NetLogin Session Timeout and Idle Timeout

Use the following commands to configure the session timeout and idle timeout locally. The locally configured values take effect only if the RADIUS Access-Accept has not returned a session timeout or idle timeout:

configure netlogin session-timeout {dot1x | mac | web-based | convergence-endpoint} timeout
Note

If you want to scale to 65,000 authenticated users, use a session timeout value of at least 300 minutes.

configure netlogin idle-timeout {convergence-endpoint | dot1x | mac | web-based} timeout

These commands appear in show configuration {module-name} {detail} for "policy" rather than "netlogin," since they are specific to ONEPolicy mode.

The command show netlogin session {all | summary} {mac-address mac_address} {ports ports} {agent [convergence-endpoint | dot1x | mac | web-based]} shows the session timeout and idle timeout; show netlogin mac does not show any reauth/session timeout values.
# show netlogin session
 Multiple authentication session entries
 ---------------------------------------

 Port            : 1:1         Station address   : 00:00:03:00:00:00
 Auth status     : success     Last attempt      : Tue May 23 08:24:17 2017
 Agent type      : mac         Session applied   : true
 Server type     : radius      VLAN-Tunnel-Attr  : None
 Policy index    : 1           Policy name       : Extreme (active)
 Session timeout : 40          Session duration  : 0:00:02
 Idle timeout    : 20          Idle time         : 0:00:00
 Auth-Override   : enabled     Termination time: Not Terminated
# show netlogin port 1:1
 Port                          : 1:1
 Authentication                : mac-based
 Port State                    : Enabled
 Authentication Mode           : Required (Policy Enabled only)
 Max Supported Users           : 1024 (Policy Enabled only)
 Allowed Users                 : 1024 (Policy Enabled only)
 Current Users                 : 2 (Policy Enabled only)
 ------------------------------------------------
         MAC Mode Port Configuration
 ------------------------------------------------
 Re-authentication period      : 3600
 Re-authentication             : Off
 Authentication Delay          : 0 seconds (Default)
 ------------------------------------------------
         Netlogin Clients
 ------------------------------------------------

 MAC                IP address       Authenticated     Type    ReAuth-Timer   User
 00:00:03:00:00:00  0.0.0.0          Yes, Radius       MAC     0              000003000000
 00:00:03:00:00:01  0.0.0.0          Yes, Radius       MAC     0              000003000001
 -----------------------------------------------
 (B) - Client entry Blackholed in FDB


 Number of Clients Authenticated  : 2

When idle timeout is configured and the FDB is removed, the show netlogin session and show netlogin port/mac/dot1x/web-based commands continue to show the NetLogin authenticated entries until the idle timer expires. The NetLogin session and NetLogin MAC/dot1x/web table are cleared only after the idle timer expires.
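The following is an added example, not part of the original documentation or any Extreme Networks tooling: a parser for captured show netlogin session output that reports sessions whose timers differ from the locally configured values, for instance because RADIUS returned its own. The function names, the second sample session, and the assumption that each session block starts with a Port field are illustrative.

```python
import re

# Constructed sample: first session copied from the output above, second is
# made up and abridged; real multi-session layout may differ (assumption).
SAMPLE = """\
 Multiple authentication session entries
 ---------------------------------------

 Port            : 1:1         Station address   : 00:00:03:00:00:00
 Auth status     : success     Last attempt      : Tue May 23 08:24:17 2017
 Agent type      : mac         Session applied   : true
 Server type     : radius      VLAN-Tunnel-Attr  : None
 Policy index    : 1           Policy name       : Extreme (active)
 Session timeout : 40          Session duration  : 0:00:02
 Idle timeout    : 20          Idle time         : 0:00:00
 Auth-Override   : enabled     Termination time: Not Terminated

 Port            : 1:2         Station address   : 00:00:03:00:00:01
 Session timeout : 3600        Session duration  : 0:10:00
 Idle timeout    : 20          Idle time         : 0:00:05
"""

# "Key : value" pairs, two per line. Values may contain ':' (MACs, times),
# so a value ends only at a run of 2+ spaces or at end of line.
FIELD = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s+(\S.*?)(?=\s{2,}\S|\s*$)")

def parse_sessions(text):
    """Return one dict per session; a 'Port' field starts a new session."""
    sessions = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "Port":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions

def timeout_drift(sessions, session_timeout, idle_timeout):
    """List (station, field, actual) for every session timer that differs
    from the locally configured value (or is missing / non-numeric)."""
    expected = {"Session timeout": session_timeout, "Idle timeout": idle_timeout}
    drift = []
    for s in sessions:
        for field, want in expected.items():
            got = s.get(field)
            if got is None or not got.isdigit() or int(got) != want:
                drift.append((s.get("Station address"), field, got))
    return drift
```

Call timeout_drift(parse_sessions(captured_output), 40, 20) with the values you configured locally; an empty list means every listed session is running with those timers.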