Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?





Hierarchy Level

Release Information

Statement introduced in Junos OS Releases 14.1X53-D40 and 15.1R4 for EX Series switches.


Configure authentication fallback options to specify how VoIP clients sending voice traffic are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant’s initial attempt at authentication through the RADIUS server.

When you configure the server fail fallback feature you must specify an action that the switch applies to end devices when the authentication servers are unavailable. The switch can accept or deny access to supplicants or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN. The VLAN must already be configured on the switch.

The server-fail-voip statement is specific to the VoIP-tagged traffic sent by clients. VoIP clients still require that the server-fail statement be configured for the un-tagged traffic that they generate. Therefore, when you configure the server-fail-voip statement you must also configure the server-fail statement.


An option other than server-fail deny must be configured for server-fail-voip to successfully commit.


If the server-fail-voip statement is not configured, in the event that the RADIUS authentication server becomes unavailable, a VoIP client that begins authentication by sending voice traffic is not authenticated, and the voice traffic is dropped.


deny—Force fail the supplicant authentication. No traffic will flow through the interface.

permit—Force succeed the supplicant authentication. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.

use-cache—Force succeed the supplicant authentication only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected. This option can be used only for reauthentication.

vlan-name—Move supplicant on the interface to the VLAN specified by this name. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the switch.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.