LAN Enforcer how to work with Critical VLAN of Cisco switch and a dummy AAA server


Article ID: 180422


Products

Network Access Control

Issue/Introduction


Resolution

Critical VLAN: when the authentication server (the LAN Enforcer) is unreachable, a Cisco switch can assign the interface to the VLAN defined as its critical VLAN. To avoid impacting service, the critical VLAN is normally a regular production VLAN from which the appropriate resources can be reached. The customer uses SNAC in transparent mode as the 802.1x client and has only one LAN Enforcer, so all clients lose network access if that LAN Enforcer goes down. The customer therefore wants to configure a critical VLAN on every interface.
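The switch-side configuration this describes, as an added example that is not part of the original article: a Cisco IOS access port that authenticates against the LAN Enforcer over RADIUS and, when the Enforcer is marked dead, is authorized into the normal production VLAN rather than blocked. The RADIUS server address 192.0.2.10, the shared secret placeholder, VLAN 10, the interface name and the dead-detection timers are assumptions chosen for illustration, not values from the article.

```cisco
! Assumed addressing: 192.0.2.10 is the LAN Enforcer's RADIUS interface.
radius server LAN-ENFORCER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! Dead-server detection: mark the Enforcer dead after 3 unanswered
! requests within 10 seconds, and hold it dead for 5 minutes before
! probing again. Without these, the port never enters the critical VLAN.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
! Send EAPOL-Success to supplicants placed in the critical VLAN, so a
! Windows 802.1x supplicant stops retrying and brings the interface up.
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 ! Critical VLAN: when all RADIUS servers are dead, authorize the port
 ! into VLAN 10 (the assumed production VLAN) instead of blocking it.
 authentication event server dead action authorize vlan 10
 ! When the Enforcer comes back, re-run 802.1x on ports that were
 ! authorized while it was dead, so they return to policy enforcement.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Two points to check after applying this on a real switch: the critical VLAN only engages when the RADIUS server is *dead* by the switch's criteria, not when it answers with a reject, so the dead-criteria and deadtime values decide how long clients are blocked before failover; and `show authentication sessions interface GigabitEthernet1/0/1` reports the "Critical" authorization state, which is the indicator to alert on, since a port sitting in the critical VLAN is a port where no posture check is being enforced. Older IOS releases use `dot1x critical vlan <id>` on the interface in place of the `authentication event server dead` form.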

The issue is:

For transparent-mode clients, the Enforcer's AAA server is configured as 0.0.0.0. After 802.1x authentication, a PC that does not have SNAC installed but has 802.1x enabled in Windows is assigned to the critical VLAN.

Solution:

In SEPM, configure a dummy AAA server for the Enforcer. That AAA server always returns a user-authentication failure to the LAN Enforcer, so you can configure a switch action for the combination "Host authentication——unavailable" and "User Authentication——failed" to match computers that do not have SNAC installed but have 802.1x enabled.