No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


The Critical VLAN Configured on an S5700 Does Not Take Effect

Publication Date:  2019-04-08 Views:  23 Downloads:  0
Issue Description

A critical VLAN is configured on GE1/0/5 of an S5700. A test is performed by interrupting communication between the switch and RADIUS server. During the test, a PC in the critical VLAN cannot obtain the DHCP server address.

The configuration of GigabitEthernet1/0/5 is as follows:

interface GigabitEthernet1/0/5

port link-type hybrid

port hybrid pvid vlan 6

port hybrid untagged vlan 6

dot1x enable

authentication critical-vlan 6

The configuration of the RADIUS server template is as follows:

radius-server template default         

radius-server shared-key cipher *****

radius-server authentication 1812 weight 80

radius-server authentication 1812 weight 40

radius-server accounting 1813 weight 80

radius-server accounting 1813 weight 40


Handling Process

Check the 802.1X configuration. No exception is found.

According to the information collected using the tracert command, when the switch is waiting for a response packet from the RADIUS server, the terminal initiates 802.1X authentication again since it receives no EAP packet from the switch. As a result, the terminal cannot join the critical VLAN.

Note: The information collected using the tracert command contains customer information and therefore is not provided here.

Root Cause

After a terminal initiates 802.1X authentication by an 802.1X client, the terminal waits for an EAP response packet from the switch within a certain period.

If the RADIUS server is Down, the switch cannot receive response packets from the server. By default, the switch retransmits an authentication request to the server for a maximum of three times at an interval of 5 seconds. On the live network, the default settings are used and active and standby servers are deployed. Therefore, the entire period for the switch to wait for a response packet from the server is 30 seconds (3 x 5 x 2).


Change the retransmission count and timeout period in the RADIUS server template.

radius-server retransmit timeout