Configuration Guide Vol. 2


5.3.5 Move authenticated terminals between ports

This section describes how the port status and authentication status are affected when you move a terminal that has undergone Layer 2 authentication to a different port.

The figure below depicts the four scenarios for moving an authenticated terminal between ports.

Figure 5-6: Example of moving authenticated terminals between ports

[Figure Data]

When a MAC VLAN is used, whether a move falls under scenario 1 or scenario 2 is decided as follows:

Scenario 1:

The terminal is regarded as remaining in the same VLAN if either of the following conditions applies at the destination port:

  • The same VLAN ID is configured with the switchport mac vlan configuration command.

  • The same VLAN ID has already been registered dynamically by a Layer 2 authentication process.

If the VLAN ID has not been registered dynamically at the destination port and the terminal was authenticated by Web authentication or MAC authentication, the ID of the VLAN to which the terminal belongs is created dynamically on the destination port when the terminal moves. For this reason, the move is regarded as a move to the same VLAN.

Scenario 2:

The terminal is regarded as moving to a different VLAN if the following condition is satisfied at the destination port:

  • A different VLAN ID is configured with the switchport mac vlan configuration command.

If the VLAN ID has not been registered dynamically at the destination port and the terminal was authenticated by IEEE 802.1X, the VLAN ID is not created dynamically when the terminal moves, so the move is regarded as a move to a different VLAN.
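The following Python model is added here as an illustration and is not code from the configuration guide or the switch. It encodes the MAC VLAN rules above for an authenticating destination port: given the VLAN IDs configured with switchport mac vlan, the VLAN IDs already registered dynamically, the terminal's current VLAN and the authentication type, it returns whether the move is scenario 1 (same VLAN) or scenario 2 (different VLAN). The DestinationPort class, the function names and the sample port definitions are assumptions made for the example; a port whose static configuration contains other VLAN IDs but not the terminal's is treated as scenario 2, following the bullet for scenario 2, and only when nothing is registered does the result depend on the authentication type.

```python
"""Classify a move of a Layer 2-authenticated terminal to an authenticating
MAC VLAN port as scenario 1 (same VLAN) or scenario 2 (different VLAN).

Illustrative model written for this page; the DestinationPort class and the
function names are assumptions, not commands or APIs of the switch.
"""
from dataclasses import dataclass

IEEE8021X = "ieee802.1x"
WEB_AUTH = "web"
MAC_AUTH = "mac"


@dataclass(frozen=True)
class DestinationPort:
    """State of the destination port that decides the scenario (assumed model)."""
    # VLAN IDs configured with 'switchport mac vlan' on this port
    static_mac_vlans: frozenset = frozenset()
    # VLAN IDs already registered on this port by a Layer 2 authentication
    dynamic_mac_vlans: frozenset = frozenset()


def classify_move(port: DestinationPort, terminal_vlan: int, auth_type: str):
    """Return (scenario, reason) for a terminal in terminal_vlan moving to port.

    The checks follow the order of the conditions in the guide: a matching
    static entry or a matching dynamic registration keeps the VLAN; a
    non-matching static configuration changes it; with nothing registered,
    Web/MAC authentication creates the VLAN ID on move while IEEE 802.1X
    does not.
    """
    if auth_type not in (IEEE8021X, WEB_AUTH, MAC_AUTH):
        raise ValueError(f"unknown Layer 2 authentication type: {auth_type}")

    if terminal_vlan in port.static_mac_vlans:
        return 1, "same VLAN ID configured with switchport mac vlan"
    if terminal_vlan in port.dynamic_mac_vlans:
        return 1, "same VLAN ID already registered dynamically"
    if port.static_mac_vlans:
        return 2, "a different VLAN ID is configured with switchport mac vlan"

    # Nothing registered for this VLAN ID at the destination port.
    if auth_type in (WEB_AUTH, MAC_AUTH):
        return 1, "VLAN ID is created dynamically when a Web/MAC-authenticated terminal moves"
    return 2, "IEEE 802.1X does not create the VLAN ID dynamically on move"


def demo():
    """Constructed sample ports; returns the scenario number per (port, auth type)
    for a terminal that currently belongs to VLAN 10."""
    cases = {
        "static_match": DestinationPort(static_mac_vlans=frozenset({10, 20})),
        "dynamic_match": DestinationPort(dynamic_mac_vlans=frozenset({10})),
        "static_mismatch": DestinationPort(static_mac_vlans=frozenset({20})),
        "nothing_registered": DestinationPort(),
    }
    results = {}
    for name, port in cases.items():
        for auth in (IEEE8021X, WEB_AUTH):
            scenario, reason = classify_move(port, 10, auth)
            results[(name, auth)] = scenario
            print(f"{name:>18} / {auth:<10} -> scenario {scenario}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The only case in which the authentication type changes the outcome is the last one, where the destination port has nothing registered for the terminal's VLAN: a Web- or MAC-authenticated terminal is treated as staying in its VLAN, an IEEE 802.1X terminal as changing VLAN.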

The behavior of the switch in the four scenarios is described below for each type of Layer 2 authentication.

(1) Behavior when moving between ports in IEEE 802.1X

The tables below describe, for each authentication mode, how the port status and authentication status change when an IEEE 802.1X-authenticated terminal moves to another port.

Table 5-13: Operation when moving between ports in IEEE 802.1X (port-based authentication)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Undergoes re-authentication at destination port | Port information updated | Existing authentication canceled | Cannot communicate until re-authenticated |
| 2 | Authenticating port | Different VLAN | Undergoes re-authentication at destination port | Not updated | Authorized status remains | Cannot communicate until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Table 5-14: Operation when moving between ports in IEEE 802.1X (VLAN-based authentication (static))

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Undergoes re-authentication at destination port | Not updated | Authorized status remains | Cannot communicate until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | - | - | - | - |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Legend

-: Because VLAN-based authentication (static) is configured per VLAN, there are no non-authenticating ports in the same VLAN.

Table 5-15: Operation when moving between ports in IEEE 802.1X (VLAN-based authentication (dynamic))

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Undergoes re-authentication at destination port | Deleted | Existing authentication canceled | Cannot communicate until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | - | - | - | - |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Legend

-: Because VLAN-based authentication (dynamic) is configured per VLAN, there are no non-authenticating ports in the same VLAN.

(2) Behavior when moving between ports in Web authentication

The tables below describe, for each authentication mode, how the port status and authentication status change when a Web-authenticated terminal moves to another port.

Table 5-16: Operation when moving between ports in Web authentication (fixed VLAN)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate until re-authenticated |
| 3 | Non-authenticating port | Same VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Table 5-17: Operation when moving between ports in Web authentication (dynamic VLAN)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 3 | Non-authenticating port | Same VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Table 5-18: Operation when moving between ports in Web authentication (legacy mode)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 3 | Non-authenticating port | Same VLAN | - | - | - | - |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

Legend

-: Because Web authentication (legacy mode) is configured per VLAN, there are no non-authenticating ports in the same VLAN.

(3) Behavior when moving between ports in MAC authentication

The tables below describe, for each authentication mode, how the port status and authentication status change when a MAC-authenticated terminal moves to another port.

Table 5-19: Operation when moving between ports in MAC authentication (fixed VLAN)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Undergoes re-authentication# | Deleted# | Existing authentication canceled# | Cannot communicate until re-authenticated# |
| 3 | Non-authenticating port | Same VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

#: This behavior occurs when the authenticated terminal sends broadcast ARP packets after moving to the new port. If the terminal sends only packets other than broadcast ARP, its authentication status on the source port is retained and is not canceled.

Table 5-20: Operation when moving between ports in MAC authentication (dynamic VLAN)

| Scenario | Destination port | VLAN | User authentication status | MAC address table of source port | Authentication status of source port | Ability to communicate after movement |
|---|---|---|---|---|---|---|
| 1 | Authenticating port | Same VLAN | Authorization continues | Port information updated | Continues | Can communicate |
| 2 | Authenticating port | Different VLAN | Authentication canceled# | Deleted# | Existing authentication canceled# | Cannot communicate until re-authenticated# |
| 3 | Non-authenticating port | Same VLAN | Authorized status remains | Not updated | Authorized status remains | Cannot communicate |
| 4 | Non-authenticating port | Different VLAN | Authorized status remains | Not updated | Authorized status remains | Can communicate |

#: This behavior occurs when the authenticated terminal sends broadcast ARP packets after moving to the new port. If the terminal sends only packets other than broadcast ARP, its authentication status on the source port is retained and is not canceled.