Statement introduced in Junos OS Release 9.3 for EX Series switches.
Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.
Configure authentication fallback options to specify how end devices connected to a switch are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant’s initial attempt at authentication through the RADIUS server.
When you configure the server fail fallback feature, you must specify an action that the switch applies to end devices when the authentication servers are unavailable. The switch can accept or deny access to supplicants, or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN. The VLAN must already be configured on the switch.
The server-fail statement is specifically for data traffic. For VoIP tagged traffic, use the server-fail-voip statement. The same interface can have a server-fail VLAN and a server-fail-voip VLAN configured.
If the server-fail statement is not configured and the RADIUS authentication server becomes unavailable, the end device is not authenticated and is denied access to the network.
deny—Force fail the supplicant authentication. No traffic will flow through the interface.
permit—Force succeed the supplicant authentication. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.
use-cache—Force succeed the supplicant authentication only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.
vlan-id—Move supplicant on the interface to the VLAN specified by this numeric identifier. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the switch.
vlan-name—Move supplicant on the interface to the VLAN specified by this name. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the switch.
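The following Python audit is an added example, not part of Juniper's documentation. It reads a configuration in `set` format and flags ports whose server-fail action is permit (fail-open), ports whose fallback VLAN is not defined on the switch, and ports with no server-fail statement. The `set protocols dot1x authenticator interface ...` and `set vlans ...` line forms, the `vlan-name <name-or-id>` argument form, and all interface and VLAN names are assumptions; this page does not show the hierarchy.

```python
import re

# Constructed sample in Junos "set" format; interface and VLAN names are made up.
SAMPLE_CONFIG = """\
set vlans quarantine vlan-id 999
set vlans voice vlan-id 200
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail permit
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail vlan-name quarantine
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail-voip vlan-name voice
set protocols dot1x authenticator interface ge-0/0/3.0 server-fail vlan-name guest
set protocols dot1x authenticator interface ge-0/0/4.0 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant multiple
"""

# Assumed line forms (not shown on this page).
DOT1X = re.compile(r"^set protocols dot1x authenticator interface (\S+)(?: (.*))?$")
VLAN = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")


def audit_server_fail(config_text):
    """Return sorted (interface, severity, message) findings for server-fail settings."""
    vlans, ports = set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := VLAN.match(line):
            vlans.update(m.groups())  # a fallback VLAN may be referenced by name or ID
        elif m := DOT1X.match(line):
            stmts = ports.setdefault(m.group(1), {})
            words = (m.group(2) or "").split()
            if words and words[0] in ("server-fail", "server-fail-voip"):
                stmts[words[0]] = words[1:]
    findings = []
    for ifname, stmts in ports.items():
        if "server-fail" not in stmts:
            findings.append((ifname, "info", "no server-fail: supplicants are denied during a RADIUS outage"))
        for stmt, args in stmts.items():
            if args[:1] == ["permit"]:
                findings.append((ifname, "high", f"{stmt} permit: access is granted without RADIUS (fail-open)"))
            elif args[:1] == ["vlan-name"] and len(args) > 1 and args[1] not in vlans:
                findings.append((ifname, "high", f"{stmt} VLAN '{args[1]}' is not configured on the switch"))
    return sorted(findings)


if __name__ == "__main__":
    for ifname, severity, message in audit_server_fail(SAMPLE_CONFIG):
        print(f"{severity:5} {ifname:12} {message}")
```

Ports using use-cache or an existing fallback VLAN produce no finding; the "info" result only records that the default deny behavior applies on that port.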
Required Privilege Level
routing—To view this statement in the
routing-control—To add this statement to the configuration.