Port Usage Tab
(Port)

The Port Usage tab displays information related to end user login (authentication) sessions and role-based rate limit usage on a port. To display this tab, select a port in the left-panel Network Elements tab, then click the Port Usage tab in the right panel. You must click Retrieve to display the port information in the tables.

The Port Usage tab provides two sub-tabs to allow you to view the desired information:

• End User Sessions Tab
• Role-Based Rate Limits Tab

End User Sessions Tab

End User Session Settings
This area displays the current authentication state and login statistics for the port. Because this section displays information for a single end user login session, these fields are grayed out for Matrix N-Series devices that support multiple authenticated users per port.

Authentication State

Current state of the port with regard to authentication. If "None," authentication is not enabled on the device.

For web-based authentication:

• Disconnected - There is no end user currently logged in on the port.
• Authenticating - An end user is in the process of logging in and being authenticated.
• Authenticated - An end user is currently logged in and authenticated.
• Held - The port is locked and authentication attempts are not allowed. Occurs when, for example, an end user tries to log in several times with an incorrect password.

For 802.1X authentication:

• Initialize - The port is initializing. One reason for this is that the device has been reset.
• Disconnected - There is no end user currently logged in on the port.
• Connecting - The port is establishing communication with an end user.
• Authenticating - An end user is in the process of logging in and being authenticated.
• Authenticated - An end user is currently logged in and authenticated.
• Aborting - The authentication procedure is being prematurely terminated due to, for example, a re-authentication request or an authentication timeout.
• Held - The port is locked and authentication attempts are not allowed. Occurs when, for example, an end user tries to log in several times with an incorrect password.
• Default Role - An end user has connected and is using the port's default role. Occurs when the port mode is set to Inactive/Default (see Port Mode for more information).
• No Authentication - No end user can be authenticated because the port mode is set to Inactive/Discard (see Port Mode for more information).

	NOTE:	RoamAbout R2 devices always show "Authenticating" as their Authentication State. Because R2 devices can have multiple users authenticated to the same port, "Authenticating" simply denotes that the port is currently open for users to authenticate.

Authentication Server State (802.1X)

For ports using 802.1X authentication, the current status of the authentication server, or the activity in which it is currently engaged.

• Request - A request for authentication has been received by the authentication server.
• Response - The authentication server is in the process of responding to an authentication request.
• Success - Authentication of the end user has succeeded.
• Fail - Authentication of the end user has failed.
• Timeout - The authentication attempt has timed out.
• Idle - The authentication server is ready to accept authentication requests, but no requests are currently being processed.
• Initialize - The authentication server is initializing. One reason for this is because the machine on which the server is located has been reset.

Port Protocol Version (802.1X)

For ports using 802.1X authentication, the protocol version number of the EAPOL (Extensible Authentication Protocol Over LANs) implementation supported by the port.

Failed Login Attempts (total) (Web-Based)

For ports using web-based authentication, the total number of failed login attempts on this port.

Failed Login Attempts (since last success) (Web-Based)

For ports using web-based authentication, the total number of failed login attempts since the last successful login on this port.

Last Login Attempt Result (Web-Based)

For ports using web-based authentication, indicates the result (success/failure) of the last attempt to log in to this port. Possible results are as follows:

• Not logged in since last reset - No login in since reset.
• Authentication accepted - User logged in successfully.
• Authentication rejected
  • Username or password mismatch
  • User misconfiguration (e.g. Deny Remote Permission in Active Directory Users).
  or, when two RADIUS servers are configured in the device:
  • Mismatched Shared Secret in a primary RADIUS server or both RADIUS servers.
  • Unsupported protocol (e.g. CHAP) configured on the device.
• Unknown policy - No policy (Role) defined in the device.
• Unknown authentication server response - When one RADIUS server is configured in the device:
  • Wrong Authentication UDP port number defined.
  • Mismatched Shared Secret.
  • RADIUS server is not contactable, or RADIUS server is down.
  • Unsupported protocol (e.g. CHAP) configured on the device.
• Unknown authentication client error - User enters no username and password.
• Auth client disabled or unavailable - RADIUS server is disabled in the device.
• Port authentication pending - Port is in the process of authenticating.
• Port held for too many failed attempts - User reached the maximum number of failed attempts to log in.
• Port held: Max attempts exceeded - User exceeded the maximum number of failed attempts to log in once the port has been held.
• Authentication server timeout - When two RADIUS servers are configured in the device:
  • Wrong Authentication UDP port number defined in a primary RADIUS server or both RADIUS servers.
  • RADIUS servers are not contactable
  • Unsupported protocol (e.g. CHAP) configured on the device.

Last Failure Cause (MAC)

For ports using MAC authentication, the reason for the last authentication failure on the port.

By default the Show Only Active Sessions checkbox is checked, and only your active sessions (listed in blue text) are displayed. Deselect the checkbox to display all entries. Sessions listed in green text are active sessions that are not applied. For example, if a user authenticates on a port that has multi-user authentication enabled (802.1X, Web-Based, and MAC,) the active session will be displayed in blue text and the other two sessions will be in green text. Another example would be if the user authenticates using the MAC authentication type but MAC rules are disabled on the port, the session would be listed in green text.

Session entries are collected up to the maximum allowed. When the maximum is reached, the oldest session entries are replaced with newer ones. The exception to this is the RoamAbout R2, where older session data is not kept.

For devices that support one authenticated user per port, only one user/current role per port will show up in the table. For devices that support multiple authenticated users per port (such as the RoamAbout R2 and the Matrix N-Series Platinum devices), all users authenticated on the port will be listed in the table, along with the roles under which they are authenticated.

Device

The IP address or name of the device where the port is located.

Interface Name

A description of the port.

Index

The index value assigned to the port interface.

