Port Usage Tab (Device)
The device Port Usage tab displays information related to end user login (authentication) sessions, rate limit violations, and CEP (Convergence End Point) connections on a device. To display this tab, select a device in the left-panel Network Elements tab, then click the Port Usage tab in the right panel. You must click Retrieve to display the port information in the tables.
The Port Usage tab provides three sub-tabs to allow you to view the desired information:
End User Sessions Tab
This tab displays information about each login session for the ports on the device, including the current values being collected for a session still in progress, or the final values for the last valid session when there is no session currently active. You must click Retrieve to display the port information in the table.
By default the Show Only Active Sessions checkbox is checked, and only your active sessions are displayed. Deselect the checkbox to display all entries. Active sessions that are being applied to traffic are listed in blue text. Active sessions that are not being applied are listed in green text.
Some devices support multiple authentication sessions simultaneously per interface. This allows a single user to authenticate via 802.1X, Web-Based, MAC, and CEP all at the same time. However, only one authentication type per interface can be applied at a single time. The multi-user authentication type precedence (configured on the device Authentication tab) determines which type will be applied. The applied session is the one that provides the role and traffic classification information. The remaining non-applied sessions will only be used if the currently applied session is terminated. For example, if a user authenticates on a port that has multi-user authentication enabled (802.1X, Web-Based, and MAC), the active/applied session will be displayed in blue text and the other two sessions will be in green text. As another example, if the user authenticates using the MAC authentication type but MAC authentication is disabled on the port, the session is listed in green text. For devices that do not support multi-authentication, by definition the active session is also applied.
NOTE: Devices configured for multi-user authentication always list only active sessions even if the Show Only Active Sessions checkbox is deselected.
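The applied versus not-applied selection described above, sketched as an added example (not Policy Manager or device code). The precedence order, role names and helper names are assumptions for illustration; the real precedence is whatever is configured on the device Authentication tab. It also shows which role takes over when the applied session is terminated.

```python
from dataclasses import dataclass

# Assumed sample order; the real precedence is set on the device Authentication tab.
SAMPLE_PRECEDENCE = ["802.1X", "Web-Based", "MAC", "CEP"]

@dataclass
class Session:
    auth_type: str      # value from the Type column
    role: str           # role this session would provide if applied
    active: bool = True

def classify(sessions, precedence, enabled_on_port):
    """Return (applied session or None, {auth_type: display colour})."""
    # Only active sessions whose type is enabled on the port can be applied.
    eligible = [s for s in sessions
                if s.active and s.auth_type in enabled_on_port
                and s.auth_type in precedence]
    # The eligible session whose type ranks first in the precedence is applied.
    applied = min(eligible, key=lambda s: precedence.index(s.auth_type),
                  default=None)
    colours = {}
    for s in sessions:
        if not s.active:
            colours[s.auth_type] = "not active"
        elif s is applied:
            colours[s.auth_type] = "blue"    # active and applied
        else:
            colours[s.auth_type] = "green"   # active, not applied
    return applied, colours

def terminate(sessions, auth_type):
    """Mark the session of the given type as ended (hypothetical helper)."""
    for s in sessions:
        if s.auth_type == auth_type:
            s.active = False

if __name__ == "__main__":
    # Constructed sample: one user authenticated three ways on one port.
    port = [Session("802.1X", "Staff"), Session("Web-Based", "Guest"),
            Session("MAC", "Printer")]
    enabled = {"802.1X", "Web-Based", "MAC"}
    applied, colours = classify(port, SAMPLE_PRECEDENCE, enabled)
    print(applied.role, colours)
    terminate(port, "802.1X")   # the next type in precedence now supplies the role
    applied, colours = classify(port, SAMPLE_PRECEDENCE, enabled)
    print(applied.role, colours)
```
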
Session entries are collected up to the maximum allowed. When the maximum is reached, the oldest session entries are replaced with newer ones. The exception to this is the RoamAbout R2, where older session data is not kept.
For devices that support one authenticated user per port, only one user/current role per port will show up in the table. For devices that support multiple authenticated users per port, all users authenticated on its ports will be listed in the table, along with the roles under which they are authenticated.
- Type
- The authentication type of this login session: Web-Based, 802.1X, MAC, CEP, Quarantine, Auto Tracking, or Role Override. If Role Override is displayed, it signifies that a rule has been applied to the port, overriding the user's current role with a different role. An example of this would be if the Automated Security Manager has detected a threat on the port, and used a MAC address rule to apply the Quarantine role to the end user.
- Role Override (MAC) signifies that a MAC address rule has been applied to the port, overriding the Default role or any authenticated role assigned to the end user.
- Role Override (IP) signifies that an IP address rule has been applied to the port, overriding the Default role or any authenticated role assigned to an end user authenticated with Single User 802.1X. An IP Address rule will not override the authenticated role for any authentication type other than Single User 802.1X.
- IP Address
- For web-based authentication sessions, this column displays the IP address of the remote user of this login session. If Anti-Spoofing is enabled and configured, this column displays IP addresses found in the Anti-Spoofing MAC-to-IP address binding table. For more information, see How to Configure Anti-Spoofing.
- Hostname
- The hostname of the remote user of this login session. To determine the hostname, Policy Manager takes the IP address (when available) and uses the hostname cache on the NetSight server. The hostname cache must be explicitly enabled by selecting the "Enable Name Resolution" option in the Tools > Options > Suite Options > Name Resolution panel (by default, this option is disabled). Once the hostname cache is enabled, name resolution must be enabled for Port Usage tabs using the Tools > Options > Policy Manager > Name Resolution (PM) panel.
- Current Role
- The role under which the user authenticated on the port. If a session displays "Invalid Role" in this column, check the Invalid Role Action setting on the device Role/Rule tab to see the action that was configured in the event a user is assigned an unknown or invalid role. If the user authenticated via RFC 3580 VLAN Authorization, this column will display the role the VLAN is mapped to (configured through Authentication-based VLAN to Role Mapping). If VLAN to Role mapping has not been configured, the port's Default role will be displayed (if there is one); otherwise, the column will display "N/A."
- Default VLAN ID Source
- When traffic received on a port doesn't match any rules, it is assigned the default VLAN ID. This column indicates the source for the default VLAN ID:
- Policy Default Access Control - The role assigned to the session defines the default VLAN ID via its Default Access Control.
- PVID - If the role assigned to the session has no Default Access Control specified, then the 802.1Q PVID for the port is assigned to the traffic.
- Default VLAN ID
- Displays the VLAN ID that comes from the source listed in the Default VLAN ID Source column: Permit (4095), Deny (VLAN ID #), or Contain (VLAN ID #).
- RFC3580 VLAN ID
- If the user authenticated via RFC 3580 VLAN Authorization, this is the VLAN ID that was returned from the RADIUS server. A VLAN ID value of 0 indicates that no VLAN was assigned. If VLAN authentication is not supported on the device, this column will display "N/A."
- VLAN Oper Egress
- The modification that will be made to the VLAN egress list for the VLAN ID returned by the RADIUS server, if the user authenticated via RFC 3580 VLAN Authorization.
- None - No modification to the VLAN egress list will be made.
- Tagged - The port will be added to the list with the egress state set to Tagged (frames will be forwarded as tagged).
- Untagged - The port will be added to the list with the egress state set to Untagged (frames will be forwarded as untagged).
- Dynamic - The port will use information returned in the RADIUS response to modify the VLAN egress list.
- If VLAN authentication is not supported on the device, this column will display "N/A." Use the Port Properties Authentication Configuration tab to change these settings, if desired.
- Start Time
- The time and date when the login session started.
- Duration
- The duration of the user's login session, in the format D + HH:MM:SS.
- Authentication Status
- The authentication status of the login session. Possible values are:
- Authentication Successful
- Authentication Failed
- Authentication in Progress
- Authentication Server Timeout
- Authentication Terminated
- Terminate Cause
- The reason the login session terminated. For web-based authentication, the possible values are:
- Administratively Terminated
- Authorization Revoked
- Link Down
- Not Applicable
- Port Disabled
- Unknown Termination Cause
- User Logged Out
- For 802.1X authentication, the possible values are:
- Authorization Revoked
- Client Restarted
- Link Down (or Lost Carrier)
- Not Applicable
- Port Disabled
- Port Reinitialized
- Reauthentication Failed
- Unknown Termination Cause
- User Logged Out
- Authentication Server
- The RADIUS server that authenticated the session.
- Session ID
- A unique identifier for the session. For devices that support multiple authenticated users per port, each user on the port will have a different session ID. Sessions with an authentication type of MAC or Role Override will display "N/A."
- User Name
- The user name provided by the end user at login (authentication).
- Received Bytes
- The number of bytes received in user data frames on this port during this session. Devices must be created using SNMPv3 in order to see this value. Devices using SNMPv1 will display "N/A."
- Transmitted Bytes
- The number of bytes transmitted in user data frames on this port during this session. Devices must be created using SNMPv3 in order to see this value. Devices using SNMPv1 will display "N/A."
- Received Frames
- The number of user data frames received on this port during this session.
- Transmitted Frames
- The number of user data frames transmitted on this port during this session.
- Terminate Button
- Select an active session and click Terminate to end the session. If multiple sessions are selected, only active sessions will be terminated. You cannot terminate sessions on frozen ports and you cannot terminate Role Override (IP) or Role Override (MAC) sessions that were created through the CLI (command line interface). See Terminating a Session for more information.
- Lock MAC Address Button
- Enables MAC Locking on the selected port(s) (static MAC locking). MAC locking must be enabled on the device in order for it to be enabled on a port.
- Show Only Active Sessions Checkbox
- Select this checkbox to display only active sessions (listed in blue text) in the table.
Rate Limit Violations Tab
This tab displays information about the rate limit violations for the ports on the device, including the current data being collected for sessions in progress and data from previous sessions. You must click Retrieve to display the port information in the tables. For more information, see Defining Rate Limits.
- Generated System Log
- Indicates whether a syslog message was generated when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.
- Generated Trap
- Indicates whether an audit trap was generated when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.
- Port Disabled
- Indicates whether the port was disabled when the rate limit was first exceeded. You can specify this action on a per-rate limit basis in the rate limit General tab.
- Retrieve Button
- Retrieves the most recent rate limit violations information for the ports on the device.
- Clear Button
- Clears the violations table. If port traffic continues to exceed the rate limit, the violations will reappear in the table.
CEP Usage Tab
This tab displays information about each CEP connection for the ports on the device, including the date and time the connection was made. For devices that support one CEP connection per port, a connection entry remains in the table until a new connection is made on that port or the system is rebooted.
Refer to the device Authentication tab (CEP sub-tab) for information on enabling and configuring CEP on devices that support it.
- Current Role
- The assigned role for the CEP connection. Each CEP product type has a role mapped to it. When a CEP connects to the network, the device identifies the CEP type and applies the assigned role. You can map a role for a CEP using the device Authentication tab (CEP sub-tab).
- MAC Address
- The MAC address of the CEP connecting to the port.
- Start Time
- The date and time the connection was made.