Critical VLAN

You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access a limit set of network resources depending on your configuration.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA."

Any of the following RADIUS authentication server changes in the ISP domain for MAC authentication users on a port can cause users to be removed from the critical VLAN:

• An authentication server is reconfigured, added, or removed.

• The status of any RADIUS authentication server automatically changes to active or is administratively set to active.

• The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.