Current Role

The role under which the user authenticated on the port. If a session displays "Invalid Role" in this column, check the Invalid Role Action setting on the device Role/Rule tab to see the action that was configured in the event a user is assigned an unknown or invalid role. If the user authenticated via RFC 3580 VLAN Authorization, this column will display the role the VLAN is mapped to (configured through Authentication-based VLAN to Role Mapping). If VLAN to Role mapping has not been configured, the port's Default role will be displayed (if there is one); otherwise, the column will display "N/A."

VLAN ID

If the user authenticated via RFC 3580 VLAN Authorization, this is the VLAN ID that was returned from the RADIUS server. A VLAN ID value of 0 indicates that no VLAN was assigned. If VLAN authentication is not supported on the device, this column will display "N/A."

VLAN Oper Egress

The modification that will be made to the VLAN egress list for the VLAN ID returned by the RADIUS server, if the user authenticated via RFC 3580 VLAN Authorization.

• None - No modification to the VLAN egress list will be made.
• Tagged - The port will be added to the list with the egress state set to Tagged (frames will be forwarded as tagged.)
• Untagged - The port will be added to the list with the egress state set to Untagged (frames will be forwarded as untagged.).

If VLAN authentication is not supported on the device, this column will display "N/A." Use the port Authentication Configuration tab to change these settings, if desired.

Type

The authentication type of this login session: Web-Based, 802.1X, MAC, or Role Override (Matrix N-Series Platinum devices only). If Role Override is displayed, it signifies that a rule has been applied to the port, overriding the user's current role with a different role. An example of this would be if the Automated Security Manager has detected a threat on the port, and used a MAC address rule to apply the Quarantine role to the end user.

• Role Override (MAC) signifies that a MAC address rule has been applied to the port, overriding the Default role or any authenticated role assigned to the end user.
• Role Override (IP) signifies that an IP address rule has been applied to the port, overriding the Default role or any authenticated role assigned to an end user authenticated with Single User 802.1X. An IP Address rule will not override the authenticated role for any authentication type other than Single User 802.1X.

IP Address

The IP address of the remote user of this login session.

MAC Address

The MAC address of the remote user of this login session.

Authentication Status

On Matrix N-Series Platinum devices, the authentication status of the login session. All other devices will display "N/A." Possible values are:

• Authentication Successful
• Authentication Failed
• Authentication in Progress
• Authentication Server Timeout
• Authentication Terminated

Terminate Cause

The reason the login session terminated. For web-based authentication, the possible values are:

• Administratively Terminated
• Authorization Revoked
• Link Down
• Not Applicable
• Port Disabled
• Unknown Termination Cause
• User Logged Out

For 802.1X authentication, the possible values are:

• Authorization Revoked
• Client Restarted
• Link Down (or Lost Carrier)
• Not Applicable
• Port Disabled
• Port Reinitialized
• Reauthentication Failed
• Unknown Termination Cause
• User Logged Out

Session ID

A unique identifier for the session. For devices that support multiple authenticated users per port, each user on the port will have a different session ID. Sessions with an authentication type of MAC or Role Override will display "N/A."

User Name

The user name provided by the end user at login (authentication).

Received Bytes

The number of bytes received in user data frames on this port during this session. Matrix N-Series devices must be created using SNMPv3 in order to see this value. N-Series devices using SNMPv1 will display "N/A."

Transmitted Bytes

The number of bytes transmitted in user data frames on this port during this session. Matrix N-Series devices must be created using SNMPv3 in order to see this value. N-Series devices using SNMPv1 will display "N/A."

Received Frames

The number of user data frames received on this port during this session.

Transmitted Frames

The number of user data frames transmitted on this port during this session.

Start Time

The time and date when the login session started.

Duration

The duration of the user's login session, in the format D + HH:MM:SS.

Retrieve Button

Displays the latest information for the port.

Terminate Button

Select an active session and click Terminate to end the session. If multiple sessions are selected, only active sessions will be terminated. You cannot terminate a session on a frozen port and you cannot terminate Role Override (IP) or Role Override (MAC) sessions that were created through the CLI (command line interface).

Lock MAC Address Button

Enables MAC Locking on the selected port(s) (static MAC locking). MAC locking must be enabled on the device in order for it to be enabled on a port.

Show Only Active Sessions Checkbox

Select this checkbox to display only active sessions (listed in blue text) in the table.

Role-Based Rate Limits Tab

Role-based rate limit functionality is available only on certain devices such as the Matrix N-Series Gold and Platinum devices (refer to the Firmware Feature Support tables in the release notes for specific device/firmware rate limit support.) For more information, see Defining Role Based Rate Limits.

Violations Table
This table lists rate limit violation information for the port.

Name

The port interface name.

Index

The port index number.

Rate Limit

The rate limit that has been violated (exceeded).

Generated System Log

Indicates whether a syslog message was generated when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.

Generated Trap

Indicates whether an audit trap was generated when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.

Port Disabled

Indicates whether the port was disabled when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.

Retrieve

Retrieves the most recent rate limit violations information for the port.

Clear

Clears the violations table. If port traffic continues to exceed the rate limit, the violations will reappear in the table.

Counters Table
This table lists rate limit count information for the port.

Name

The port interface name.

Index

The port index number.

Rate Limit

The rate limit in effect on the port.

Count

The total number of the defined rate limit units (packets or bytes) received on the port.

Retrieve

Retrieves the most recent port count information.

Clear

Clears the port counters table.

Related Information

• Authentication
• MAC Locking
• Getting Started with Class of Service

• How to Configure Ports
• Authentication Configuration Guide
• Defining Role-Based Rate Limits

• Authentication Configuration Tab
• General Tab (Port)
• General Tab (Rate Limit)