Aruba Switch - 8021x - Fallback VLAN

  • 1.  Aruba Switch - 8021x - Fallback VLAN

    Posted Nov 02, 2018 01:22 PM

    Environment: Aruba 2920 switches configured for 802.1x/MAB running 16.07. Not using User-Roles as there are restrictions preventing this.

     

    When the RADIUS server fails to respond, I would like it to fall back to the VLANs already configured on the port. It does not appear there is an option to do so.

     

    I can configure the UNAUTH VID; however, this is a Static VLAN.

     

    The customer uses Static IP on all devices and has hard-coded specific VLANs on all ports. I am certainly working to get them off Static and use DHCP Reservations if statics are indeed needed. Until then, I am having a hard time coming up with a fallback mechanism in case of RADIUS failure.

     

    I could certainly set the UNAUTH VID to match the untagged VLAN, but this would be extremely cumbersome and time-consuming to do on every port in the network.



  • 2.  RE: Aruba Switch - 8021x - Fallback VLAN
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2018 03:25 PM

    Hi, 

     

    I think the best option here might be to use cached reauthentication (pg 421 in the Access Security Guide - https://support.hpe.com/hpsc/doc/public/display?docId=a00055677en_us).  If the client is authenticated and the RADIUS server fails, it will stay authenticated until the cached reauth period expires or the RADIUS server comes back and the client reauthenticates after the reauth timer kicks off.

     

    Justin



  • 3.  RE: Aruba Switch - 8021x - Fallback VLAN

    Posted Nov 06, 2018 12:24 PM

    Not bad, that will get me halfway there. Thanks for the tip! New authentications during a down period will just stay down for now until we can get everything off Static IP.

     

    I appreciate the response.