214is not assigned to the critical VLAN. For more information about the authentication methods, see"Configuring AAA."Table 11 shows the way that the network access device handles critical VLANs for MACauthentication users.Table 11 VLAN manipulationAuthentication status VLAN manipulationA user fails MAC authentication because all theRADIUS servers are unreachable.The device maps the MAC address of the user to the MACauthentication critical VLAN.The user is still in the MAC authentication critical VLAN ifthe user fails MAC reauthentication because all theRADIUS servers are unreachable.If no MAC authentication critical VLAN is configured, thedevice maps the MAC address of the user to the PVID ofthe port.A user in the MAC authentication critical VLANfails MAC authentication for any reason otherthan server unreachable.If a guest VLAN has been configured, the device maps theMAC address of the user to the guest VLAN.If no guest VLAN is configured, the device maps the MACaddress of the user to the PVID of the port.A user in the MAC authentication critical VLANpasses MAC authentication.The device remaps the MAC address of the user to theauthorization VLAN assigned by the authentication server.If no authorization VLAN is configured for the user on theauthentication server, the device remaps the MACaddress of the user to the PVID of the access port.ACL assignmentYou can specify an authorization ACL in the user account for a MAC authentication user to controlthe user's access to network resources. After the user passes MAC authentication, theauthentication server (local or remote) assigns the authorization ACL to the access port of the user.The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on theaccess device for the ACL assignment feature.To ensure a successful ACL assignment, make sure the ACL does not contain rules that matchsource MAC addresses.To change the access control criteria for the user, you can use one of the following methods:• Modify ACL rules on the access device.• Specify another authorization ACL on the authentication server.For more information about ACLs, see ACL and QoS Configuration Guide.User profile assignmentYou can specify a user profile in the user account for a MAC authentication user to control the user'saccess to network resources. After the user passes MAC authentication, the authentication serverassigns the user profile to the user to filter traffic for this user. The authentication server can be thelocal access device or a RADIUS server. In either case, you must configure the user profile on theaccess device.To change the user's access permissions, you can use one of the following methods:• Modify the user profile configuration on the access device.• Specify another user profile for the user on the authentication server.