Home » Cisco Manuals » Bridges & Routers » Cisco WS-C2960-24TC-S » Manual Viewer

Cisco WS-C2960-24TC-S Software Guide - Page 193

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

View all Cisco WS-C2960-24TC-S manuals

Add to My Manuals
Save this manual to your list of manuals

Page 193 highlights

Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass In Cisco IOS Release 12.2(25)SEE and later, when the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports. A critical port is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy. When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the critical-authentication state, which is a special case of the authentication state. The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port: • If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers are unavailable, the switch puts the port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN. • If the port is already authorized and re-authentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server. • If the RADIUS server becomes unavailable during an authentication exchange, the current exchanges times out, and the switch puts the critical port in the critical-authentication state during the next authentication attempt. When a RADIUS server that can authenticate the host is available, all critical ports in the critical-authentication state are automatically re-authenticated. Inaccessible authentication bypass interacts with these features: • Guest VLAN-Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on IEEE 8021.x port, the features interact as follows: - If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client. - If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN. - If all the RADIUS servers are not available and the client is not connected to a critical port, the switch might not assign clients to the guest VLAN if one is configured. - If all the RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN. OL-8603-04 Catalyst 2960 Switch Software Configuration Guide 9-13

Section	Page
Catalyst 2960 Switch SoftwareConfiguration Guide	1
Contents	3
Preface	29
Audience	29
Purpose	29
Conventions	30
Related Publications	30
Obtaining Documentation, Obtaining Support, and Security Guidelines	32
Overview	33
Features	33
Ease-of-Deployment and Ease-of-Use Features	33
Performance Features	34
Management Options	35
Manageability Features	36
Availability and Redundancy Features	38
VLAN Features	39
Security Features	39
QoS and CoS Features	41
Monitoring Features	42
Default Settings After Initial Switch Configuration	42
Network Configuration Examples	44
Design Concepts for Using the Switch	44
Small to Medium-Sized Network Using Catalyst 2960 Switches	48
Long-Distance, High-Bandwidth Transport Configuration	49
Where to Go Next	50
Using the Command-Line Interface	51
Understanding Command Modes	51
Understanding the Help System	53
Understanding Abbreviated Commands	54
Understanding no and default Forms of Commands	54
Understanding CLI Error Messages	55
Using Configuration Logging	55
Using Command History	56
Changing the Command History Buffer Size	56
Recalling Commands	56
Disabling the Command History Feature	57
Using Editing Features	57
Enabling and Disabling Editing Features	57
Editing Commands through Keystrokes	57
Editing Command Lines that Wrap	59
Searching and Filtering Output of show and more Commands	60
Accessing the CLI	60
Accessing the CLI through a Console Connection or through Telnet	60
Assigning the Switch IP Address and Default Gateway	61
Understanding the Boot Process	61
Assigning Switch Information	62
Default Switch Information	63
Understanding DHCP-Based Autoconfiguration	63
DHCP Client Request Process	64
Configuring DHCP-Based Autoconfiguration	65
DHCP Server Configuration Guidelines	65
Configuring the TFTP Server	66
Configuring the DNS	66
Configuring the Relay Device	66
Obtaining Configuration Files	67
Example Configuration	68
Manually Assigning IP Information	70
Checking and Saving the Running Configuration	70
Modifying the Startup Configuration	71
Default Boot Configuration	72
Automatically Downloading a Configuration File	72
Specifying the Filename to Read and Write the System Configuration	72
Booting Manually	73
Booting a Specific Software Image	74
Controlling Environment Variables	74
Scheduling a Reload of the Software Image	76
Configuring a Scheduled Reload	76
Displaying Scheduled Reload Information	77
Configuring Cisco IOS CNS Agents	79
Understanding Cisco Configuration Engine Software	79
Configuration Service	80
Event Service	81
NameSpace Mapper	81
What You Should Know About the CNS IDs and Device Hostnames	81
ConfigID	81
DeviceID	82
Hostname and DeviceID	82
Using Hostname, DeviceID, and ConfigID	82
Understanding Cisco IOS Agents	83
Initial Configuration	83
Incremental (Partial) Configuration	84
Synchronized Configuration	84
Configuring Cisco IOS Agents	84
Enabling Automated CNS Configuration	84
Enabling the CNS Event Agent	86
Enabling the Cisco IOS CNS Agent	87
Enabling an Initial Configuration	87
Enabling a Partial Configuration	89
Displaying CNS Configuration	90
Clustering Switches	91
Understanding Switch Clusters	91
