Fail Open VLAN with Continuity Mode

Fail Open VLAN provides network connectivity when the switch cannot connect to a RADIUS server. If an authentication failure occurs that is based on a RADIUS timeout, the port immediately transitions to the Fail Open VLAN.

Note

Note

Prior to releases that support Continuity Mode, transition to the Fail Open VLAN is based on interval-based RADIUS server reachability checks. If the RADIUS server is reachable, the switch continues to check the reachability at a default interval of three minutes. This interval-based check can lead to a transition delay of up to three minutes, from the moment when the RADIUS Server becomes unreachable until the port moves to the Fail Open VLAN.

If the switch cannot connect to the primary and secondary RADIUS servers, then after a specified number of attempts to restore connectivity, the switch declares the RADIUS servers unreachable.

Fail Open VLAN provides the following functionality:

To use Fail Open VLAN:

When you configure Fail Open VLAN on a port and the RADIUS servers are not reachable, then the Fail Open VLAN provides the following functionality:

When at least one RADIUS server recovers, all EAP-enabled ports are removed from the Fail Open VLAN. All unauthenticated MACs are flushed to give the MACs an opportunity to authenticate.

Fail Open VLAN with Guest VLAN scenarios

When an EAP port is configured with both Fail Open VLAN and Guest VLAN, consider the following scenarios:

  1. EAP port operating in MHMV mode:
    • If the EAP RADIUS servers are reachable, then all the authenticated clients have Guest VLAN ID access.

    • If the EAP RADIUS servers are not reachable, then Guest VLAN must be removed from the port completely. The Fail Open VLAN is the new default VLAN. All unauthenticated MACs have Fail Open VLAN access.

  2. EAP port operating in MHSA mode:

    • Fail Open VLAN has no impact on the Guest VLAN functionality in MHSA mode.