You are using Symantec Network Access Control (SNAC) in a LAN Enforcer environment, in a basic mode configuration where user authentication is verified against a RADIUS server.
You are looking for a way to treat a RADIUS server non-response differently from a Reject response.
Symantec Network Access Control Enforcer 11.0 RU6 MP2 adds the no-radius-rsp command to the Enforcer configuration.
In the Enforcer command line interface (CLI), type the following:
- no-radius-rsp followed by one of the following options:
  - eap-failed (default) - sets the EAP result to FAILED when the RADIUS server does not reply.
  - eap-unavailable - sets the EAP result to UNAVAILABLE when the RADIUS server does not reply.
  - no-action - the Enforcer does not send a response back to the switch when the RADIUS server does not reply to the Enforcer.
After setting the configuration option to, for example, eap-unavailable, you can use the Enforcer Group switch configuration in the Symantec Endpoint Protection Manager (SEPM) console to configure an action to take when the RADIUS server becomes unavailable.
In the SEPM console:
- Go to the Admin tab and select Servers
- Select the LAN Enforcer Group and click Edit Group Properties
- Go to the Switch tab, select the switch configuration and click Edit
- On the Action tab, you can now use the User Authentication: Unavailable setting to assign clients to a particular VLAN in case the RADIUS server becomes uncontactable.