Cluster Command Switch Characteristics	93
Standby Cluster Command Switch Characteristics	93
Candidate Switch and Cluster Member Switch Characteristics	93
Planning a Switch Cluster	94
Automatic Discovery of Cluster Candidates and Members	94
Discovery Through CDP Hops	95
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices	96
Discovery Through Different VLANs	96
Discovery Through Different Management VLANs	97
Discovery of Newly Installed Switches	98
HSRP and Standby Cluster Command Switches	99
Virtual IP Addresses	100
Other Considerations for Cluster Standby Groups	100
Automatic Recovery of Cluster Configuration	101
IP Addresses	102
Hostnames	102
Passwords	103
SNMP Community Strings	103
TACACS+ and RADIUS	104
LRE Profiles	104
Using the CLI to Manage Switch Clusters	104
Catalyst1900 and Catalyst2820 CLI Considerations	104
Using SNMP to Manage Switch Clusters	105
Administering the Switch	107
Managing the System Time and Date	107
Understanding the System Clock	107
Understanding Network Time Protocol	108
Configuring NTP	109
Default NTP Configuration	110
Configuring NTP Authentication	110
Configuring NTP Associations	111
Configuring NTP Broadcast Service	112
Configuring NTP Access Restrictions	114
Configuring the Source IP Address for NTP Packets	116
Displaying the NTP Configuration	117
Configuring Time and Date Manually	117
Setting the System Clock	117
Displaying the Time and Date Configuration	118
Configuring the Time Zone	118
Configuring Summer Time (Daylight Saving Time)	119
Configuring a System Name and Prompt	120
Default System Name and Prompt Configuration	121
Configuring a System Name	121
Understanding DNS	121
Default DNS Configuration	122
Setting Up DNS	122
Displaying the DNS Configuration	123
Creating a Banner	123
Default Banner Configuration	123
Configuring a Message-of-the-Day Login Banner	124
Configuring a Login Banner	125
Managing the MAC Address Table	125
Building the Address Table	126
MAC Addresses and VLANs	126
Default MAC Address Table Configuration	127
Changing the Address Aging Time	127
Removing Dynamic Address Entries	128
Configuring MAC Address Notification Traps	128
Adding and Removing Static Address Entries	130
Configuring Unicast MAC Address Filtering	131
Displaying Address Table Entries	132
Managing the ARP Table	132
Configuring SDM Templates	133
Understanding the SDM Templates	133
Configuring the Switch SDM Template	134
Default SDM Template	134
SDM Template Configuration Guidelines	134
Setting the SDM Template	134
.Displaying the SDM Templates	135
Configuring Switch-Based Authentication	137
Preventing Unauthorized Access to Your Switch	137
Protecting Access to Privileged EXEC Commands	138
Default Password and Privilege Level Configuration	138
Setting or Changing a Static Enable Password	139
Protecting Enable and Enable Secret Passwords with Encryption	139
Disabling Password Recovery	141
Setting a Telnet Password for a Terminal Line	142
Configuring Username and Password Pairs	142
Configuring Multiple Privilege Levels	143
Setting the Privilege Level for a Command	144
Changing the Default Privilege Level for Lines	145
Logging into and Exiting a Privilege Level	145
Controlling Switch Access with TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	148
Configuring TACACS+	148
Default TACACS+ Configuration	149
Identifying the TACACS+ Server Host and Setting the Authentication Key	149
Configuring TACACS+ Login Authentication	150
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	152
Starting TACACS+ Accounting	153
Displaying the TACACS+ Configuration	153
Controlling Switch Access with RADIUS	153
Understanding RADIUS	154
RADIUS Operation	155
Configuring RADIUS	155
Default RADIUS Configuration	156
Identifying the RADIUS Server Host	156
Configuring RADIUS Login Authentication	159
Defining AAA Server Groups	161
Configuring RADIUS Authorization for User Privileged Access and Network Services	163
Starting RADIUS Accounting	164
Configuring Settings for All RADIUS Servers	165
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	165
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	167
Displaying the RADIUS Configuration	167
Configuring the Switch for Local Authentication and Authorization	168
Configuring the Switch for Secure Shell	169
Understanding SSH	169
SSH Servers, Integrated Clients, and Supported Versions	169
Limitations	170
Configuring SSH	170
Configuration Guidelines	170
Setting Up the Switch to Run SSH	171
Configuring the SSH Server	172
Displaying the SSH Configuration and Status	173
Configuring the Switch for Secure Socket Layer HTTP	173
Understanding Secure HTTP Servers and Clients	173
Certificate Authority Trustpoints	174
CipherSuites	175
Configuring Secure HTTP Servers and Clients	176
Default SSL Configuration	176
SSL Configuration Guidelines	176
Configuring a CA Trustpoint	176
Configuring the Secure HTTP Server	177
Configuring the Secure HTTP Client	179
Displaying Secure HTTP Server and Client Status	179
Configuring the Switch for Secure Copy Protocol	179
Information About Secure Copy	180
Configuring IEEE 802.1x Port-Based Authentication	181
Understanding IEEE 802.1x Port-Based Authentication	181
Device Roles	182
