76
Critical VLAN
You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication
because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the
critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned
to the critical VLAN. For more information about RADIUS configuration, see "
."
For more information about VLAN configuration and MAC-based VLAN, see
Layer 2
—
LAN Switching
Configuration Guide
.
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X
access control mode.
1.
On a port that performs port-based access control
Authentication status
VLAN manipulation
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
Assigns the critical VLAN to the port as the PVID. The 802.1X
user and all subsequent 802.1X users on this port can access
only resources in the critical VLAN.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS
servers are unreachable.
The critical VLAN is still the PVID of the port, and all 802.1X
users on this port are in this VLAN.
A user in the 802.1X critical VLAN fails
authentication for any other reason than
server unreachable.
If an Auth-Fail VLAN has been configured, the PVID of the port
changes to Auth-Fail VLAN ID, and all 802.1X users on this port
are moved to the Auth-Fail VLAN.
A user in the critical VLAN passes 802.1X
authentication.
•
Assigns the VLAN specified for the user to the port as the
PVID, and removes the port from the critical VLAN. After the
user logs off, the default or user-configured PVID restores.
•
If the authentication server assigns no VLAN, the default or
user-configured PVID applies. The user and all subsequent
802.1X users are assigned to this port VLAN. After the user
logs off, this PVID remains unchanged.
A user in the 802.1X guest VLAN or the
Auth-Fail VLAN fails authentication because
all the RADIUS servers is reachable.
The PVID of the port remains unchanged. All 802.1X users on
this port can access only resources in the guest VLAN or the
Auth-Fail VLAN.
2.
On a port that performs MAC-based access control
To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you
must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
Authentication status
VLAN manipulation
A user that has not been assigned to any
VLAN fails 802.1X authentication because
all the RADIUS servers are unreachable.
Maps the MAC address of the user to the critical VLAN. The
user can access only resources in the critical VLAN.