In version 33.2.1, the fallback VLAN functionality provided by Netlogin with Policy disabled can also be achieved with Policy enabled by using Policy admin rules. A policy profile is assigned to a port (or port/MAC address combination). The profile has a default PVID specified and pvid-status enabled. Authentication mode "optional" must be enabled for both Netlogin MAC and dot1x enabled ports in order to handle a first authentication failure due to service unavailability. If authentication fails or the RADIUS server is unavailable, the user will be placed in the VLAN specified as the profile's default PVID (the show netlogin session command will display the entries as "Auth Failed").
Windows dot1x clients must be set with "Fallback to unauthorized network access". In this case, because the authentication has failed, the session is marked as such but the traffic is handled by the admin profile as long as the authentication mode is set as "optional".
An enhancement is added in version 33.2.1 that applies to existing Netlogin sessions that fail to re-authenticate because the RADIUS service is unavailable. This enhancement works with both authentication modes: "optional" and "required." However, "optional" is required for the admin-profile to allow traffic to flow. The user can specify an option to retain the Netlogin session, including the original VLAN assignment, in this case.
This feature only works on re-authentication, because the unavailability or failure of the first authentication is handled by the existing administration rule Policy feature.
You can activate this enhancement by enabling the following command options:
configure netlogin mac authentication database-order radius (only required for MAC-auth and not dot1x)
configure netlogin keep-session-reauth-svc-unavail on
configure radius netlogin keep-alive interval 78
configure radius netlogin keep-alive on
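As an added example (not from the Extreme Networks documentation), the following Python script audits a configuration excerpt for the prerequisites listed above: the keep-session option, the RADIUS keep-alive pair, the MAC-auth database order (only when MAC authentication is in use), and "optional" authentication mode on the Netlogin ports. The sample configuration is constructed, and the port-level "configure netlogin ports ... authentication mode optional" syntax is assumed; the remaining commands are those listed on this page.

```python
import re

# Constructed sample of an EXOS-style configuration excerpt (not captured from a switch).
# The last line uses an assumed port-level "authentication mode optional" syntax.
SAMPLE_CONFIG = """\
configure netlogin mac authentication database-order radius
configure netlogin keep-session-reauth-svc-unavail on
configure radius netlogin keep-alive interval 78
configure radius netlogin keep-alive on
configure netlogin ports 1:1-1:24 authentication mode optional
"""

# Prerequisites that apply to both MAC-auth and dot1x deployments,
# keyed by a short name used in the audit findings.
REQUIREMENTS = {
    "keep-session-reauth-svc-unavail on":
        r"^configure netlogin keep-session-reauth-svc-unavail on$",
    "radius netlogin keep-alive on":
        r"^configure radius netlogin keep-alive on$",
    "radius netlogin keep-alive interval":
        r"^configure radius netlogin keep-alive interval \d+$",
    "authentication mode optional on netlogin ports":
        r"^configure netlogin ports \S+ authentication mode optional$",
}
# Required only when MAC authentication is enabled (not needed for dot1x-only ports).
MAC_AUTH_DB_ORDER = r"^configure netlogin mac authentication database-order radius$"


def audit(config_text, mac_auth_enabled=True):
    """Return the list of prerequisites missing from config_text.

    Set mac_auth_enabled=False for dot1x-only deployments, where the
    database-order requirement does not apply.
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    missing = [name for name, pattern in REQUIREMENTS.items()
               if not any(re.match(pattern, ln) for ln in lines)]
    if mac_auth_enabled and not any(re.match(MAC_AUTH_DB_ORDER, ln) for ln in lines):
        missing.append("mac authentication database-order radius")
    return missing


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    print("OK: all prerequisites present" if not findings
          else "Missing: " + ", ".join(findings))
```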
The following are limitations for this enhancement:
All platforms.