Authentication Process	183
Authentication Initiation and Message Exchange	185
Ports in Authorized and Unauthorized States	187
IEEE 802.1x Host Mode	187
IEEE 802.1x Accounting	188
IEEE 802.1x Accounting Attribute-Value Pairs	188
Using IEEE 802.1x Authentication with VLAN Assignment	189
Using IEEE 802.1x Authentication with Guest VLAN	191
Using IEEE 802.1x Authentication with Restricted VLAN	192
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass	193
Using IEEE 802.1x Authentication with Voice VLAN Ports	194
Using IEEE 802.1x Authentication with Port Security	194
Using IEEE 802.1x Authentication with Wake-on-LAN	195
Using IEEE 802.1x Authentication with MAC Authentication Bypass	196
Using Network Admission Control Layer 2 IEEE 802.1x Validation	197
Using Web Authentication	197
Web Authentication with Automatic MAC Check	198
Configuring IEEE 802.1x Authentication	198
Default IEEE 802.1x Authentication Configuration	199
IEEE 802.1x Authentication Configuration Guidelines	200
IEEE 802.1x Authentication	200
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass	201
MAC Authentication Bypass	202
Upgrading from a Previous Software Release	202
Configuring IEEE 802.1x Authentication	202
Configuring the Switch-to-RADIUS-Server Communication	204
Configuring the Host Mode	205
Configuring Periodic Re-Authentication	205
Manually Re-Authenticating a Client Connected to a Port	206
Changing the Quiet Period	206
Changing the Switch-to-Client Retransmission Time	207
Setting the Switch-to-Client Frame-Retransmission Number	208
Setting the Re-Authentication Number	208
Configuring IEEE 802.1x Accounting	209
Configuring a Guest VLAN	210
Configuring a Restricted VLAN	211
Configuring the Inaccessible Authentication Bypass Feature	213
Configuring IEEE 802.1x Authentication with WoL	215
Configuring MAC Authentication Bypass	216
Configuring NAC Layer 2 IEEE 802.1x Validation	217
Configuring Web Authentication	218
Disabling IEEE 802.1x Authentication on the Port	220
Resetting the IEEE 802.1x Authentication Configuration to the Default Values	221
Displaying IEEE 802.1x Statistics and Status	221
Configuring Interface Characteristics	223
Understanding Interface Types	223
Port-Based VLANs	224
Switch Ports	224
Access Ports	224
Trunk Ports	225
EtherChannel Port Groups	225
Dual-Purpose Uplink Ports	226
Connecting Interfaces	226
Using Interface Configuration Mode	226
Procedures for Configuring Interfaces	227
Configuring a Range of Interfaces	228
Configuring and Using Interface Range Macros	229
Configuring Ethernet Interfaces	231
Default Ethernet Interface Configuration	231
Setting the Type of a Dual-Purpose Uplink Port	232
Configuring Interface Speed and Duplex Mode	234
Speed and Duplex Configuration Guidelines	234
Setting the Interface Speed and Duplex Parameters	235
Configuring IEEE 802.3x Flow Control	236
Configuring Auto-MDIX on an Interface	237
Adding a Description for an Interface	238
Configuring the System MTU	238
Monitoring and Maintaining the Interfaces	240
Monitoring Interface Status	240
Clearing and Resetting Interfaces and Counters	241
Shutting Down and Restarting the Interface	241
Configuring Smartports Macros	243
Understanding Smartports Macros	243
Configuring Smartports Macros	244
Default Smartports Macro Configuration	244
Smartports Macro Configuration Guidelines	244
Creating Smartports Macros	246
Applying Smartports Macros	247
Applying Cisco-Default Smartports Macros	248
Displaying Smartports Macros	250
Configuring VLANs	251
Understanding VLANs	251
Supported VLANs	252
VLAN Port Membership Modes	253
Configuring Normal-Range VLANs	254
Token Ring VLANs	255
Normal-Range VLAN Configuration Guidelines	255
VLAN Configuration Mode Options	256
VLAN Configuration in config-vlan Mode	256
VLAN Configuration in VLAN Database Configuration Mode	256
Saving VLAN Configuration	256
Default Ethernet VLAN Configuration	257
Creating or Modifying an Ethernet VLAN	258
Deleting a VLAN	259
Assigning Static-Access Ports to a VLAN	260
Configuring Extended-Range VLANs	261
Default VLAN Configuration	261
Extended-Range VLAN Configuration Guidelines	262
Creating an Extended-Range VLAN	262
Displaying VLANs	263
Configuring VLAN Trunks	264
Trunking Overview	264
IEEE 802.1Q Configuration Considerations	265
Default Layer 2 Ethernet Interface VLAN Configuration	266
Configuring an Ethernet Interface as a Trunk Port	266
Interaction with Other Features	266
Configuring a Trunk Port	267
Defining the Allowed VLANs on a Trunk	268
Changing the Pruning-Eligible List	269
Configuring the Native VLAN for Untagged Traffic	269
Configuring Trunk Ports for Load Sharing	270
Load Sharing Using STP Port Priorities	270
Load Sharing Using STP Path Cost	272
Configuring VMPS	273
Understanding VMPS	274
Dynamic-Access Port VLAN Membership	274
Default VMPS Client Configuration	275
VMPS Configuration Guidelines	275
Configuring the VMPS Client	275
Entering the IP Address of the VMPS	276
Configuring Dynamic-Access Ports on VMPS Clients	276
Reconfirming VLAN Memberships	277
Changing the Reconfirmation Interval	277
Changing the Retry Count	278
Monitoring the VMPS	278
Troubleshooting Dynamic-Access Port VLAN Membership	279
