authentication status is cancelled when the move to an unauthenticated port is detected.
*3: Communication becomes possible once the authentication status has been cancelled as described in *2.
(3) Behavior when moving between ports in MAC authentication
The tables below describe, for each authentication mode (fixed VLAN mode first, then dynamic VLAN mode), what happens to the port status and the authentication status when a MAC-authenticated terminal is moved to another port.
Fixed VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authentication continues on the destination port. | Possible |
| 2 | Authenticating port | Different VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains.*1 | Not possible*2 |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains.*1 | Possible |

*1: If the authentication auto-logout strayer configuration command is set, the authentication status is cancelled when the move to an unauthenticated port is detected.
*2: Communication becomes possible once the authentication status has been cancelled as described in *1.
Dynamic VLAN mode:

| Scenario | Destination port | VLAN | Authentication status | Communication after the move |
|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authentication continues on the destination port. | Possible |
| 2 | Authenticating port | Different VLAN | The authentication status on the source port is released. | Not possible until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | The authentication status on the source port remains.*1 | Not possible*2 |
| 4 | Non-authenticating port | Different VLAN | The authentication status on the source port remains.*1 | Not possible*2 |

*1: If the authentication auto-logout strayer configuration command is set, the authentication status is cancelled when the move to an unauthenticated port is detected.
*2: Communication becomes possible once the authentication status has been cancelled as described in *1.
(4) Behavior when moving between ports in multi-step authentication
The tables below describe what happens when a terminal authenticated by multi-step authentication is moved to another port. Because the final authentication function manages the authentication status of a multi-step-authenticated terminal, the behavior on a port move also follows that final authentication function. A single-authenticated terminal (one that completed authentication with only one authentication function on a multi-step authentication port) follows the port-move behavior of the authentication function that succeeded.
Fixed VLAN mode:

| Terminal authentication | User authentication | Behavior when moving between ports |
|---|---|---|
| MAC authentication | IEEE 802.1X authentication | Follows the IEEE 802.1X behavior in (1). |
| MAC authentication | Web authentication | Follows the Web authentication behavior in (2), fixed VLAN mode. |
| IEEE 802.1X authentication | Web authentication | Follows the Web authentication behavior in (2), fixed VLAN mode. |

Dynamic VLAN mode:

| Terminal authentication | User authentication | Behavior when moving between ports |
|---|---|---|
| MAC authentication | IEEE 802.1X authentication | Follows the IEEE 802.1X behavior in (1). |
| MAC authentication | Web authentication | Follows the Web authentication behavior in (2), dynamic VLAN mode. |
| IEEE 802.1X authentication | Web authentication | Follows the Web authentication behavior in (2), dynamic VLAN mode. |
[Precautions when moving ports]
- Port movement is not handled automatically in the following cases:
  - If an authenticated terminal that belongs to a MAC port's VLAN moves to an authenticating port on the same VLAN that is not a MAC port, the authentication status on the source port is not released.
  - For Web authentication or MAC authentication, if the terminal moves between MAC ports and the VLAN it belonged to on the source port is the same as the native VLAN of the destination port, the authentication status on the source port is not released.
  - If the terminal moves to an authenticating port that uses a different authentication function, or to an unauthenticated port (for example, from an IEEE 802.1X authentication port to a MAC authentication port), the authentication status on the source port might not be released.
  - If the terminal moves between a multi-step authentication port and a single-authentication port (for example, from a multi-step authentication port to a MAC authentication port in fixed VLAN mode), the authentication status on the source port might not be released.
  In all of these cases the authentication status remains on the source port and the terminal cannot communicate on the destination port. Use the operation command for the relevant authentication function to cancel the terminal's authentication status:
  - IEEE 802.1X authentication: clear dot1x auth-state
  - MAC authentication: clear mac-authentication auth-state
  - Web authentication: clear web-authentication auth-state
- When a terminal moves from a multi-step authentication port to another port on the same VLAN, and the Layer 2 authentication and multi-step authentication configuration differs between the source port and the destination port, the authentication status is cancelled at the time of the move.
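The following Python model is an added example, not vendor code or part of this manual. It encodes the six behavior tables in (1) to (3), the authentication auto-logout strayer footnotes, the multi-step rule from (4) that the final authentication function governs the move, and the clear commands from the precautions, so that an operator can predict for a given move whether a stale entry will block the terminal and which command clears it. Assumptions made here: each section's first table is fixed VLAN mode and the second is dynamic VLAN mode (as section (4) indicates); the `mac_vlan_same` helper is this example's reading of the MAC VLAN scenario 1/2 text; and the clear commands are suggested for the table scenarios as well as for the precaution cases. All function and field names are this example's own.

```python
"""Decision model of the port-move tables in section 5.3.4 (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

AuthFn = str    # "dot1x", "mac" or "web"
VlanMode = str  # "fixed" or "dynamic" (assumed pairing: first table fixed, second dynamic)

# Operation commands from the precautions list, keyed by authentication function.
CLEAR_COMMAND: Dict[AuthFn, str] = {
    "dot1x": "clear dot1x auth-state",
    "mac": "clear mac-authentication auth-state",
    "web": "clear web-authentication auth-state",
}

# (auth function, VLAN mode) -> {scenario: (authentication state, can communicate)}
# "released": source-port entry is cleared; "continues": state carries over to the
# destination port; "remains": a stale entry stays on the source port.
TABLE: Dict[Tuple[AuthFn, VlanMode], Dict[int, Tuple[str, bool]]] = {
    ("dot1x", "fixed"):   {1: ("released", False), 2: ("released", False),
                           3: ("remains", False),  4: ("remains", True)},
    ("dot1x", "dynamic"): {1: ("released", False), 2: ("released", False),
                           3: ("remains", False),  4: ("remains", False)},
    ("web", "fixed"):     {1: ("continues", True), 2: ("remains", False),
                           3: ("remains", False),  4: ("remains", True)},
    ("web", "dynamic"):   {1: ("continues", True), 2: ("continues", False),
                           3: ("remains", False),  4: ("remains", False)},
    ("mac", "fixed"):     {1: ("continues", True), 2: ("released", False),
                           3: ("remains", False),  4: ("remains", True)},
    ("mac", "dynamic"):   {1: ("continues", True), 2: ("released", False),
                           3: ("remains", False),  4: ("remains", False)},
}


@dataclass(frozen=True)
class Move:
    auth: AuthFn
    vlan_mode: VlanMode
    dest_authenticating: bool  # destination is an authenticating port
    same_vlan: bool            # terminal keeps the same VLAN at the destination
    strayer: bool = False      # 'authentication auto-logout strayer' configured


@dataclass(frozen=True)
class Outcome:
    scenario: int
    auth_state: str            # "released", "continues" or "remains"
    can_communicate: bool
    action: Optional[str]      # operation command the operator should run, if any


def scenario_of(dest_authenticating: bool, same_vlan: bool) -> int:
    """Map destination port type and VLAN relation to scenario 1..4 of the figure."""
    if dest_authenticating:
        return 1 if same_vlan else 2
    return 3 if same_vlan else 4


def mac_vlan_same(terminal_vlan: int, static_vlans: Set[int], dynamic_vlans: Set[int]) -> bool:
    """Same-VLAN test for a MAC VLAN destination port (scenario 1 vs 2).

    Same VLAN if the terminal's VLAN ID is configured there with 'switchport mac vlan'
    or already registered dynamically; also same if nothing is registered, because the
    VLAN is then created on the move. Different only when another VLAN ID is statically
    configured (this example's reading of the text).
    """
    if terminal_vlan in static_vlans or terminal_vlan in dynamic_vlans:
        return True
    return not static_vlans


def evaluate(move: Move) -> Outcome:
    """Apply the table for one authentication function and VLAN mode."""
    key = (move.auth, move.vlan_mode)
    if key not in TABLE:
        raise ValueError(f"unknown authentication function / VLAN mode: {key}")
    scenario = scenario_of(move.dest_authenticating, move.same_vlan)
    auth_state, can_communicate = TABLE[key][scenario]
    # Footnotes: with 'authentication auto-logout strayer', Web and MAC authentication
    # cancel the entry once the move to a non-authenticating port is detected, and
    # communication then becomes possible.
    if move.strayer and move.auth in ("web", "mac") and not move.dest_authenticating:
        auth_state, can_communicate = "released", True
    # Remediation (assumed to apply to table scenarios as in the precautions): an
    # entry that still exists and blocks traffic is cleared by the operation command.
    blocked = not can_communicate and auth_state != "released"
    return Outcome(scenario, auth_state, can_communicate, CLEAR_COMMAND[move.auth] if blocked else None)


def evaluate_multistep(completed: Tuple[AuthFn, ...], vlan_mode: VlanMode,
                       dest_authenticating: bool, same_vlan: bool,
                       strayer: bool = False) -> Outcome:
    """Multi-step authentication port: the final (last successful) authentication
    function manages the terminal's state, so its table governs the move. A
    single-authenticated terminal passes a one-element tuple."""
    if not completed:
        raise ValueError("terminal has not completed any authentication")
    return evaluate(Move(completed[-1], vlan_mode, dest_authenticating, same_vlan, strayer))


if __name__ == "__main__":
    # Constructed sample: a Web-authenticated terminal on a fixed-VLAN port moves to a
    # non-authenticating port in the same VLAN, with and without auto-logout strayer.
    for strayer in (False, True):
        print("strayer" if strayer else "no strayer", evaluate(Move("web", "fixed", False, True, strayer)))
```

The model makes the security-relevant point of the section explicit: every scenario 3 row, and scenario 2 for Web authentication, leaves an entry on the switch that the terminal is no longer using, and unless auto-logout strayer is configured (or the entry is cleared by hand) that stale entry is what blocks the terminal at its new port.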