Configures authentication service-unavailable VLAN on NetLogin-enabled ports.
|vlan_name||Specifies the name of the service-unavailable VLAN.|
|port_list||Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports.|
|add||Add service-unavailable VLAN to ports (default).|
|tagged||Configure port as tagged to the service-unavailable VLAN.|
|untagged||Configure port as untagged to the service-unavailable VLAN (default).|
|delete||Delete existing service-unavailable VLAN from ports.|
If a port is not specified, all NetLogin-enabled ports are applied.
If not specified, the command adds service-unavailable VLAN to ports by default.
If not specified, the ports are configured as untagged to the service-unavailable VLAN by default.
This command configures authentication service-unavailable VLAN(s) on the specified NetLogin-enabled ports. Authentication service-unavailable VLAN is configured on all the NetLogin-enabled ports, if no port is specifically selected. When an authentication service is not available to authenticate the NetLogin clients, they are moved to the authentication service-unavailable VLAN(s) and are given limited access until the authentication service is available through RADIUS.
Starting with ExtremeXOS 30.2, you can specify up to 10 service-unavailable VLANs per port.
As of ExtremeXOS 16.1, the functionality of this command is more consistent with management authentications. If RADIUS responds with a reject, then that reject is honored.
The service unavailable VLAN is used only when authentication order is "RADIUS". The authentication failure VLAN is used for all other modes (local; RADIUS, local; local, RADIUS).
For example, when the Netlogin MAC authentication database order is local, RADIUS, if the authentication of a MAC client fails through a local database, RADIUS is used for authentication. If RADIUS also fails authentication, the client is moved to the authentication failure VLAN.
If web is enabled on a port where Dot1x or MAC is also enabled, the authentication failure/service-unavailable VLAN configuration is not applicable to those clients where Dot1x or MAC clients that fail authentication or where authentication service is not available.
The following example adds the service-unavailable VLAN "v1" on tagged ports 1 and 2:
# configure netlogin authentication service-unavailable add vlan v1 ports 1,2 tagged
This command was first available in ExtremeXOS 12.1.
The ability to configure multiple service-unavailable VLANs was added in ExtremeXOS 30.2.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.