Configuration Guide Vol. 2


8.3.4 Logging Out of the Authentication Network

The following table describes the methods a terminal can use to log out of an authentication network.

Table 8-1: Logout methods for each authentication mode

Logout method                                                             | Fixed VLAN mode | Dynamic VLAN mode | Legacy mode
--------------------------------------------------------------------------|-----------------|-------------------|------------
Logout using the Web interface                                            | OK              | OK                | OK
Logout when maximum connection time is exceeded                           | OK              | OK                | OK
Logout of authenticated terminals by the connection monitoring function   | OK              | -                 | -
Logout of authenticated terminals by MAC address table aging              | -               | OK                | OK
Logout using an operation command                                         | OK              | OK                | OK
Logout in response to special packets received from authenticated terminals | OK            | -                 | -
Logout of terminals connected to link-down ports                          | OK              | -                 | -
Logout resulting from changes to the VLAN configuration                   | OK              | OK                | OK
Logout resulting from authentication method changes                       | OK              | OK                | OK
Logout resulting from authentication mode changes                         | OK              | OK                | OK
Logout due to suspension of Web authentication                            | OK              | OK                | OK
Logout due to deletion of a dynamically registered VLAN                   | -               | OK                | -

Legend: OK: Supported; -: Not applicable

In dynamic VLAN mode and legacy mode, after a terminal logs out in any of these ways, you must change the IP address of the terminal back to an address belonging to the pre-authentication VLAN. If you are using a DHCP server, the terminal must be made to request a new IP address (for example, by releasing and renewing its lease) after logging out; until it does, it keeps an address from the post-authentication VLAN and cannot communicate.

<Structure of this section>

(1) Logging out from Web window

When an authenticated terminal accesses the logout URL, a logout page appears on the terminal. When the user completes the logout operation on this page, their Web authentication status is cleared. The user is then presented with a logout success page.

(2) Logout when the maximum connection time is exceeded

When a terminal exceeds the maximum connection time specified by the web-authentication max-timer configuration command, its Web authentication status is forcibly cleared and the terminal is prevented from communicating beyond the Switch. The authentication status is cleared within one minute of the maximum connection time being exceeded. The user is not presented with a logout page.

A user can continue to use a terminal after the maximum connection time has elapsed by repeating the login process. Only users whose existing authentication is confirmed by the combination of user ID, password, and MAC address can extend their connection time, and only in increments of the maximum connection time.

If you use the web-authentication max-timer configuration command to shorten or extend the maximum connection time, the changes do not take effect until the next time the user logs in. Existing authentication sessions are unaffected.

(3) Logout of authenticated terminals using the connection monitoring function

The switch monitors the connection status of authenticated terminals by sending ARP packets at the interval specified by the web-authentication logout polling interval configuration command and monitoring for a response. If it receives no response within the time period defined by the web-authentication logout polling retry-interval and web-authentication logout polling count configuration commands, the switch considers the connection to have timed out and forcibly clears the Web authentication status of the terminal. The user is not presented with a logout page.

You can disable this functionality by using the no web-authentication logout polling enable configuration command.

Notes

In environments with a large number of authenticated users, if you use the default settings for the connection monitoring functionality, there might be a delay of about one minute between the switch recognizing that the terminal has timed out and the authentication status being cleared.

It might take even longer for authentication statuses to clear if the CPU is operating under a heavy load.

(4) Logout of authenticated terminals by MAC address table aging

The switch monitors the MAC address table periodically for entries related to authenticated terminals, and checks for signs of recent access by those terminals. If the switch consistently finds that there has been no access by a particular terminal, it forcibly clears the Web authentication status of the terminal. The user is not presented with a logout page.

To prevent a brief network interruption from causing a terminal to lose its authentication status, the authentication is cancelled only when there has been no access from the terminal for a further 10-minute period after its MAC address is scheduled to be aged out of the MAC address table.

The figure below shows the relationship between the aging time specified for the MAC address table, and the time when the terminal is logged out due to MAC address table aging.

Use the default value for the aging time, or specify a larger value than the default.

Figure 8-13: Logout of authentication terminals by MAC address table aging

[Figure Data]

If there is no access by a terminal in the 10-minute period immediately after successful authentication, the terminal loses its authentication status at the end of that period, regardless of the aging time.

The following figure shows a situation in which a terminal is logged out due to inactivity after successful authentication.

Figure 8-14: Logout when there is no access immediately after successful authentication

[Figure Data]

You can disable this functionality by using the no web-authentication auto-logout configuration command. In this case, terminals are not forcibly logged out regardless of how long they remain inactive.

In legacy mode, if a terminal makes no attempt to access the VLAN to which it gains membership after authentication, the switch has no opportunity to learn its MAC address. In this case, the MAC address of the terminal never appears in the MAC address table, and the terminal is forcibly logged out 10 minutes after authentication, as shown in Figure 8-14. To avoid this situation, make sure that terminals access the VLAN in some way after authentication.
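The three timer-driven logouts above, (2) maximum connection time, (3) connection monitoring and (4) MAC address table aging, interact with the authentication mode and with the enable/disable commands, and it is easy to misjudge which one will clear a session first. The following Python model is an added example and is not the switch's own code. Only the per-mode applicability from Table 8-1 and the 10-minute rule of Figures 8-13 and 8-14 are taken from the page; the default timer values, the way the polling interval, retry-interval and count combine into a single deadline, and the assumption that the status is cleared at the instant the condition is met (the text allows up to a minute) are assumptions.

```python
"""Model of the timer-driven Web authentication logouts in (2), (3) and (4).

Added illustration, not the switch firmware. Timer defaults and the way the
polling parameters combine are assumptions; the per-mode applicability
(Table 8-1) and the 10 minute grace rule (Figures 8-13, 8-14) follow the text.
"""
from dataclasses import dataclass
from typing import Optional

FIXED_VLAN, DYNAMIC_VLAN, LEGACY = "fixed-vlan", "dynamic-vlan", "legacy"
GRACE_AFTER_AGING_S = 10 * 60  # 10 minutes after the MAC entry is due to age out


@dataclass
class AuthConfig:
    mode: str
    max_timer_s: int = 60 * 60          # web-authentication max-timer (assumed default)
    polling_interval_s: int = 300       # web-authentication logout polling interval (assumed)
    polling_retry_interval_s: int = 1   # web-authentication logout polling retry-interval (assumed)
    polling_count: int = 3              # web-authentication logout polling count (assumed)
    polling_enabled: bool = True        # False after "no web-authentication logout polling enable"
    auto_logout: bool = True            # False after "no web-authentication auto-logout"
    mac_aging_s: int = 300              # MAC address table aging time (assumed default)


@dataclass
class Session:
    mac: str
    login_at: int                         # second at which authentication succeeded
    last_access: Optional[int] = None     # last frame seen from the terminal; None = never
    last_arp_reply: Optional[int] = None  # last reply to the switch's monitoring ARP


def max_timer_expired(cfg: AuthConfig, sess: Session, now: int) -> bool:
    """(2): applies in every mode; counted from login, not from last activity."""
    return now - sess.login_at >= cfg.max_timer_s


def polling_timed_out(cfg: AuthConfig, sess: Session, now: int) -> bool:
    """(3): fixed VLAN mode only. Assumed: one poll at the interval, then
    `count` retries spaced `retry-interval` apart, all unanswered."""
    if cfg.mode != FIXED_VLAN or not cfg.polling_enabled:
        return False
    last = sess.last_arp_reply if sess.last_arp_reply is not None else sess.login_at
    deadline = cfg.polling_interval_s + cfg.polling_retry_interval_s * cfg.polling_count
    return now - last >= deadline


def mac_aging_timed_out(cfg: AuthConfig, sess: Session, now: int) -> bool:
    """(4): dynamic VLAN and legacy modes only."""
    if cfg.mode == FIXED_VLAN or not cfg.auto_logout:
        return False
    if sess.last_access is None:
        # Never accessed since authentication: cleared after 10 minutes
        # regardless of the aging time (Figure 8-14).
        return now - sess.login_at >= GRACE_AFTER_AGING_S
    # Entry ages out, then a further 10 minutes of silence (Figure 8-13).
    return now - sess.last_access >= cfg.mac_aging_s + GRACE_AFTER_AGING_S


def logout_reason(cfg: AuthConfig, sess: Session, now: int) -> Optional[str]:
    """Which mechanism clears the session at time `now`, or None if it survives."""
    if max_timer_expired(cfg, sess, now):
        return "max-timer"
    if polling_timed_out(cfg, sess, now):
        return "connection-monitoring"
    if mac_aging_timed_out(cfg, sess, now):
        return "mac-aging"
    return None


def first_logout_time(cfg: AuthConfig, sess: Session, horizon_s: int = 24 * 3600):
    """Scan forward one second at a time and report (time, reason) of the first logout."""
    for t in range(sess.login_at, sess.login_at + horizon_s + 1):
        reason = logout_reason(cfg, sess, t)
        if reason:
            return t, reason
    return None


if __name__ == "__main__":
    # Constructed scenario: a terminal authenticates at t=0, sends its last
    # frame at t=100 and then goes quiet, under each authentication mode.
    quiet = Session(mac="00:11:22:33:44:55", login_at=0, last_access=100, last_arp_reply=100)
    for mode in (FIXED_VLAN, DYNAMIC_VLAN, LEGACY):
        print(mode, first_logout_time(AuthConfig(mode=mode), quiet))
```

The scan in `first_logout_time` makes the practical point visible: in fixed VLAN mode a silent terminal is cleared by the ARP monitor within minutes, whereas in dynamic VLAN or legacy mode the same terminal keeps its authentication (and its post-authentication VLAN) until the aging time plus 10 minutes have passed, and with `no web-authentication auto-logout` only the max-timer remains.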

(5) Logout by operation command

You can use the clear web-authentication auth-state operation command to forcibly log out individual users. When you run this command, the switch terminates every authentication session associated with the user ID you specify, on every port and VLAN. The user is not presented with a logout page.

(6) Logout by receiving special packets from authenticated terminals

The switch clears the authentication status of terminals from which it receives a special packet. The user is not presented with a logout page. Special packets are defined as follows:

(7) Logout due to link-down of the authentication terminal connection port

When a port with authenticated terminals connected goes down, the switch clears the authentication status of terminals connected to that port. The user is not presented with a logout page.

(8) Logout due to VLAN setting change

If you use configuration commands to change the configuration of a VLAN that includes authenticated terminals, the switch clears the authentication status of terminals associated with that VLAN. The user is not presented with a logout page.

The following configuration changes trigger a logout:
  • Deletion of a VLAN

  • Suspension of a VLAN

(9) Logout by switching the authentication method

If you change the authentication method from RADIUS authentication to local authentication or vice-versa, the switch clears the authentication status of all terminals. The user is not presented with a logout page.

(10) Logout by Switching Authentication Mode

If you use the copy command to change the switch configuration in a manner that results in changes to the authentication mode, the switch clears the authentication status of all terminals. The user is not presented with a logout page.

(11) Logout by Stopping Web Authentication

If a configuration command deletes the Web authentication configuration, which results in the suspension of Web authentication, the switch clears the authentication status of all terminals. The user is not presented with a logout page.

(12) Logging Out by Deleting Dynamically Registered VLAN

If the switchport mac vlan configuration command is applied to an authentication port on which a VLAN has been dynamically created, the VLAN ID that was dynamically created for that port is deleted, and the terminals that belonged to that VLAN lose their authentication status. The user is not presented with a logout page.