VMPS Configuration Example	279
Configuring VTP	281
Understanding VTP	281
The VTP Domain	282
VTP Modes	283
VTP Advertisements	283
VTP Version 2	284
VTP Pruning	284
Configuring VTP	286
Default VTP Configuration	286
VTP Configuration Options	287
VTP Configuration in Global Configuration Mode	287
VTP Configuration in VLAN Database Configuration Mode	287
VTP Configuration Guidelines	288
Domain Names	288
Passwords	288
VTP Version	288
Configuration Requirements	289
Configuring a VTP Server	289
Configuring a VTP Client	291
Disabling VTP (VTP Transparent Mode)	292
Enabling VTP Version 2	293
Enabling VTP Pruning	294
Adding a VTP Client Switch to a VTP Domain	294
Monitoring VTP	296
Configuring Voice VLAN	297
Understanding Voice VLAN	297
Cisco IP Phone Voice Traffic	298
Cisco IP Phone Data Traffic	298
Configuring Voice VLAN	299
Default Voice VLAN Configuration	299
Voice VLAN Configuration Guidelines	299
Configuring a Port Connected to a Cisco7960 IP Phone	300
Configuring Cisco IP Phone Voice Traffic	300
Configuring the Priority of Incoming Data Frames	302
Displaying Voice VLAN	302
Configuring STP	303
Understanding Spanning-Tree Features	303
STP Overview	304
Spanning-Tree Topology and BPDUs	305
Bridge ID, Switch Priority, and Extended System ID	306
Spanning-Tree Interface States	306
Blocking State	308
Listening State	308
Learning State	308
Forwarding State	308
Disabled State	309
How a Switch or Port Becomes the Root Switch or Root Port	309
Spanning Tree and Redundant Connectivity	310
Spanning-Tree Address Management	310
Accelerated Aging to Retain Connectivity	310
Spanning-Tree Modes and Protocols	311
Supported Spanning-Tree Instances	311
Spanning-Tree Interoperability and Backward Compatibility	312
STP and IEEE 802.1Q Trunks	312
Configuring Spanning-Tree Features	312
Default Spanning-Tree Configuration	313
Spanning-Tree Configuration Guidelines	314
Changing the Spanning-Tree Mode.	315
Disabling Spanning Tree	316
Configuring the Root Switch	316
Configuring a Secondary Root Switch	318
Configuring Port Priority	318
Configuring Path Cost	320
Configuring the Switch Priority of a VLAN	321
Configuring Spanning-Tree Timers	322
Configuring the Hello Time	322
Configuring the Forwarding-Delay Time for a VLAN	323
Configuring the Maximum-Aging Time for a VLAN	323
Configuring the Transmit Hold-Count	324
Displaying the Spanning-Tree Status	324
Configuring MSTP	325
Understanding MSTP	326
Multiple Spanning-Tree Regions	326
IST, CIST, and CST	327
Operations Within an MST Region	327
Operations Between MST Regions	328
IEEE 802.1s Terminology	329
Hop Count	329
Boundary Ports	330
IEEE 802.1s Implementation	330
Port Role Naming Change	331
Interoperation Between Legacy and Standard Switches	331
Detecting Unidirectional Link Failure	332
Interoperability with IEEE 802.1D STP	332
Understanding RSTP	332
Port Roles and the Active Topology	333
Rapid Convergence	334
Synchronization of Port Roles	335
Bridge Protocol Data Unit Format and Processing	336
Processing Superior BPDU Information	337
Processing Inferior BPDU Information	337
Topology Changes	337
Configuring MSTP Features	338
Default MSTP Configuration	338
MSTP Configuration Guidelines	339
Specifying the MST Region Configuration and Enabling MSTP	340
Configuring the Root Switch	341
Configuring a Secondary Root Switch	342
Configuring Port Priority	343
Configuring Path Cost	344
Configuring the Switch Priority	345
Configuring the Hello Time	346
Configuring the Forwarding-Delay Time	347
Configuring the Maximum-Aging Time	347
Configuring the Maximum-Hop Count	348
Specifying the Link Type to Ensure Rapid Transitions	348
Designating the Neighbor Type	349
Restarting the Protocol Migration Process	349
Displaying the MST Configuration and Status	350
Configuring Optional Spanning-Tree Features	351
Understanding Optional Spanning-Tree Features	351
Understanding Port Fast	352
Understanding BPDU Guard	352
Understanding BPDU Filtering	353
Understanding UplinkFast	353
Understanding BackboneFast	355
Understanding EtherChannel Guard	357
Understanding Root Guard	358
Understanding Loop Guard	359
Configuring Optional Spanning-Tree Features	359
Default Optional Spanning-Tree Configuration	359
Optional Spanning-Tree Configuration Guidelines	360
Enabling Port Fast	360
Enabling BPDU Guard	361
Enabling BPDU Filtering	362
Enabling UplinkFast for Use with Redundant Links	363
Enabling BackboneFast	363
Enabling EtherChannel Guard	364
Enabling Root Guard	365
Enabling Loop Guard	365
Displaying the Spanning-Tree Status	366
Configuring IGMP Snooping and MVR	367
Understanding IGMP Snooping	367
IGMP Versions	368
Joining a Multicast Group	369
Leaving a Multicast Group	371
Immediate Leave	371
IGMP Configurable-Leave Timer	371
IGMP Report Suppression	372
Configuring IGMP Snooping	372
Default IGMP Snooping Configuration	372
Enabling or Disabling IGMP Snooping	373
Setting the Snooping Method	374
Configuring a Multicast Router Port	375
Configuring a Host Statically to Join a Group	376
Enabling IGMP Immediate Leave	376
Configuring the IGMP Leave Timer	377
Configuring TCN-Related Commands	378
Controlling the Multicast Flooding Time After a TCN Event	378
Recovering from Flood Mode	378

