Fail Open VLAN provides network connectivity when the switch cannot connect to a RADIUS server. If an authentication failure occurs that is based on a RADIUS timeout, the port immediately transitions to the Fail Open VLAN.
Note
Prior to releases that support Continuity Mode, transition to the Fail Open VLAN is based on interval-based RADIUS server reachability checks. If the RADIUS server is reachable, the switch continues to check the reachability at a default interval of three minutes. This interval-based check can lead to a transition delay of up to three minutes, from the moment when the RADIUS Server becomes unreachable until the port moves to the Fail Open VLAN.
If the switch cannot connect to the primary and secondary RADIUS servers, then after a specified number of attempts to restore connectivity, the switch declares the RADIUS servers unreachable.
Fail Open VLAN provides the below functionality:
When the EAP RADIUS servers are not reachable, Fail Open VLAN provides restricted access to devices, which is separate from the Guest VLAN.
The EAP and NEAP clients are not affected when the RADIUS servers are not reachable.
To use Fail Open VLAN:
Fail Open VLAN is a per-port configuration.
Enable Fail Open VLAN by configuring a valid Fail Open VLAN ID and configure the selected VLAN ID on the switch.
Use only port-based VLANs as Fail Open VLANs.
When you configure Fail Open VLAN on a port and the RADIUS servers are not reachable, then the Fail Open VLAN provides the following functionality:
The port is removed from Guest VLAN, if configured, but all other VLAN membership is kept and the port is added to the Fail Open VLAN.
The default VLAN ID is changed to the Fail Open VLAN ID.
Traffic from the authenticated EAP and NEAP clients are forwarded as before.
If re-authentication is enabled in Fail Open VLAN mode, then EAP and NEAP clients stop performing re-authentication.
All new MACs seen on the port are considered as potential EAP and NEAP clients and are granted Fail Open VLAN access.
When at least one RADIUS server recovers, all EAP-enabled ports are removed from the Fail Open VLAN. All unauthenticated MACs are flushed to give the MACs an opportunity to authenticate.
When an EAP port is configured with both Fail Open VLAN and Guest VLAN, consider the following scenarios:
If the EAP RADIUS servers are reachable, then all the authenticated clients have Guest VLAN ID access.
If the EAP RADIUS servers are not reachable, then Guest VLAN must be removed from the port completely. The Fail Open VLAN is the new default VLAN. All unauthenticated MACs have Fail Open VLAN access.
EAP port operating in MHSA mode:
Fail Open VLAN has no impact on the Guest VLAN functionality in MHSA mode.