Understanding Authentication Session Timeout on MX Series Routers

Starting with Junos OS Release 14.2, you can specify authentication session timeout values for captive portal authentication sessions and 802.1X and MAC RADIUS authentication sessions.

For captive portal authentication, the length of the session depends on the value configured for the session-expiry statement. The remainder of this topic pertains only to 802.1X and MAC RADIUS authentication sessions.

For 802.1X and MAC RADIUS authentication sessions, the session timeout depends on the value of the reauthentication interval for dot1x authentication. The authentication session might also end when the MAC table aging time expires because, unless you configure it not to, the session is removed from the authentication session table when the MAC address is removed from the Ethernet switching table.

Information about each 802.1X and MAC RADIUS authentication session, including the associated interfaces and VLANs for each MAC address that is authenticated by 802.1X authentication or MAC RADIUS authentication, is stored in the authentication session table. The authentication session table is tied to the Ethernet switching table (also called the MAC table). Each time the switch detects traffic from a MAC address, it updates the timestamp for that network node in the Ethernet switching table. A timer on the switch periodically checks the timestamp, and if its value exceeds the user-configured mac-table-aging-time value, the switch removes the MAC address from the Ethernet switching table. When a MAC address ages out of the Ethernet switching table, the entry for that MAC address is also removed from the authentication database, with the result that the session ends.

You can control variables affecting timeout of authentication sessions in the following ways:

  • Set the authentication session timeout on all interfaces or on selected interfaces using the reauthentication statement.

  • Disassociate the authentication session table from the Ethernet switching table using the no-mac-table-binding statement. This setting prevents the termination of the authentication session when the associated MAC address ages out of the Ethernet switching table.
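The following Python model is an added example, not Juniper code. It works through the timing described above: a session ends either at the reauthentication timeout or, when the session table is bound to the Ethernet switching table, at the first aging-timer check after the MAC address has been idle longer than mac-table-aging-time. The names, the 10-second timer period, the 3600/300-second values, and the traffic samples are all assumptions made for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Settings:
    reauthentication: int               # session timeout in seconds (reauthentication statement)
    mac_table_aging_time: int           # seconds (mac-table-aging-time)
    no_mac_table_binding: bool = False  # True models the no-mac-table-binding statement
    aging_check_period: int = 10        # ASSUMPTION: how often the aging timer runs


def mac_age_out(traffic: List[int], s: Settings, horizon: int) -> Optional[int]:
    """Return the first timer tick at which the MAC entry is removed, or None."""
    seen = sorted(traffic)
    for tick in range(s.aging_check_period, horizon + 1, s.aging_check_period):
        idx = bisect_right(seen, tick)
        if idx == 0:
            continue  # no traffic seen yet, so there is no entry to age
        if tick - seen[idx - 1] > s.mac_table_aging_time:
            return tick
    return None


def session_end(traffic: List[int], s: Settings) -> Tuple[int, str]:
    """Return (seconds after authentication, reason) for when the session ends."""
    if not s.no_mac_table_binding:
        aged = mac_age_out(traffic, s, s.reauthentication)
        if aged is not None and aged < s.reauthentication:
            return aged, "mac-table-aging"
    return s.reauthentication, "reauthentication"


# Constructed sample traffic (seconds after authentication at t=0).
QUIET_HOST = [0, 100, 200]               # a device that goes silent after 200 s
CHATTY_HOST = list(range(0, 3601, 60))   # a device that sends a frame every minute

if __name__ == "__main__":
    bound = Settings(reauthentication=3600, mac_table_aging_time=300)
    unbound = Settings(3600, 300, no_mac_table_binding=True)
    for name, traffic in (("quiet", QUIET_HOST), ("chatty", CHATTY_HOST)):
        for label, cfg in (("bound", bound), ("no-mac-table-binding", unbound)):
            print(name, label, session_end(traffic, cfg))
```

The model treats the reauthentication timeout as the end of the session and does not simulate a reauthentication that follows it.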

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release | Description
14.2 | Starting with Junos OS Release 14.2, you can specify authentication session timeout values for captive portal authentication sessions and 802.1X and MAC RADIUS authentication sessions.