LAN Enforcer and Cisco switch - how to redirect to a particular VLAN if the Enforcer is unavailable

Article:TECH166196  |  Created: 2011-08-02  |  Updated: 2012-04-02  |  Article URL http://www.symantec.com/docs/TECH166196
Article Type
Technical Solution


Issue

In a Symantec Network Access Control (SNAC) LAN Enforcer configuration using Cisco switches, how can I redirect machines to a particular VLAN if the LAN Enforcer becomes unavailable?

Solution

The dot1x critical and dot1x critical vlan options on the Cisco switch are the correct way to configure this functionality.

For further information, please refer to the Configuring 802.1X with Inaccessible Authentication Bypass section in the Cisco documentation for your switch model.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dot1x.html#wp1203805

With the dot1x critical option enabled, the switch assigns the dot1x-enabled port to a particular VLAN when the RADIUS server configured on the switch (the Symantec LAN Enforcer) becomes unavailable. Note that this applies only when the switch has marked its RADIUS server as unreachable (no response); a host that is actively rejected by the LAN Enforcer is not placed in the critical VLAN.

An example configuration for one port on the switch could be:

interface FastEthernet1/0/18
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 ! enable Inaccessible Authentication Bypass (critical authentication) on this port
 dot1x critical
 ! VLAN the port is placed in while the RADIUS server (LAN Enforcer) is unreachable
 dot1x critical vlan 3
 ! re-initialize the port once the RADIUS server is reachable again
 dot1x critical recovery action reinitialize

A common mistake is to configure only the dot1x critical vlan x option, which sets the VLAN, and omit the dot1x critical option, which actually enables the feature.
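The following is an added example (not part of the original article) that audits a saved Cisco IOS running-config for exactly that mistake: 802.1X ports that set a critical VLAN without enabling dot1x critical, and ports with no critical handling at all. It assumes the config text was captured from "show running-config"; the sample config embedded below is constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real switch):
# 1/0/18 is correct, 1/0/19 has the common mistake, 1/0/20 has no critical handling.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/18
 dot1x port-control auto
 dot1x critical
 dot1x critical vlan 3
!
interface FastEthernet1/0/19
 dot1x port-control auto
 dot1x critical vlan 3
!
interface FastEthernet1/0/20
 dot1x port-control auto
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None          # '!' terminates the block in IOS output
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def audit_dot1x_critical(config):
    """Return {interface: finding} for 802.1X ports whose critical-VLAN setup is incomplete."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "dot1x port-control auto" not in lines:
            continue                # not an 802.1X-controlled port
        # Exact match matters: 'dot1x critical vlan 3' also starts with
        # 'dot1x critical', so a prefix test would hide the very mistake we hunt.
        enabled = "dot1x critical" in lines
        has_vlan = any(re.fullmatch(r"dot1x critical vlan \d+", ln) for ln in lines)
        if has_vlan and not enabled:
            findings[name] = "critical vlan set but 'dot1x critical' missing"
        elif not enabled:
            findings[name] = "no critical authentication configured"
    return findings

if __name__ == "__main__":
    for port, finding in audit_dot1x_critical(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```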
