Examples of Behaviors
Unreachable RADIUS server
A device, such as an IP phone or PC, tries to authenticate against a RADIUS server, but authentication cannot complete because the server is unreachable. The device is then placed in a Critical VLAN or given a critical user-role.
Stack(config)# show port-ac clients

 Port Access Client Status

  Port  Client Name  MAC Address   IPAddress  User Role Type      VLAN
  ----- ------------ ------------- ---------- --------- ---------
  1/1   b4b0178db6a2 b4b017-8db6a2 n/a        critical  MAC
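Clients in the critical role are on the network without a RADIUS decision, so it is worth counting them whenever the server has been unreachable. The following is an added example, not part of the original documentation: it parses a client table like the one above and reports which ports hold critical-role clients. The sample text is constructed (the 1/2 row, the seven-column ruler and the "IP Address" header spelling are assumptions), and the function and parameter names are hypothetical.

```python
import re

# Constructed sample modelled on the output above; the 1/2 row is invented.
SAMPLE = """\
 Port Access Client Status

  Port  Client Name  MAC Address   IP Address User Role Type  VLAN
  ----- ------------ ------------- ---------- --------- ----- ----
  1/1   b4b0178db6a2 b4b017-8db6a2 n/a        critical  MAC
  1/2   alice        0050b6-11aa22 10.0.20.15 employee  8021X 20
"""

def parse_clients(text):
    """Parse the fixed-width client table into a list of dicts.

    Column boundaries are taken from the dashed ruler line, so headers
    containing spaces ("User Role") and empty cells (VLAN) parse correctly.
    """
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines)
                  if re.fullmatch(r"\s*-+(\s+-+)+\s*", l)), None)
    if not ruler:  # no ruler, or no header line above it
        return []
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    # Each column runs from its ruler start to the next column's start.
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[ruler - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            break  # blank line ends the table
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows

def critical_report(text, critical_role="critical"):
    """Summarise clients admitted via the critical role (no RADIUS decision)."""
    rows = parse_clients(text)
    crit = [r for r in rows if r.get("User Role", "").lower() == critical_role]
    return {"total": len(rows), "critical": len(crit),
            "ports": sorted({r["Port"] for r in crit})}

if __name__ == "__main__":
    print(critical_report(SAMPLE))
```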
Tagged critical role
When a critical role has a tagged VID and that VLAN is configured as voice, the port connected to the MED device (IP phone) becomes a tagged member of the voice VLAN. The switch supports only one tagged VLAN as critical. For clients with auto-VLAN-negotiation capabilities (MED devices), the switch sends the VLAN information in the “TIA TR-41 Committee – Network Policy” of the LLDP packet. If the MED device advertises using CDP, the switch sends the VLAN information in the "VOIP VLAN Reply" field of CDP. The MED devices use that VLAN to tag their traffic. To enable this VLAN advertisement in LLDP, the Critical VLAN must be configured as a ‘voice’ VLAN.
For clients that send tagged traffic, the switch can put them in a Critical Tagged-VLAN:
Create a tagged VLAN.
Make the tagged VLAN voice.
Create a user-role.
Make the tagged VLAN a member of the user-role.
Make the user-role a critical user-role with the command:
aaa authorization user-role name <CRITICAL-VOICE> vlan-id-tagged <ID>
Stack(config)# show vlan 10

 VLAN ID : 10
 Name : VLAN10
 Status : Port-based
 Voice : Yes
 Jumbo : No
 Private VLAN : none
 Associated Primary VID : none
 Associated Secondary VIDs : none

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  1/1              MACAUTH  Learn        Up

 Overridden Port VLAN configuration

  ------ ------------
  1/1    MACAUTH