Configures authentication failure VLAN on network login enabled ports.
|vlan_name||Specifies the name of the authentication failure VLAN.|
|port_list||Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports.|
By default, authentication failure VLAN is configured on all network login enabled ports if no port is specifically configured.
Use this command to configure authentication failure VLAN on network login enabled ports. When a supplicant fails authentication, it is moved to the authentication failure VLAN and is given limited access until it passes the authentication either through RADIUS or local. Depending on the authentication database order for that particular network login method (MAC, web or dot1x), the other database is used to authenticate the client. If the final result is an authentication failure and if the authentication failure VLAN is configured and enabled on that port, the client is moved to that location.
In each case, you must consider the end result in deciding whether to authenticate the client in authentication failure VLAN or authentication service unavailable VLAN (if configured).
For example, when netlogin mac authentication database order is local, radius, if the authentication of a MAC client fails through a local database, RADIUS is used for authentication. If RADIUS also fails authentication, the client is moved to authentication failure VLAN. The same is true for all authentication database orders (radius,local; local,radius; radius; local).
If authentication through local fails, but passes through RADIUS, the client is moved to the appropriate destination VLAN.
If the local authentication fails and the RADIUS server is not available, the client is not moved to authentication failure VLAN.
This command was first available in ExtremeXOS 12.1.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.