LAN Enforcer and Cisco switch - how to redirect to a particular vlan in case the Enforcer is unavailable

Article: TECH166196  |  Created: 2011-08-02  |  Updated: 2012-04-02
Article Type: Technical Solution


In a Symantec Network Access Control (SNAC) LAN Enforcer configuration using Cisco switches, how can I redirect machines to a particular vlan in case the LAN Enforcer becomes unavailable?



The dot1x critical and dot1x critical vlan options on the Cisco switch are the correct way to configure this functionality.

For further information, please refer to the Configuring 802.1X with Inaccessible Authentication Bypass section in the Cisco documentation for your switch model.


With the dot1x critical option enabled, the switch will assign the dot1x-enabled port to a particular vlan when the RADIUS server configured on the switch (the Symantec LAN Enforcer) becomes unavailable.

An example configuration for one port on the switch could be:

interface FastEthernet1/0/18
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x critical
 dot1x critical vlan 3
 dot1x critical recovery action reinitialize


A common mistake is to configure the dot1x critical vlan x option, which sets the vlan, but omit the dot1x critical option, which enables the feature.
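
One way to check a saved switch configuration for this mistake, as an added example that is not part of the original article or any Symantec or Cisco tool. It assumes the text comes from a running-config listing in which interface sub-commands are indented; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the article): port 18 follows the article's
# example; port 19 sets the vlan but never enables the feature.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/18
 dot1x pae authenticator
 dot1x port-control auto
 dot1x critical
 dot1x critical vlan 3
!
interface FastEthernet1/0/19
 dot1x pae authenticator
 dot1x port-control auto
 dot1x critical vlan 3
"""

def parse_interfaces(config):
    """Map each interface name to its list of indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif not raw.startswith((" ", "\t")):
            current = None  # "!" or another top-level line ends the block
        elif current is not None:
            current.append(raw.strip())
    return interfaces

def audit_critical_vlan(config):
    """Report the critical-auth state of every dot1x authenticator port."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "dot1x pae authenticator" not in cmds:
            continue  # not an 802.1X port, nothing to check
        enabled = "dot1x critical" in cmds
        vlans = [m.group(1) for c in cmds
                 if (m := re.fullmatch(r"dot1x critical vlan (\d+)", c))]
        if vlans and not enabled:
            findings[name] = f"MISCONFIGURED: vlan {vlans[0]} set, 'dot1x critical' missing"
        elif enabled:
            findings[name] = f"ok: critical vlan {vlans[0] if vlans else 'not set'}"
        else:
            findings[name] = "no critical fallback configured"
    return findings

if __name__ == "__main__":
    for port, status in audit_critical_vlan(SAMPLE_CONFIG).items():
        print(port, "->", status)
```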

