Users Guide

Authentication, Authorization, and Accounting 345
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to the access mode because each downlink port
connects to a single host that belongs to a single VLAN. Set the port-control
mode to auto (the default) to allow assignment of the dynamically created
VLANs to the host-connected port. Allow a single host to authenticate on
each port.
console(config-if)#switchport mode access
console(config-if)#authentication port-control auto
console(config-if)#authentication host-mode single-host
console(config-if)#exit
8. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9. Disable 802.1X authentication on the interface. This causes the port to
transition to the authorized state without any authentication exchange
required. This port does not connect to any end-users, so there is no need
for 802.1X-based authentication.
console(config-if-Gi1/0/24)#authentication port-control force-authorized
10. Set the uplink port to trunk mode so that it accepts tagged traffic and
transmits it to the connected device (another switch or router). The trunk
port will automatically become a member of any dynamically created
VLANs unless configured to exclude them.
console(config-if-Gi1/0/24)#switchport mode trunk
11. Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN
from 1000–2000, inclusive.
console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
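One way to verify that a saved running-config still matches steps 7 through 11, written as an added example and not taken from this guide or the switch firmware: the script parses interface blocks in the CLI format shown above and flags downlinks that are not auto/single-host and trunks that still carry the 1000-2000 range. The sample configuration, the set of uplink ports and the dynamic VLAN range are constructed assumptions.

```python
import re
# Constructed sample config (not from the guide); Gi1/0/2 is mis-set to force-authorized.
SAMPLE_CONFIG = """\
interface Gi1/0/2
switchport mode access
authentication port-control force-authorized
exit
interface Gi1/0/24
authentication port-control force-authorized
switchport mode trunk
switchport trunk allowed vlan remove 1000-2000
exit
"""
DYNAMIC_VLANS = set(range(1000, 2001))  # assumed range that step 11 keeps off the trunk

def parse_interfaces(config):
    """Map each 'interface X' block to the list of commands inside it."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current and line:
            blocks[current].append(line)
    return blocks

def removed_vlans(cmds):
    """VLAN IDs removed from the trunk allowed list; accepts '10,20-30' syntax."""
    removed = set()
    for cmd in cmds:
        m = re.match(r"switchport trunk allowed vlan remove (\S+)", cmd)
        for part in m.group(1).split(",") if m else []:
            lo, _, hi = part.partition("-")
            removed.update(range(int(lo), int(hi or lo) + 1))
    return removed

def audit(config, uplinks):
    """Return (interface, finding) pairs; an empty list means the config matches steps 7-11."""
    want = {"uplink": ["switchport mode trunk", "authentication port-control force-authorized"],
            "downlink": ["switchport mode access", "authentication port-control auto",
                         "authentication host-mode single-host"]}
    findings = []
    for name, cmds in parse_interfaces(config).items():
        role = "uplink" if name in uplinks else "downlink"
        findings += [(name, f"missing '{c}'") for c in want[role] if c not in cmds]
        if role == "uplink" and DYNAMIC_VLANS - removed_vlans(cmds):
            findings.append((name, "dynamic VLANs 1000-2000 still allowed on trunk"))
    return findings
```

Run `audit(SAMPLE_CONFIG, {"Gi1/0/24"})` to list the ports that deviate from the procedure; a port left force-authorized on a downlink is reported as missing the auto setting.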
Configuring Authentication Server Dynamic ACL or DiffServ Policy Assignments
To enable Dynamic ACL or DiffServ policy assignment by an external server,
the following conditions must be true:
The RADIUS or 802.1X server must specify the name of the ACL or policy
to assign.
For example, if the DiffServ policy to assign is named internet_access,
include the following attribute in the RADIUS server configuration: