Configuration Guide Vol. 2


8.3.4 Logging Out of the Authentication Network

The following table describes the methods a terminal can use to log out of an authentication network.

Table 8-1: Logout methods for each authentication mode

Logout method                                                                 Fixed VLAN mode  Dynamic VLAN mode
Logout using the Web interface                                                OK               OK
Logout when maximum connection time is exceeded                               OK               OK
Logout of authenticated terminals by the connection monitoring functionality  OK               -
Logout by monitoring authenticated terminals without communication            -                OK
Logout using an operation command                                             OK               OK
Logout in response to special packets received from authenticated terminals   OK               -
Logout of terminals connected to link-down ports                              OK               -
Logout resulting from changes to the VLAN configuration                       OK               OK
Logout resulting from authentication method changes                           OK               OK
Logout due to suspension of Web authentication                                OK               OK
Logout due to deletion of a dynamically registered VLAN                       -                OK
Logging out by moving to an unauthenticated port                              OK               OK

Legend: OK: Supported, -: Not applicable

In dynamic VLAN mode, after a terminal logs out by any of the methods above, change the terminal's IP address back to the pre-authentication IP address. If you are using a DHCP server, direct the terminal to request a new IP address after it logs out.

<Structure of this section>

(1) Logging out from Web window

When an authenticated terminal accesses the logout URL, a logout page appears on the terminal. When the user completes the logout operation on this page, their Web authentication status is cleared. The user is then presented with a logout success page.

(2) Logout when the maximum connection time is exceeded

When a terminal exceeds the maximum connection time specified by the web-authentication max-timer configuration command, its Web authentication status is forcibly cleared and the terminal can no longer communicate beyond the Switch. The authentication status is cleared within one minute of the maximum connection time being exceeded. The user is not presented with a logout page.

A user can continue to use a terminal after the maximum connection time has elapsed by repeating the login process. Only users who are confirmed to already be authenticated by a combination of user ID, password, and MAC address can extend their connection time, and only in increments of the maximum connection time.

If you use the web-authentication max-timer configuration command to shorten or extend the maximum connection time, the changes do not take effect until the next time the user logs in. Existing authentication sessions are unaffected.

(3) Logout of authenticated terminals using the connection monitoring function

The switch monitors the connection status of authenticated terminals by sending ARP packets at the interval specified by the web-authentication logout polling interval configuration command and monitoring for a response. If it receives no response within the time period defined by the web-authentication logout polling retry-interval and web-authentication logout polling count configuration commands, the switch considers the connection to have timed out and forcibly clears the Web authentication status of the terminal. The user is not presented with a logout page.

You can disable this functionality by using the no web-authentication logout polling enable configuration command.

Notes

In environments with a large number of authenticated users, if you use the default settings for the connection monitoring functionality, there might be a delay of about one minute between the switch recognizing that the terminal has timed out and the authentication status being cleared.

It might take even longer for authentication statuses to clear if the CPU is operating under a heavy load.

(4) Logout by monitoring authenticated terminals without communication

The switch periodically checks the MAC address table for authenticated terminals to see whether any traffic has been received from each terminal. If the switch consistently finds no traffic from a particular terminal, it forcibly clears the Web authentication status of that terminal. The user is not presented with a logout page.

To prevent a momentary line disconnection from canceling the authentication, the authentication status is cleared only when no traffic has been received from the terminal's MAC address for approximately 10 minutes after traffic from the terminal stops (monitoring is performed at 60-second intervals).

You can disable this functionality by using the no web-authentication auto-logout configuration command. In this case, terminals are not forcibly logged out regardless of how long they remain inactive.
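To make the timing of mechanisms (3) and (4) concrete, the following Python model (an added illustration, not the switch's own code) computes when a session would be cleared under given settings. The 60-second check and the 10-minute idle limit come from the text above; the polling interval, retry interval, retry count, the exact retry semantics and the one-hour horizon are assumptions.

```python
from typing import Optional, Sequence, Tuple

# Constructed model. A terminal is assumed to answer ARP while
# start <= t < end for some (start, end) window; t = 0 is the login time.
Window = Tuple[int, int]


def _online(t: int, windows: Sequence[Window]) -> bool:
    return any(start <= t < end for start, end in windows)


def polling_logout_time(windows: Sequence[Window], interval: int = 300,
                        retry_interval: int = 10, count: int = 3,
                        horizon: int = 3600) -> Optional[int]:
    """Mechanism (3): send an ARP probe every `interval` seconds. When a
    probe gets no reply, retry every `retry_interval` seconds up to `count`
    times (assumed semantics); if no retry is answered the session is
    cleared. Returns the clearing time, or None if the session survives."""
    t = 0
    while t < horizon:
        t += interval
        if _online(t, windows):
            continue
        for _ in range(count):
            t += retry_interval
            if _online(t, windows):
                break  # a retry was answered: back to normal polling
        else:
            return t  # every retry unanswered: authentication cleared
    return None


def inactivity_logout_time(traffic_times: Sequence[int], check_interval: int = 60,
                           idle_limit: int = 600, horizon: int = 3600) -> Optional[int]:
    """Mechanism (4): every `check_interval` seconds the MAC address table
    is inspected; a terminal with no traffic for `idle_limit` seconds is
    cleared. Login itself counts as the first activity."""
    last_seen = 0
    t = 0
    while t < horizon:
        t += check_interval
        if any(t - check_interval < s <= t for s in traffic_times):
            last_seen = t  # activity seen in the last check period
        elif t - last_seen >= idle_limit:
            return t
    return None
```

With the defaults above, a terminal that stops answering ARP shortly after the second probe is cleared at t=930, and a 150-second traffic gap does not log a terminal out under mechanism (4) while 10 minutes of silence does.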

(5) Logout by operation command

You can use the clear web-authentication auth-state operation command to forcibly log out individual users. When you use this command, the switch terminates every authentication session associated with the user ID you specify. The user is not presented with a logout page.

(6) Logout by receiving special packets from authenticated terminals

The switch clears the authentication status of terminals from which it receives a special packet. The user is not presented with a logout page. Special packets are defined as follows:

(7) Logout due to link-down of the authentication terminal connection port

When a port with authenticated terminals connected goes down, the switch clears the authentication status of terminals connected to that port. The user is not presented with a logout page.

(8) Logout due to VLAN setting change

If you use configuration commands to change the configuration of a VLAN that includes authenticated terminals, the switch clears the authentication status of terminals associated with that VLAN. The user is not presented with a logout page.

The following configuration changes trigger a logout:
  • Deletion of a VLAN

  • Suspension of a VLAN

(9) Logout by switching the authentication method

If you change the authentication method from RADIUS authentication to local authentication or vice versa, the switch clears the authentication status of all terminals. The user is not presented with a logout page.

(10) Logout by Stopping Web Authentication

If a configuration command deletes the Web authentication configuration, which results in the suspension of Web authentication, the switch clears the authentication status of all terminals. The user is not presented with a logout page.

(11) Logging Out by Deleting Dynamically Registered VLAN

If the switchport mac vlan configuration command is set on an authentication port for which a VLAN has been dynamically created, the VLAN ID dynamically created for that port is deleted, and the terminals that belonged to the VLAN are de-authenticated.

(12) Logging Out by Moving to an Unauthenticated Port

If the authentication auto-logout strayer configuration command is set and a packet whose source MAC address is an authenticated MAC address is received on an unauthenticated port, the authentication of that terminal is canceled.