Configuration Guide Vol. 2


10.3.3 Deauthorization method

The following table describes the events that lead to a terminal losing its authenticated status.

Table 10-3: Authentication cancellation method for each authentication mode

De-authentication method                                               Fixed VLAN mode   Dynamic VLAN mode
De-authentication when the maximum connection time is exceeded         OK                OK
De-authentication using an operation command                           OK                OK
De-authentication of terminals connected to link-down ports            OK                -
De-authentication of terminals by MAC address table aging              OK                OK
De-authentication resulting from changes to the VLAN configuration     OK                OK
De-authentication resulting from authentication method changes         OK                OK
De-authentication resulting from authentication mode changes           OK                OK
De-authentication due to suspension of MAC-based authentication        OK                OK
Logout due to deletion of a dynamically registered VLAN                -                 OK

Legend: OK: Supported, -: Not applicable


(1) Deauthenticate when maximum connection time is exceeded

When a terminal exceeds the maximum connection time specified by the mac-authentication max-timer configuration command, its MAC-based authentication status is forcibly cleared. This process takes place within a minute of the maximum connection time being exceeded.

If you use the mac-authentication max-timer configuration command to shorten or extend the maximum connection time, the changes do not take effect until the next time the terminal is authenticated. Existing authentication sessions are unaffected.

(2) Authentication canceled by operation command

You can use the clear mac-authentication auth-state operation command to forcibly revoke the authentication status of individual MAC addresses. If the same MAC address is authenticated in more than one VLAN, the switch terminates every authentication session associated with the MAC address.

(3) De-authentication of terminals connected to link-down ports

When a port to which authenticated terminals are connected goes down, the switch clears the authentication status of terminals connected to that port.

(4) Deauthenticate authenticated terminals by MAC address table aging

The switch periodically monitors the MAC address table for entries belonging to authenticated terminals and checks for signs of recent access by those terminals. If the switch consistently finds that a particular terminal has not accessed the network, it forcibly clears the MAC-based authentication status of that terminal and moves its membership to the pre-authentication VLAN. To prevent a brief network interruption from causing a terminal to lose its authentication status, authentication is canceled only when there has been no access from the terminal for a 10-minute period after its MAC address is scheduled to be aged out of the MAC address table.

The figure below shows the relationship between the aging time specified for the MAC address table, and the time when the terminal is logged out due to MAC address table aging.

Use the default value for the aging time, or specify a larger value than the default.

Figure 10-7: Logout of authenticated terminals by MAC address table aging


If there is no access by a terminal in the 10-minute period after successful authentication, the terminal loses its authentication status immediately, regardless of the aging time.

The following figure shows a situation in which a terminal is logged out due to inactivity after successful authentication.

Figure 10-8: Logout when there is no access immediately after successful authentication


You can disable this functionality by using the no mac-authentication auto-logout configuration command. In this case, terminals are not forcibly logged out, regardless of how long they stay inactive.
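The two timing rules above (logout 10 minutes after the scheduled aging-out when the terminal has been active, and logout 10 minutes after authentication when it has never been active) are easiest to see on a timeline. The following Python model is an added example, not code from the guide or the switch firmware: it reproduces those rules over constructed sessions so an operator can predict when a given terminal would be cleared and whether a configured aging time is acceptable. All times are in minutes, the aging time is treated as a per-session timer that starts at the last observed access, and the MAC addresses and timestamps are constructed sample values; none of these assumptions come from the guide.

```python
from dataclasses import dataclass
from typing import List, Optional

# From the guide: the switch waits 10 minutes with no access before clearing a session.
INACTIVITY_GRACE_MIN = 10


@dataclass
class AuthSession:
    """One MAC-authenticated terminal (constructed model, not the switch's data structure)."""
    mac: str
    authenticated_at: float            # minute at which authentication succeeded
    last_access: Optional[float] = None  # minute of the most recent frame seen, None if none since auth


def record_access(session: AuthSession, at: float) -> None:
    """Note that the terminal was seen on the network at minute `at`."""
    if session.last_access is None or at > session.last_access:
        session.last_access = at


def scheduled_logout(session: AuthSession, aging_time_min: float, auto_logout: bool = True) -> Optional[float]:
    """Minute at which the switch would clear this session if no further access is seen.

    Returns None when `no mac-authentication auto-logout` is configured (auto_logout=False),
    because then inactivity never clears a session.
    """
    if not auto_logout:
        return None
    if session.last_access is None:
        # No access at all after authentication: cleared 10 minutes after authentication,
        # independent of the aging time (Figure 10-8 case).
        return session.authenticated_at + INACTIVITY_GRACE_MIN
    # Normal case (Figure 10-7): the MAC entry is scheduled to age out `aging_time_min`
    # after the last access; the session is cleared 10 minutes after that point.
    return session.last_access + aging_time_min + INACTIVITY_GRACE_MIN


def sessions_to_clear(sessions: List[AuthSession], now: float, aging_time_min: float,
                      auto_logout: bool = True) -> List[str]:
    """MAC addresses whose authentication status would be cleared at minute `now`."""
    cleared = []
    for s in sessions:
        due = scheduled_logout(s, aging_time_min, auto_logout)
        if due is not None and now >= due:
            cleared.append(s.mac)
    return cleared


def aging_time_is_acceptable(configured_min: float, default_min: float) -> bool:
    """The guide says to keep the default aging time or use a larger value."""
    return configured_min >= default_min


if __name__ == "__main__":
    # Constructed sample: two terminals authenticated at minute 0, aging time of 20 minutes.
    active = AuthSession(mac="00:11:22:33:44:55", authenticated_at=0)
    record_access(active, 5)
    silent = AuthSession(mac="66:77:88:99:aa:bb", authenticated_at=0)
    for minute in (9, 10, 34, 35):
        print(minute, sessions_to_clear([active, silent], now=minute, aging_time_min=20))
```

Running the script shows the silent terminal cleared at minute 10 and the active terminal at minute 35 (last access at 5, plus the 20-minute aging time, plus the 10-minute grace); with `auto_logout=False` neither is ever cleared, which is the behaviour of `no mac-authentication auto-logout`.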

(5) Deauthorization by changing VLAN settings

If you use configuration commands to change the configuration of a VLAN that includes authenticated terminals, the switch clears the authentication status of terminals associated with that VLAN.

The following configuration changes trigger a logout:
  • Deletion of a VLAN

  • Suspension of a VLAN

(6) Deauthorization by switching the authentication method

If you change the authentication method from RADIUS authentication to local authentication or vice-versa, the switch clears the authentication status of all terminals.

(7) Authentication cancellation by switching authentication mode

If you use the copy command to change the switch configuration in a manner that results in changes to the authentication mode, the switch clears the authentication status of all terminals.

(8) De-authentication due to suspension of MAC-based authentication

If a configuration command deletes the MAC-based authentication configuration resulting in the suspension of MAC-based authentication, the switch clears the authentication status of all terminals.

(9) Logout due to deletion of a dynamically registered VLAN

If you apply the switchport mac vlan configuration command to an authentication port for which a VLAN has been dynamically created, the dynamically created VLAN ID is deleted from that port, and the terminals that belonged to that VLAN lose their authentication status.