Critical VLAN
You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."
Any of the following RADIUS authentication server changes in the ISP domain for MAC authentication users on a port can cause users to be removed from the critical VLAN:
An authentication server is added to the ISP domain and the server is reachable.
A response from a RADIUS authentication server is received.
The RADIUS server probing function detects that a RADIUS authentication server is reachable.