Security

For wired vlan ,

we have the cppm deployed geographically all over the world - 1 publisher and 5 subscribe.remote locations will be using the nearest subsrciber when we roll out  nac . in case of wan link issues or delays , is it ok to deploy critical vlan on cisco switches and hpe switches , is critical vlan supported on hpe switches ? do you have any sample config 

Yes, there is critical on HPE (Aruba) switches

For Aruba you can use:

aaa port-access <port> critical-auth data-vlan <ID>

For HPE Comware you can use this per port:

mac-authentication critical vlan <ID>

dot1x critical vlan <ID>

Can we use the data vlan as the critical vlan ?

We dont want to deploy or create another separate critical vlan

---

@cppmadmin wrote:

Can we use the data vlan as the critical vlan ?

 

We dont want to deploy or create another separate critical vlan

---

Yes, it is name of function ;)

Ok Thanks for your feedback.

I have one more point .

Suppose our data vlan configured is vlan 10 on the access port .

What if we don’t define the critical vlan command  Dot1x critical vlan 10 And same time RADIUS Servers become unreachable .

Does it put the port into data vlan ( as it is configured statically on the port) ?? or will it put the port into the default vlan configured on the switch ( which in most cases is vlan 1 ) ?

The Point is what is the default behaviour of access port configured with data vlan without critical vlan configuration in case Radius becomes unreachable?

The use of critical vlan is to prevent a radius reject when the radius server becomes unavailble.

When the client is rejected, it is denied access, so won't fallback to any other configured vlan.

The default (untagged) vlan of the port is only applied when the radius server sends a radius-accept without any vlan attribute.