configure netlogin authentication service-unavailable vlan
Description
Configures authentication service-unavailable VLAN on NetLogin-enabled ports.
Syntax Description
vlan_name | Specifies the name of the service-unavailable VLAN. |
port_list | Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports. |
add | Add service-unavailable VLAN to ports (default). |
tagged | Configure port as tagged to the service-unavailable VLAN. |
untagged | Configure port as untagged to the service-unavailable VLAN (default). |
delete | Delete existing service-unavailable VLAN from ports. |
Default
If no port is specified, the command applies to all NetLogin-enabled ports.
If neither add nor delete is specified, the command adds the service-unavailable VLAN to the ports.
If neither tagged nor untagged is specified, the ports are configured as untagged in the service-unavailable VLAN.
Usage Guidelines
This command configures one or more authentication service-unavailable VLANs on the specified NetLogin-enabled ports. If no port is specified, the authentication service-unavailable VLAN is configured on all NetLogin-enabled ports. When no authentication service is available to authenticate NetLogin clients, the clients are moved to the authentication service-unavailable VLAN(s) and are given limited access until the authentication service is available through RADIUS.
Starting with ExtremeXOS 30.2, you can specify up to 10 service-unavailable VLANs per port.
As of ExtremeXOS 16.1, the functionality of this command is more consistent with management authentications. If RADIUS responds with a reject, then that reject is honored.
The NetLogin authentication database order can be one of the following:
- RADIUS
- Local
- RADIUS, local
- Local, RADIUS
The service-unavailable VLAN is used only when the authentication order is "RADIUS". The authentication failure VLAN is used for all other modes (local; RADIUS, local; local, RADIUS).
For example, when the NetLogin MAC authentication database order is local, RADIUS, and authentication of a MAC client fails through the local database, RADIUS is used for authentication. If RADIUS authentication also fails, the client is moved to the authentication failure VLAN.
- RADIUS server is not running.
- RADIUS server is not configured on the switch.
- RADIUS server is configured but not enabled on the switch.
Note
If web is enabled on a port where Dot1x or MAC is also enabled, the authentication failure/service-unavailable VLAN configuration does not apply to Dot1x or MAC clients that fail authentication or for which the authentication service is not available.
Example
The following example adds the service-unavailable VLAN "v1" to ports 1 and 2 as tagged:
# configure netlogin authentication service-unavailable add vlan v1 ports 1,2 tagged
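The following Python example is added here and is not part of the ExtremeXOS documentation or software. It replays service-unavailable VLAN commands in order, applying the defaults described above (add, untagged, all NetLogin-enabled ports), and reports ports left with no service-unavailable VLAN or with more than 10. Assumptions: the caller supplies the list of NetLogin-enabled ports, keyword order follows the example command, only simple numeric ranges such as 1-3 are expanded, and all function names are hypothetical.

```python
import re

MAX_VLANS_PER_PORT = 10  # per-port limit the page gives for ExtremeXOS 30.2 and later
# Assumption: keyword order follows the example command shown on the page.
CMD = re.compile(
    r"^\s*#?\s*configure\s+netlogin\s+authentication\s+service-unavailable"
    r"(?:\s+(?P<action>add|delete))?\s+vlan\s+(?P<vlan>\S+)"
    r"(?:\s+ports\s+(?P<ports>\S+))?(?:\s+(?P<tag>tagged|untagged))?\s*$"
)

def expand_ports(port_list):
    """Expand '1,2' or '1-3' to port names; other tokens pass through as-is."""
    ports = []
    for item in port_list.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", item)
        if m:
            ports += [str(n) for n in range(int(m.group(1)), int(m.group(2)) + 1)]
        else:
            ports.append(item)
    return ports

def effective_config(lines, netlogin_ports):
    """Replay commands in order; return ({port: {vlan: tagging}}, findings)."""
    state = {p: {} for p in netlogin_ports}
    findings = []
    for m in filter(None, map(CMD.match, lines)):  # skip unrelated lines
        action = m.group("action") or "add"   # default action: add
        tag = m.group("tag") or "untagged"    # default tagging: untagged
        # No ports keyword: the command applies to all NetLogin-enabled ports.
        ports = expand_ports(m.group("ports")) if m.group("ports") else netlogin_ports
        for port in ports:
            if port not in state:
                findings.append(f"port {port}: not NetLogin-enabled")
            elif action == "delete":
                state[port].pop(m.group("vlan"), None)
            else:
                state[port][m.group("vlan")] = tag
    for port, vlans in state.items():
        if not vlans or len(vlans) > MAX_VLANS_PER_PORT:
            findings.append(f"port {port}: {len(vlans)} service-unavailable VLANs")
    return state, findings

# Constructed sample; the first line is the example command from the page.
SAMPLE = [
    "# configure netlogin authentication service-unavailable add vlan v1 ports 1,2 tagged",
    "configure netlogin authentication service-unavailable vlan quarantine",
    "configure netlogin authentication service-unavailable delete vlan v1 ports 2",
]
```

Calling `effective_config(SAMPLE, ["1", "2", "3"])` returns the per-port VLAN map and an empty findings list, because every port ends up with at least one service-unavailable VLAN.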
History
This command was first available in ExtremeXOS 12.1.
The ability to configure multiple service-unavailable VLANs was added in ExtremeXOS 30.2.
Platform Availability
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.