Field notes · Cisco ISE · 802.1X

A Cisco ISE MAB fallback that won't lock you out

A critical-auth VLAN so a dead RADIUS server doesn't take a whole floor offline.

802.1X is great until ISE is unreachable and suddenly nobody on the floor can get an IP. The fix isn’t to weaken authentication — it’s to fail gracefully.

Critical authentication VLAN

Tell the switch what to do when every RADIUS server is dead: put devices that are trying to authenticate onto a limited “critical” VLAN instead of denying them outright.

dot1x critical eapol
authentication event server dead action authorize vlan 99
authentication event server dead action authorize voice
authentication event server alive action reinitialize

When ISE comes back (server alive), ports reinitialise and re-authenticate properly — no manual bouncing.
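As an added example (not part of the original notes), a small Python audit that walks a saved running-config and flags any 802.1X/MAB-controlled port missing the dead-server fallback or the alive-reinitialize line, plus the global `dot1x critical eapol`. The sample config is constructed; it also shows where each line lives (the first command is global, the `authentication event` lines sit under each access port).

```python
# Constructed sample running-config (not from a real device): Gi1/0/1 has the
# dead-server fallback, Gi1/0/2 is 802.1X/MAB-controlled but has none.
SAMPLE_CONFIG = """\
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 mab
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# Per-port lines a controlled port needs for a survivable failure mode.
REQUIRED = (
    "authentication event server dead action authorize vlan",
    "authentication event server alive action reinitialize",
)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global line closes the stanza
    return stanzas

def audit(config):
    """Return {'global': [missing global lines], 'ports': {name: [missing]}}."""
    findings = {"global": [], "ports": {}}
    if "dot1x critical eapol" not in config.splitlines():
        findings["global"].append("dot1x critical eapol")
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue  # uplinks and uncontrolled ports are out of scope
        missing = [r for r in REQUIRED if not any(ln.startswith(r) for ln in lines)]
        if missing:
            findings["ports"][name] = missing
    return findings
```

Run `audit()` over the output of `show running-config` from each access switch before a maintenance window; any port it lists will go dark the next time ISE does.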

Keep an emergency way in

Pair it with a local fallback so you’re never fully dependent on the network you’re trying to fix:

  • A local privileged account on the switch (not just TACACS/RADIUS-backed).
  • An out-of-band path — console or a management port on a separate VLAN.

The point of NAC isn’t to be strict for its own sake. It’s to be strict and survivable. Design the failure mode on purpose, or the network will design it for you — usually at 4 p.m. on a Friday.