User Sessions (Devices)


The device User Sessions panel displays information related to end user login sessions for a device. 

This tab can be accessed in a variety of ways:

  1. Select a device in the left-panel Devices tab, then select the User Sessions tab in the right panel.
  2. Select the My Network navigation tree in the left panel, select a device in the Devices list, and right-click the device or open the tools menu and select View > User Sessions.
  3. Open the Control > Policy tab, select Devices in the left panel, and select the User Sessions tab in the right panel.

User Sessions Tab

This tab displays information about each login session for the ports on the device, including the current values being collected for a session still in progress, or the final values for the last valid session when there is no session currently active.

Checking the Show Only Active Sessions checkbox displays only your active sessions. Deselect the checkbox to display all entries. Active sessions applied to traffic are listed in blue text. Active sessions not being applied are listed in green text.

Some devices support multiple authentication sessions simultaneously per interface. This enables a single user to authenticate via 802.1X, Web-Based, MAC, and CEP all at the same time. However, only one authentication type per interface can be applied at a single time. The multi-user authentication type precedence (configured on the device Authentication tab) determines which type is applied. The applied session is the one that provides the role and traffic classification information. The remaining non-applied sessions are used only if the currently applied session is terminated.

For example, if a user authenticates on a port that has multi-user authentication enabled (802.1X, Web-Based, and MAC), the active/applied session is displayed in blue text and the other two sessions are displayed in green text. As another example, if the user authenticates using the MAC authentication type but MAC authentication is disabled on the port, the session is listed in green text. For devices that do not support multi-authentication, by definition the active session is also applied.
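
The applied/non-applied selection described above can be modeled in a few lines. This is an added example, not code from the product: the Session class, the function names, the user names, and the precedence order shown are assumptions for illustration (the real order is whatever is configured on the device Authentication tab).

```python
from dataclasses import dataclass

# Assumed precedence order, highest first (constructed for this example).
PRECEDENCE = ["802.1X", "Web-Based", "MAC", "CEP"]

@dataclass
class Session:
    user: str
    auth_type: str
    active: bool = True

def applied_session(sessions, precedence, enabled_types):
    """Return the single session that supplies the role on the interface."""
    candidates = [s for s in sessions
                  if s.active
                  and s.auth_type in enabled_types   # type enabled on the port
                  and s.auth_type in precedence]
    return min(candidates, key=lambda s: precedence.index(s.auth_type),
               default=None)

def display_colors(sessions, precedence, enabled_types):
    """Map auth type to 'blue' (active, applied) or 'green' (active, not applied)."""
    applied = applied_session(sessions, precedence, enabled_types)
    return {s.auth_type: ("blue" if s is applied else "green")
            for s in sessions if s.active}

def terminate(sessions, auth_type):
    """Mark the session of the given type as no longer active."""
    for s in sessions:
        if s.auth_type == auth_type:
            s.active = False

def demo():
    # Constructed sample: one user authenticated three ways on one port.
    port = [Session("alice", "802.1X"), Session("alice", "Web-Based"),
            Session("alice", "MAC")]
    enabled = {"802.1X", "Web-Based", "MAC"}
    before = display_colors(port, PRECEDENCE, enabled)
    # When the applied session ends, the next type in precedence takes over.
    terminate(port, "802.1X")
    after = display_colors(port, PRECEDENCE, enabled)
    # MAC session on a port where MAC authentication is disabled: never applied.
    mac_disabled = display_colors([Session("bob", "MAC")], PRECEDENCE, {"802.1X"})
    return before, after, mac_disabled

if __name__ == "__main__":
    for result in demo():
        print(result)
```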

  NOTE: Devices configured for multi-user authentication always list only active sessions even if the Show Only Active Sessions checkbox is deselected.

Session entries are collected up to the maximum permitted. When the maximum is reached, the oldest session entries are replaced with newer ones. The exception to this is the RoamAbout R2, where older session data is not kept.

For devices that support one authenticated user per port, only one user/current role per port appears in the table. For devices that support multiple authenticated users per port, all users authenticated on its ports are listed in the table, along with the roles under which they are authenticated.

Session Status
The status of the device.
Switch IP
The IP address or name of the device.
Switch Port
A description of the port.
Switch Alias
The alias (ifAlias) for the interface, if one is assigned.
Type
The authentication type of this login session: Web-Based, 802.1X, MAC, CEP, Quarantine, Auto Tracking, or Role Override. If Role Override is displayed, it signifies that a rule has been applied to the port, overriding the user's current role with a different role.
  • Role Override (MAC) signifies that a MAC address rule has been applied to the port, overriding the Default role or any authenticated role assigned to the end user.
  • Role Override (IP) signifies that an IP address rule has been applied to the port, overriding the Default role or any authenticated role assigned to an end user authenticated with Single User 802.1X. An IP Address rule will not override the authenticated role for any authentication type other than Single User 802.1X.
MAC Address
The MAC address of the remote user of this login session.
IP Address
For web-based authentication sessions, this column displays the IP address of the remote user of this login session.
Hostname
The hostname of the remote user of this login session. To determine the hostname, the Policy tab takes the IP address (when available) and uses the hostname cache on the ExtremeCloud IQ Site Engine server. The hostname cache must be explicitly enabled by selecting the Enable Name Resolution checkbox in the Administration > Options > Name Resolution tab (by default, this option is disabled).
Role
The role under which the user authenticated on the port. If the user authenticated via RFC 3580 VLAN Authorization, this column displays the role the VLAN is mapped to (configured through Authentication-based VLAN to Role Mapping). If VLAN to Role mapping has not been configured, the port's Default role is displayed (if there is one); otherwise, the column displays "N/A."
Default VID Source
When traffic received on a port doesn't match any rules, it is assigned the default VLAN ID. This column indicates the source for the default VLAN ID:
  • Policy Default Access Control - The role assigned to the session defines the default VLAN ID via its Default Access Control.
  • PVID - If the role assigned to the session has no Default Access Control specified, then the 802.1Q PVID for the port is assigned to the traffic.
Default VID
Displays the VLAN ID that comes from the source listed in the Default VLAN ID Source column: Permit (4095), Deny (VLAN ID #), or Contain (VLAN ID #).
RFC3580 VID
If the user authenticated via RFC 3580 VLAN Authorization, this is the VLAN ID that was returned from the RADIUS server. A VLAN ID value of 0 indicates that no VLAN was assigned. If VLAN authentication is not supported on the device, this column will display "N/A."
VLAN Oper Egress
The modification that will be made to the VLAN egress list for the VLAN ID returned by the RADIUS server, if the user authenticated via RFC 3580 VLAN Authorization.
  • None - No modification to the VLAN egress list will be made.
  • Tagged - The port will be added to the list with the egress state set to Tagged (frames will be forwarded as tagged).
  • Untagged - The port will be added to the list with the egress state set to Untagged (frames will be forwarded as untagged).
  • Dynamic - The port will use information returned in the RADIUS response to modify the VLAN egress list.

If VLAN authentication is not supported on the device, this column will display "N/A."
Start Time
The time and date when the login session started.
Duration
The duration of the user's login session, in the format D + HH:MM:SS.
Auth Status
The authentication status of the login session. Possible values are:
  • Authentication Successful
  • Authentication Failed
  • Authentication in Progress
  • Authentication Server Timeout
  • Authentication Terminated
Terminate Cause
The reason the login session terminated. For web-based authentication, the possible values are:
  • Administratively Terminated
  • Authorization Revoked
  • Link Down
  • Not Applicable
  • Port Disabled
  • Unknown Termination Cause
  • User Logged Out

For 802.1X authentication, the possible values are:
  • Authorization Revoked
  • Client Restarted
  • Link Down (or Lost Carrier)
  • Not Applicable
  • Port Disabled
  • Port Reinitialized
  • Reauthentication Failed
  • Unknown Termination Cause
  • User Logged Out
Authentication Server
The RADIUS server that authenticated the session.
