When the EAP RADIUS servers are not reachable, Fail Open VLAN provides restricted access to devices, which is separate from the Guest VLAN.
The EAP and NEAP clients are not affected when the RADIUS servers are not reachable.
The port is removed from Guest VLAN if configured, but all other VLAN membership is kept and in addition the port is added to the Fail Open VLAN.
Default VLAN ID is changed to Fail Open VLAN ID.
Traffic from the authenticated EAP and NEAP clients are forwarded as before.
If re-authentication is enabled in Fail Open VLAN mode, then EAP and NEAP clients stop performing re-authentication.
All new MACs seen on the port are considered as potential EAP and NEAP clients and is granted Fail Open VLAN access.
If the EAP RADIUS servers are reachable, then all the authenticated clients have Guest VLAN ID access.
If the EAP RADIUS servers are not reachable, then Guest VLAN must be removed from the port completely. Fail Open VLAN is the new default VLAN. All unauthenticated MACs have Fail Open VLAN access.
EAP port operating in MHSA mode:
Fail Open VLAN has no impact on the Guest VLAN functionality in MHSA mode.