Critical authentication

Critical authentication provides an alternative VLAN assignment for a client when the remote authentication server is not reachable. When remote authentication is not available, the client is placed in the Critical VLAN instead of being blocked from access. A Critical VLAN can be configured per-port for both voice and data traffic and can be applied to MAC-based or 802.1X authentication. Alternatively, a critical user-role is configured, which accepts the client when authentication fails because the authentication server is unreachable.

Critical voice (tagged) VLAN

When the remote authentication server is not reachable, clients sending tagged traffic will be placed in a Critical (tagged) VLAN.

When a client (such as an IP phone) sends a MED device advertisement using CDP, the switch sends the VLAN information in the "TIA TR-41 Committee - Network Policy" TLV of the LLDP packet with the auto-VLAN-negotiation capability. The MED device uses the advertised VLAN to tag its traffic. A Critical VLAN can be tagged, untagged, or a combination of both. To enable this VLAN advertisement in LLDP, the Critical VLAN must be a voice VLAN. A Critical (tagged) VLAN is called a Critical voice VLAN.

There are two ways to configure a Critical voice VLAN:

  • Directly assign the VLAN.

  • Assign a user-role containing the tagged VLAN as a critical-role.

Critical data (untagged) VLAN

For clients sending untagged traffic, if the RADIUS server is unreachable, the client is placed in a Critical VLAN.

There are two ways to configure a Critical Data VLAN:

  1. Directly assign the VLAN using the command aaa port-access <port> critical-auth data-vlan <VLAN-ID>.

  2. Assign a user-role containing the untagged VLAN as the critical-role using the command aaa port-access <port> critical-auth user-role <ROLE-NAME>.

Restrictions

  • Aruba switches support only one Critical VLAN per port.

  • Either a Critical VLAN or a Critical user-role can be configured for a port; the two cannot coexist on the same port.

  • This feature is configurable per-port and applies only to RADIUS-based authentication mechanisms.

  • Web-based authentication is applicable to web-aware clients. However, if the port connected to the client (either the phone or a PC behind the phone) has web-based authentication enabled, the switch will initiate web-based authentication for all devices on that port.
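The placement rules above (critical data VLAN for untagged traffic, critical voice VLAN for tagged traffic, or a critical user-role, but never VLAN and role together on one port) as a small decision model. This is an added illustration, not switch code: the CriticalAuthConfig and place_client names are constructed here, and "RADIUS-assigned" stands in for whatever the server would return on a successful authentication.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CriticalAuthConfig:
    """Per-port critical-auth settings (constructed model of the page's options)."""
    data_vlan: Optional[int] = None    # critical-auth data-vlan <VLAN-ID> (untagged traffic)
    voice_vlan: Optional[int] = None   # Critical voice VLAN (tagged traffic)
    user_role: Optional[str] = None    # critical-auth user-role <ROLE-NAME>

    def __post_init__(self) -> None:
        # Restriction from the page: a Critical VLAN and a Critical user-role
        # cannot coexist on the same port.
        if self.user_role and (self.data_vlan is not None or self.voice_vlan is not None):
            raise ValueError("Critical VLAN and Critical user-role cannot coexist on a port")


def place_client(cfg: CriticalAuthConfig, server_reachable: bool,
                 auth_accepted: bool, tagged: bool) -> Tuple[str, object]:
    """Decide where a client lands.

    Returns (state, detail) where state is "authorized", "critical" or "blocked".
    Critical authentication only applies when the RADIUS server is unreachable;
    an explicit reject from a reachable server still blocks the client.
    """
    if server_reachable:
        return ("authorized", "RADIUS-assigned") if auth_accepted else ("blocked", None)
    # Server unreachable: fall back to the port's critical-auth configuration.
    if cfg.user_role:
        return ("critical", cfg.user_role)
    vlan = cfg.voice_vlan if tagged else cfg.data_vlan
    return ("critical", vlan) if vlan is not None else ("blocked", None)


if __name__ == "__main__":
    port = CriticalAuthConfig(data_vlan=100, voice_vlan=200)  # constructed VLAN IDs
    print(place_client(port, server_reachable=False, auth_accepted=False, tagged=False))
    print(place_client(port, server_reachable=False, auth_accepted=False, tagged=True))
    print(place_client(port, server_reachable=True, auth_accepted=False, tagged=False))
```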