Critical VSI
The 802.1X critical VSI on a port accommodates 802.1X users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VSI can access a limited set of network resources in the VXLAN associated with this VSI.
The critical VSI feature takes effect when 802.1X authentication is performed only through RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VSI. For more information about the authentication methods, see "Configuring AAA."
The VTEP handles VSIs on an 802.1X-enabled port based on its 802.1X access control method.
For port-based access control
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs port-based access control:
| Authentication status | VSI manipulation |
|---|---|
| A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable. | The VTEP assigns the port to the critical VSI. The 802.1X user and all subsequent 802.1X users from the same VLAN on this port can access only resources in the VXLAN associated with the critical VSI. |
| A user in the 802.1X critical VSI fails authentication because all the RADIUS servers are unreachable. | The port is still in the critical VSI, and all 802.1X users from the same VLAN on this port are in the critical VSI. |
| A user in the 802.1X critical VSI fails authentication for any reason other than unreachable servers. | If an 802.1X Auth-Fail VSI has been configured for the port, the VTEP assigns the port to the 802.1X Auth-Fail VSI. If no 802.1X Auth-Fail VSI is configured for the port, the VTEP logs off the user. |
| A user in the 802.1X critical VSI passes 802.1X authentication. | The VTEP removes the port from the 802.1X critical VSI and assigns the port to the authorization VSI. After the user logs off, the port is removed from the authorization VSI. If the port has been configured with the 802.1X guest VSI, the VTEP assigns the port to the guest VSI. |
| A user in the 802.1X Auth-Fail VSI fails authentication because all the RADIUS servers are unreachable. | The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the VXLAN associated with the 802.1X Auth-Fail VSI. |
| A user that has passed authentication fails reauthentication because all the RADIUS servers are unreachable, and is logged out of the device. | The VTEP assigns the port to the critical VSI. |
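The port-based transitions in the table above, modelled as a small state machine so the VSI a port ends up in after a RADIUS outage can be checked row by row. This is an added example, not code from the H3C documentation or the device; `VsiConfig`, `PortState`, `step()` and the event names are this example's own, and events the table does not describe raise an error rather than guessing.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class VsiConfig:
    critical: str                    # 802.1X critical VSI on the port
    auth_fail: Optional[str] = None  # 802.1X Auth-Fail VSI, if configured
    guest: Optional[str] = None      # 802.1X guest VSI, if configured


@dataclass(frozen=True)
class PortState:
    vsi: Optional[str] = None  # VSI the port is currently assigned to
    online: bool = False       # an authenticated 802.1X user is online on the port


def step(st: PortState, cfg: VsiConfig, event: str,
         authz_vsi: Optional[str] = None) -> PortState:
    """Apply one event (port-based access control) and return the new port state.

    Events (names are this example's own):
      fail_unreachable    authentication fails, all RADIUS servers unreachable
      fail_other          authentication fails for any other reason
      pass                authentication succeeds; authz_vsi is the authorization VSI
      logoff              the authenticated user logs off
      reauth_unreachable  an online user fails reauthentication, servers unreachable
    """
    in_critical = st.vsi == cfg.critical
    in_auth_fail = cfg.auth_fail is not None and st.vsi == cfg.auth_fail
    if event == "fail_unreachable":
        if in_auth_fail:                     # row 5: port stays in the Auth-Fail VSI
            return st
        return PortState(vsi=cfg.critical)   # rows 1-2: port goes to / stays in critical VSI
    if event == "fail_other" and in_critical:  # row 3
        if cfg.auth_fail is not None:
            return PortState(vsi=cfg.auth_fail)
        return replace(st, online=False)     # no Auth-Fail VSI: user is logged off, no VSI change given
    if event == "pass" and in_critical:      # row 4: port moves to the authorization VSI
        return PortState(vsi=authz_vsi, online=True)
    if event == "logoff" and st.online:      # row 4: leave authorization VSI, guest VSI if configured
        return PortState(vsi=cfg.guest, online=False)
    if event == "reauth_unreachable" and st.online:  # row 6: user logged out, port to critical VSI
        return PortState(vsi=cfg.critical, online=False)
    raise ValueError(f"transition not described in the table: {event} from {st}")
```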
For MAC-based access control
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs MAC-based access control:
| Authentication status | VSI manipulation |
|---|---|
| A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable. | The VTEP maps the user's MAC address and access VLAN to the 802.1X critical VSI on the port. The user can access only resources in the VXLAN associated with the critical VSI. |
| A user in the 802.1X critical VSI fails authentication because all the RADIUS servers are unreachable. | The user is still in the critical VSI. |
| A user in the 802.1X critical VSI fails 802.1X authentication for any reason other than unreachable servers. | If an 802.1X Auth-Fail VSI has been configured on the port, the VTEP remaps the user's MAC address and access VLAN to the Auth-Fail VSI. If no 802.1X Auth-Fail VSI has been configured on the port, the VTEP logs off the user. |
| A user in the 802.1X critical VSI passes 802.1X authentication. | The VTEP remaps the user's MAC address and access VLAN to the authorization VSI. |
| A user in the 802.1X Auth-Fail VSI fails authentication because all the RADIUS servers are unreachable. | The user remains in the 802.1X Auth-Fail VSI. |