Examples of Behaviors

Unreachable RADIUS server

A device, such as an IP phone or PC, attempts to authenticate against a RADIUS server and is unable to authenticate because the server is unreachable. The device is then placed in a Critical VLAN or assigned a critical user-role.

Stack(config)# show port-ac clients

 Port Access Client Status

 Port  Client Name  MAC Address   IPAddress  User Role Type      VLAN
 ----- ------------ ------------- ---------- --------- ---------
 1/1   b4b0178db6a2 b4b017-8db6a2 n/a        critical  MAC
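
An added example (not part of the original documentation) for auditing this state: it parses text in the layout of the client table above and lists the clients that hold the critical role, that is, clients on the network without a RADIUS decision. The sample text is constructed, its second row and the ruler segment under VLAN are assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `show port-access clients`. The second
# row and the ruler segment under VLAN are assumptions made for illustration.
SAMPLE = """\
 Port Access Client Status

 Port  Client Name  MAC Address   IPAddress  User Role Type      VLAN
 ----- ------------ ------------- ---------- --------- --------- ----
 1/1   b4b0178db6a2 b4b017-8db6a2 n/a        critical  MAC
 1/2   0050569a1b2c 005056-9a1b2c 10.0.20.15 employee  MAC       20
"""


def parse_clients(text):
    """Parse the fixed-width client table into dicts keyed by column header."""
    lines = text.splitlines()
    # The ruler is the line made only of dashes and spaces; the header sits above it.
    idx = next((i for i, l in enumerate(lines)
                if l.strip() and set(l.strip()) <= {"-", " "}), None)
    if not idx:
        raise ValueError("no column ruler found")
    starts = [m.start() for m in re.finditer(r"-+", lines[idx])]
    # Each column runs to the start of the next one; the last runs to end of line,
    # so a short row (blank IP address or VLAN) still slices cleanly.
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[idx - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip():
            break  # a blank line ends the table
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def critical_clients(rows, role="critical"):
    """Clients holding the critical role: on the network without a RADIUS decision."""
    return [r for r in rows if r.get("User Role", "").lower() == role]


if __name__ == "__main__":
    for c in critical_clients(parse_clients(SAMPLE)):
        print(f"port {c['Port']} mac {c['MAC Address']} type {c['Type']}: critical role")
```

Columns are sliced by the ruler positions rather than split on whitespace, so an empty VLAN or IP address field does not shift the remaining values.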

Tagged critical role

When a critical role has a tagged VID and that VLAN is configured as voice, the port connected to the MED device (IP phone) becomes a tagged member of the voice VLAN. The switch supports only one tagged VLAN as critical. For clients with auto-VLAN-negotiation capabilities (MED devices), the switch sends the VLAN information in the "TIA TR-41 Committee – Network Policy" field of the LLDP packet. If the MED device advertises using CDP, the switch sends the VLAN information in the "VOIP VLAN Reply" field of CDP. The MED devices use that VLAN to tag their traffic. To enable this VLAN advertisement in LLDP, the Critical VLAN must be configured as a 'voice' VLAN.

For clients that send tagged traffic, the switch can place them in the Critical Tagged-VLAN:
  1. Create a tagged VLAN.

  2. Make the tagged VLAN a voice VLAN.

  3. Create a user-role.

  4. Make the tagged VLAN a member of the user-role.

  5. Make the user-role a critical user-role with the command: aaa authorization user-role name <CRITICAL-VOICE> vlan-id-tagged <ID>

  Stack(config)# show vlan 10
  VLAN ID : 10
  Name : VLAN10                          
  Status : Port-based
  Voice : Yes
  Jumbo : No 
  Private VLAN : none     
  Associated Primary VID : none      
  Associated Secondary VIDs : none                                

  Port Information Mode     Unknown VLAN Status    
  ---------------- -------- ------------ ----------
  1/1              MACAUTH  Learn        Up        
 
  Overridden Port VLAN configuration

  ------ ------------
  1/1    MACAUTH