dot1x critical vlan

Syntax

dot1x critical vlan vlan-id

undo dot1x critical vlan

View

Layer 2 Ethernet interface view

Default level

2: System level

Parameters

vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created.

Description

Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for 802.1X users that have failed authentication because all the RADIUS authentication servers in their ISP domain are unreachable.

Use undo dot1x critical vlan to restore the default.

By default, no 802.1X critical VLAN is configured on a port.

The 802.1X critical VLAN configuration applies to 802.1X users that use only RADIUS authentication servers and have failed authentication because all the servers in their ISP domain have become unavailable (inactive), for example, because of a loss of network connectivity. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.

You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different ports can be different.

Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.

To have the 802.1X critical VLAN take effect, complete the following tasks:

When you change the access control method from MAC-based to port-based on the port, the mappings between MAC addresses and the 802.1X critical VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.

When you change the access control method from port-based to MAC-based on a port that is in a critical VLAN, the port is removed from the critical VLAN.

To delete a VLAN that has been configured as an 802.1X critical VLAN, you must remove the 802.1X critical VLAN configuration first.

Related commands: dot1x, dot1x port-method, and dot1x critical recovery-action.

Examples

# Specify VLAN 3 as the 802.1X critical VLAN for port Ethernet 1/0/1.

<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x critical vlan 3
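
The constraints in the Description (VLAN ID in the range of 1 to 4094, VLAN already created, ID different from the voice VLAN and the port VLAN on the same port) can be checked offline against a saved configuration. The following Python script is an added example, not part of the original command reference; the sample configuration is constructed, and the vlan, port access vlan, and voice vlan ... enable line formats it parses are assumptions.

```python
import re

# Constructed sample; the "vlan N", "port access vlan", "voice vlan" forms are assumed.
SAMPLE_CONFIG = """\
vlan 3
vlan 10
interface Ethernet1/0/1
 port access vlan 10
 dot1x critical vlan 3
interface Ethernet1/0/2
 voice vlan 10 enable
 dot1x critical vlan 10
interface Ethernet1/0/3
 dot1x critical vlan 30
"""

PORT_PATTERNS = {  # per-port settings to track; the first two are assumed syntax
    "port VLAN": re.compile(r"port access vlan (\d+)"),
    "voice VLAN": re.compile(r"voice vlan (\d+) enable"),
    "critical": re.compile(r"dot1x critical vlan (\d+)"),
}

def audit_critical_vlans(config_text):
    """Return (interface, problem) pairs for 802.1X critical VLAN settings."""
    created, ports, current = set(), {}, None
    for line in map(str.strip, config_text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            created.add(int(m.group(1)))      # VLAN creation line
            current = None
        elif m := re.fullmatch(r"interface (.+)", line):
            current = ports.setdefault(m.group(1), {})
        elif current is not None:
            for key, pattern in PORT_PATTERNS.items():
                if m := pattern.fullmatch(line):
                    current[key] = int(m.group(1))
    findings = []
    for name, port in ports.items():
        crit = port.get("critical")
        if crit is None:
            continue                          # no critical VLAN on this port
        if not 1 <= crit <= 4094 or crit not in created:
            findings.append((name, f"VLAN {crit} is not a created VLAN in 1-4094"))
        for role in ("port VLAN", "voice VLAN"):
            if port.get(role) == crit:        # IDs must differ on the same port
                findings.append((name, f"VLAN {crit} is also the {role}"))
    return findings

if __name__ == "__main__":
    print(*audit_critical_vlans(SAMPLE_CONFIG), sep="\n")
```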