dot1x critical vlan
Syntax
dot1x critical vlan vlan-id
undo dot1x critical vlan
View
Layer 2 Ethernet interface view
Default level
2: System level
Parameters
vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created.
Description
Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for 802.1X users that have failed authentication because all the RADIUS authentication servers in their ISP domain are unreachable.
Use undo dot1x critical vlan to restore the default.
By default, no 802.1X critical VLAN is configured on a port.
The 802.1X critical VLAN configuration applies to 802.1X users that use only RADIUS authentication servers and have failed authentication because all the servers in their ISP domain have become unavailable (inactive), for example, because of a loss of network connectivity. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.
You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different ports can be different.
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so that the port can correctly process VLAN-tagged incoming traffic.
To have the 802.1X critical VLAN take effect, complete the following tasks:
Enable 802.1X both globally and on the interface.
If the port performs port-based access control, enable the 802.1X multicast trigger function.
If the port performs MAC-based access control, configure the MAC-based VLAN function on the port.
When you change the access control method from MAC-based to port-based on the port, the mappings between MAC addresses and the 802.1X critical VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.
When you change the access control method from port-based to MAC-based on a port that is in a critical VLAN, the port is removed from the critical VLAN.
To delete a VLAN that has been configured as an 802.1X critical VLAN, you must remove the 802.1X critical VLAN configuration first.
Related commands: dot1x, dot1x port-method, and dot1x critical recovery-action.
Examples
# Specify VLAN 3 as the 802.1X critical VLAN for port Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x critical vlan 3
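The requirements listed in the Description can be checked offline against a saved configuration; the following Python script is an added example, not part of the original command reference, and audit() is a hypothetical helper. It assumes a configuration listing with one-space indentation inside each view, and the command spellings dot1x multicast-trigger, mac-vlan enable, voice vlan and port ... pvid vlan, which do not appear on this page. It also assumes that the multicast trigger is on unless the port carries the undo form, and that a port without dot1x port-method portbased uses MAC-based access control.

```python
import re
# Constructed sample configuration, not taken from the page.
SAMPLE = """\
dot1x
vlan 3
interface Ethernet1/0/1
 dot1x
 dot1x port-method portbased
 dot1x critical vlan 3
interface Ethernet1/0/2
 port hybrid pvid vlan 3
 dot1x port-method portbased
 undo dot1x multicast-trigger
 dot1x critical vlan 3
interface Ethernet1/0/3
 dot1x
 dot1x port-method macbased
 dot1x critical vlan 20
"""

def audit(config):
    """Map each port with a critical VLAN to its unmet requirements."""
    top, ports, cur = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace():
            cur.add(line)                  # command inside the current view
        elif line.startswith("interface "):
            cur = ports.setdefault(line.split()[1], set())
        elif line:
            top.add(line)                  # system-view command
            cur = set()                    # non-interface view: contents ignored
    created = {"1"} | {l[5:] for l in top if re.fullmatch(r"vlan \d+", l)}
    report = {}
    for port, cmds in ports.items():
        crit = next((c[20:] for c in cmds if re.fullmatch(r"dot1x critical vlan \d+", c)), None)
        if crit is None:
            continue                       # no critical VLAN on this port
        clash = rf"(port \S+( pvid)? vlan|voice vlan) {crit}( enable)?"
        portbased = "dot1x port-method portbased" in cmds  # assumption: else MAC-based
        checks = [
            (crit not in created, "critical VLAN not created"),
            (any(re.fullmatch(clash, c) for c in cmds), "critical VLAN ID also used as port VLAN or voice VLAN"),
            ("dot1x" not in top or "dot1x" not in cmds, "802.1X not enabled both globally and on the port"),
            (portbased and "undo dot1x multicast-trigger" in cmds, "port-based control with multicast trigger disabled"),
            (not portbased and "mac-vlan enable" not in cmds, "MAC-based control without MAC-based VLAN"),
        ]
        report[port] = [msg for failed, msg in checks if failed]
    return report
```

An empty list for a port means every requirement checked here is met; ports without a critical VLAN are left out of the result.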