Use the following commands to configure session timeout and idle timeout locally. These commands take effect if RADIUS access-accept has not returned any session timeout/idle timeout:
Note
If you want to scale to 65,000 authenticated users, use a session timeout value of at least 300 minutes.

configure netlogin idle-timeout {convergence-endpoint | dot1x | mac | web-based} timeout
These commands appear in show configuration {module-name} {detail} for "policy" rather than "netlogin," since they are specific to ONEPolicy mode.
# show netlogin session
Multiple authentication session entries
---------------------------------------
Port            : 1:1                  Station address : 00:00:03:00:00:00
Auth status     : success              Last attempt    : Tue May 23 08:24:17 2017
Agent type      : mac                  Session applied : true
Server type     : radius               VLAN-Tunnel-Attr : None
Policy index    : 1                    Policy name     : Extreme (active)
Session timeout : 40                   Session duration : 0:00:02
Idle timeout    : 20                   Idle time       : 0:00:00
Auth-Override   : enabled              Termination time: Not Terminated
# show netlogin port 1:1
Port                 : 1:1
Authentication       : mac-based
Port State           : Enabled
Authentication Mode  : Required (Policy Enabled only)
Max Supported Users  : 1024 (Policy Enabled only)
Allowed Users        : 1024 (Policy Enabled only)
Current Users        : 2 (Policy Enabled only)
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication        : Off
Authentication Delay     : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC                IP address  Authenticated  Type  ReAuth-Timer  User
00:00:03:00:00:00  0.0.0.0     Yes, Radius    MAC   0             000003000000
00:00:03:00:00:01  0.0.0.0     Yes, Radius    MAC   0             000003000001
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated : 2
When idle timeout is configured and the FDB entry is removed, the show netlogin session and show netlogin port / mac/dot1x/web-based commands continue to show the NetLogin authenticated entries until the idle timer expires. The NetLogin session and the NetLogin MAC/dot1x/web table are cleared only after the idle timer expires.
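
An added example (not part of the original documentation and not Extreme Networks code): a Python parser for the show netlogin session output above that lists stations whose session timeout is below a chosen minimum and stations that are currently accumulating idle time, which are the entries that stay listed until the idle timer expires. The second session entry is constructed sample data, and comparing the displayed Session timeout value against the 300 from the scaling note assumes both use the same unit.

```python
import re

# Field labels exactly as printed by `show netlogin session` on this page.
FIELDS = ["Port", "Station address", "Auth status", "Last attempt",
          "Agent type", "Session applied", "Server type", "VLAN-Tunnel-Attr",
          "Policy index", "Policy name", "Session timeout", "Session duration",
          "Idle timeout", "Idle time", "Auth-Override", "Termination time"]
LABEL = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r")\s*:\s*")

def parse_sessions(text):
    """Split the output on field labels, so the column layout does not matter."""
    sessions, marks = [], list(LABEL.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if m.group(1) == "Port":              # every entry starts with Port
            sessions.append({})
        if sessions:
            sessions[-1][m.group(1)] = text[m.end():end].strip(" -\r\n\t")
    return sessions

def to_seconds(hms):
    """Convert the h:mm:ss form used by Session duration / Idle time."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def below_minimum(sessions, minimum=300):
    """Stations whose Session timeout is under `minimum` (unit is an assumption)."""
    return [s["Station address"] for s in sessions
            if int(s["Session timeout"]) < minimum]

def idle_stations(sessions):
    """Stations with a running idle timer; they stay listed until it expires."""
    return [s["Station address"] for s in sessions
            if to_seconds(s["Idle time"]) > 0]

# Constructed sample: entry 1 mirrors the page (flattened), entry 2 is invented.
SAMPLE = """# show netlogin session
Multiple authentication session entries ---------------------------------------
Port : 1:1 Station address : 00:00:03:00:00:00 Auth status : success Last attempt : Tue May 23 08:24:17 2017 Agent type : mac Session applied : true Server type : radius VLAN-Tunnel-Attr : None Policy index : 1 Policy name : Extreme (active) Session timeout : 40 Session duration : 0:00:02 Idle timeout : 20 Idle time : 0:00:00 Auth-Override : enabled Termination time: Not Terminated
Port            : 1:1          Station address : 00:00:03:00:00:01
Session timeout : 300          Session duration : 0:05:10
Idle timeout    : 20           Idle time       : 0:00:12
"""

if __name__ == "__main__":
    entries = parse_sessions(SAMPLE)
    print("below minimum:", below_minimum(entries))
    print("idle:", idle_stations(entries))
```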