In a Symantec Network Access Control (SNAC) LAN Enforcer configuration using Cisco switches, how can I redirect machines to a particular vlan in case the LAN Enforcer becomes unavailable?
The dot1x critical and dot1x critical vlan options on the Cisco switch are the correct way to configure this functionality.
For further information, please refer to the Configuring 802.1X with Inaccessible Authentication Bypass section in the Cisco documentation for your switch model.
With the dot1x critical option enabled, the switch will assign the dot1x-enabled port to a particular VLAN when the RADIUS server configured on the switch (the Symantec LAN Enforcer) becomes unavailable.
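An example configuration for one port on the switch could be:
switchport mode access
dot1x pae authenticator
dot1x port-control auto
! Enable the critical (Inaccessible Authentication Bypass) feature on this port
dot1x critical
! VLAN assigned while the RADIUS server (LAN Enforcer) is unavailable
dot1x critical vlan 3
dot1x critical recovery action reinitialize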
A common mistake is to configure the dot1x critical vlan x option, which sets the vlan, but not include the dot1x critical option, which enables the feature.
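The mistake described above can be checked for across a whole switch configuration. The following script is an added example, not Symantec or Cisco code: it assumes a saved running-config in which interface sub-commands are indented by one space, treats ports with dot1x port-control auto as 802.1X ports, and uses hypothetical function names and a constructed sample configuration.

```python
import re
# Constructed running-config excerpt for illustration (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 dot1x critical
 dot1x port-control auto
 dot1x critical vlan 3
!
interface FastEthernet0/2
 dot1x port-control auto
 dot1x critical vlan 3
!
interface FastEthernet0/3
 dot1x port-control auto
"""

def split_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for a running-config."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit_critical_auth(config):
    """Map each 802.1X port to a finding about its dot1x critical settings."""
    findings = {}
    for name, cmds in split_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            continue  # not an 802.1X-controlled port, nothing to audit
        enabled = "dot1x critical" in cmds  # exact match: the enabling command
        vlan = next((c.split()[-1] for c in cmds
                     if re.fullmatch(r"dot1x critical vlan \d+", c)), None)
        if enabled and vlan:
            findings[name] = "ok: critical vlan " + vlan
        elif vlan:
            findings[name] = "vlan %s set but feature not enabled" % vlan
        elif enabled:
            findings[name] = "enabled, no critical vlan set"
        else:
            findings[name] = "no critical-auth configuration"
    return findings

if __name__ == "__main__":
    print(audit_critical_auth(SAMPLE_CONFIG))
```

Ports reported as "set but feature not enabled" are the ones that will not move to the critical VLAN when the LAN Enforcer becomes unavailable.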