Match case Limit results 1 per page

9-13

Catalyst 2960 Switch Software Configuration Guide

OL-8603-04

Chapter 9

Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

In Cisco IOS Release 12.2(25)SEE and later, when the switch cannot reach the configured RADIUS

servers and hosts cannot be authenticated, you can configure the switch to allow network access to the

hosts connected to

critical

ports. A critical port is enabled for the inaccessible authentication bypass

feature, also referred to as

critical authentication

or the

AAA fail policy

When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever

the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can

authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network

access to the host and puts the port in the critical-authentication state, which is a special case of the

authentication state.

The behavior of the inaccessible authentication bypass feature depends on the authorization state of the

port:

•

If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers

are unavailable, the switch puts the port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

•

If the port is already authorized and re-authentication occurs, the switch puts the critical port in the

critical-authentication state in the current VLAN, which might be the one previously assigned by

the RADIUS server.

•

If the RADIUS server becomes unavailable during an authentication exchange, the current

exchanges times out, and the switch puts the critical port in the critical-authentication state during

the next authentication attempt.

When a RADIUS server that can authenticate the host is available, all critical ports in the

critical-authentication state are automatically re-authenticated.

Inaccessible authentication bypass interacts with these features:

•

Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest

VLAN is enabled on IEEE 8021.x port, the features interact as follows:

–

If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when

the switch does not receive a response to its EAP request/identity frame or when EAPOL

packets are not sent by the client.

–

If all the RADIUS servers are not available and the client is connected to a critical port, the

switch authenticates the client and puts the critical port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

–

If all the RADIUS servers are not available and the client is not connected to a critical port, the

switch might not assign clients to the guest VLAN if one is configured.

–

If all the RADIUS servers are not available and if a client is connected to a critical port and was

previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.