Configuration Guide Vol. 2


10.3.3 Deauthentication methods

The following table describes the events that lead to a terminal losing its authenticated status.

Table 10-3: Deauthentication method for each authentication mode

  De-authentication method                                                      Fixed VLAN mode   Dynamic VLAN mode
  ----------------------------------------------------------------------------  ---------------   -----------------
  De-authentication when the maximum connection time is exceeded                OK                OK
  De-authentication using an operation command                                  OK                OK
  De-authentication of terminals connected to link-down ports                   OK                -
  De-authentication by monitoring authenticated terminals without communication OK                OK
  De-authentication resulting from changes to the VLAN configuration            OK                OK
  De-authentication resulting from authentication method changes                OK                OK
  De-authentication resulting from authentication mode changes                  OK                OK
  De-authentication due to suspension of MAC-based authentication               OK                OK
  De-authentication by deleting a dynamically registered VLAN                   -                 OK
  De-authentication by moving to a non-authenticated port                       OK                OK

Legend: OK: Supported  -: Not applicable


(1) Deauthentication when the maximum connection time is exceeded

When a terminal exceeds the maximum connection time specified by the mac-authentication max-timer configuration command, its MAC-based authentication status is forcibly cleared. This process takes place within a minute of the maximum connection time being exceeded.

If you use the mac-authentication max-timer configuration command to shorten or extend the maximum connection time, the changes do not take effect until the next time the terminal is authenticated. Existing authentication sessions are unaffected.

(2) Deauthentication by operation command

You can use the clear mac-authentication auth-state operation command to forcibly revoke the authentication status of individual MAC addresses. If the same MAC address is authenticated in more than one VLAN, the switch terminates every authentication session associated with the MAC address.

(3) Deauthentication by link-down of the port to which authenticated terminals are connected

When a port to which authenticated terminals are connected goes down, the switch clears the authentication status of terminals connected to that port.

(4) De-authentication by monitoring authenticated terminals without communication

The switch periodically checks the MAC address table to determine whether each authenticated terminal is still sending traffic. If it consistently finds no frames from a particular terminal, it forcibly clears the terminal's MAC-based authentication status and moves the terminal back to the pre-authentication VLAN. To prevent a brief line disconnection from cancelling authentication, the status is cleared only after approximately 60 minutes without any frames from the terminal's MAC address (the check is made at 60-second intervals). You can set this time in units of one second by using the mac-authentication auto-logout configuration command; however, because monitoring still takes place at 60-second intervals, the logout occurs at the first check after the configured time has elapsed.

You can disable this functionality by using the no mac-authentication auto-logout configuration command. In this case, terminals are not forcibly logged out, regardless of how long they stay inactive.
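The following model illustrates the two timers described in (1) and (4) together: the maximum connection time snapshot taken at authentication (so a later mac-authentication max-timer change does not affect existing sessions) and the inactivity monitor that runs at 60-second intervals (so a logout configured in 1-second units actually lands on the next check). It is an example written for this guide, not the switch's own code. The timer values, MAC names and the simulate() helper are constructed for the example; "no access" is assumed to mean no frame from the terminal's MAC address has been seen since the recorded time.

```python
# Added model of the max-timer and auto-logout behaviour, not the switch's code.
# Assumptions: the monitor runs every 60 s (stated in (4)); timer values, MAC
# names and the event format below are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

MONITOR_INTERVAL = 60  # seconds between checks of the MAC address table


@dataclass
class Session:
    mac: str
    authenticated_at: int
    max_timer: int   # max connection time (s) in force when this session was authenticated
    last_seen: int   # last time (s) a frame from this MAC address was seen


@dataclass
class MacAuthModel:
    max_timer: int                      # mac-authentication max-timer value, seconds
    auto_logout: Optional[int] = 3600   # mac-authentication auto-logout value, seconds; None = disabled
    sessions: dict = field(default_factory=dict)
    deauth_log: list = field(default_factory=list)   # (time, mac, reason)

    def authenticate(self, mac: str, now: int) -> None:
        # Snapshot the max-timer in force now: per (1), a later change only
        # applies from the terminal's next authentication.
        self.sessions[mac] = Session(mac, now, self.max_timer, now)

    def frame_seen(self, mac: str, now: int) -> None:
        if mac in self.sessions:          # frames from cleared terminals are ignored here
            self.sessions[mac].last_seen = now

    def set_max_timer(self, seconds: int) -> None:
        self.max_timer = seconds          # existing sessions keep their snapshot

    def monitor_tick(self, now: int) -> None:
        for mac, s in list(self.sessions.items()):
            if now - s.authenticated_at >= s.max_timer:
                reason = "max-timer"
            elif self.auto_logout is not None and now - s.last_seen >= self.auto_logout:
                reason = "auto-logout"
            else:
                continue
            del self.sessions[mac]
            self.deauth_log.append((now, mac, reason))


def effective_logout_time(last_seen: int, auto_logout: int) -> int:
    """First monitor tick at or after last_seen + auto_logout (ceiling to 60 s)."""
    deadline = last_seen + auto_logout
    return -(-deadline // MONITOR_INTERVAL) * MONITOR_INTERVAL


def simulate(model: MacAuthModel, events: list, end_time: int) -> list:
    """events: (time, action, argument) with action in auth / frame / set-max-timer."""
    events = sorted(events, key=lambda e: e[0])   # stable sort keeps auth before same-second frames
    i = 0
    for now in range(end_time + 1):
        while i < len(events) and events[i][0] == now:
            _, action, arg = events[i]
            if action == "auth":
                model.authenticate(arg, now)
            elif action == "frame":
                model.frame_seen(arg, now)
            elif action == "set-max-timer":
                model.set_max_timer(arg)
            i += 1
        if now and now % MONITOR_INTERVAL == 0:
            model.monitor_tick(now)
    return model.deauth_log


def scenario_max_timer_and_idle() -> list:
    """A goes idle at t=200; B talks forever; max-timer is raised before C authenticates."""
    model = MacAuthModel(max_timer=600, auto_logout=300)
    events = [(0, "auth", "A"), (0, "auth", "B"), (100, "set-max-timer", 1200), (120, "auth", "C")]
    events += [(t, "frame", "A") for t in range(0, 181, 30)]
    events += [(t, "frame", "B") for t in range(0, 1401, 30)]
    events += [(t, "frame", "C") for t in range(120, 1401, 30)]
    return simulate(model, events, 1400)


def scenario_quantized_auto_logout() -> list:
    """auto-logout set to 130 s: the logout lands on the next 60 s check (t=180)."""
    model = MacAuthModel(max_timer=3600, auto_logout=130)
    events = [(0, "auth", "D"), (0, "frame", "D"), (30, "frame", "D")]
    return simulate(model, events, 400)


if __name__ == "__main__":
    for entry in scenario_max_timer_and_idle() + scenario_quantized_auto_logout():
        print("t=%4ds  %s cleared (%s)" % entry)
```

In the first scenario, B is cleared at t=600 under the 600-second limit that was in force when it authenticated, even though the limit was raised to 1200 at t=100; C, authenticated after the change, runs for the full 1200 seconds. In the second scenario the 130-second auto-logout value takes effect at the t=180 check, 20 seconds after the configured time elapsed, which is the consequence of the 60-second monitoring interval.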

(5) Deauthentication by changing the VLAN configuration

If you use configuration commands to change the configuration of a VLAN that includes authenticated terminals, the switch clears the authentication status of terminals associated with that VLAN.

The following configuration changes trigger a logout:
  • Deletion of a VLAN

  • Suspension of a VLAN

Note that in dynamic VLAN mode, you must suspend the post-authentication VLAN to deauthenticate the terminals that belong to it.

(6) Deauthentication by switching the authentication method

If you change the authentication method from RADIUS authentication to local authentication or vice-versa, the switch clears the authentication status of all terminals.

(7) Deauthentication by switching the authentication mode

If you use a configuration command to switch the authentication mode, the switch clears the authentication status of all terminals.

(8) Deauthentication by suspending MAC-based authentication

If a configuration command deletes the MAC-based authentication configuration resulting in the suspension of MAC-based authentication, the switch clears the authentication status of all terminals.

(9) Deauthentication by deleting a dynamically registered VLAN

If the switchport mac vlan configuration command is configured on an authentication port for which a VLAN has been dynamically created, the dynamically created VLAN ID is deleted from that port, and the terminals that belonged to the VLAN are deauthenticated.

(10) Deauthentication by moving to a non-authenticated port

If the authentication auto-logout strayer configuration command is set and a packet whose source MAC address is an authenticated MAC address is received on a non-authenticated port, the switch clears the authentication status of that terminal.