Users Guide

Table Of Contents
Authentication, Authorization, and Accounting 345
console(config)#interface range Gi1/0/1-23
7
Set the downlink ports to the access mode because each downlink port
connects to a single host that belongs to a single VLAN. Set the port-
control mode to auto (the default) to allow assignment of the dynamically
created VLANs to the host connected port. Allow a single host to
authenticate on each port.
console(config-if)#switchport mode access
console(config-if)#authentication port-control auto
console(config-if)#authentication host-mode single-host
console(config-if)#exit
8
Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9
Disable 802.1X authentication on the interface. This causes the port to
transition to the authorized state without any authentication exchange
required. This port does not connect to any end-users, so there is no need
for 802.1X-based authentication.
console(config-if-Gi1/0/24)#authentication port-control force-
authorized
10
Set the uplink port to trunk mode so that it accepts tagged traffic and
transmits it to the connected device (another switch or router). The trunk
port will automatically become a member of any dynamically created
VLANs unless configured to exclude them.
console(config-if-Gi1/0/24)#switchport mode trunk
11
Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN
from 1000–2000, inclusive.
console(config-if-Gi1/0/24)#switchport trunk allowed vlan
remove 1000-2000
console(config-if-Gi1/0/24)#exit
Configuring Authentication Server Dynamic ACL or DiffServ Policy Assignments
To enable Dynamic ACL or DiffServ policy assignment by an external server,
the following conditions must be true:
The RADIUS or 802.1X server must specify the name of the ACL or policy
to assign.
For example, if the DiffServ policy to assign is named internet_access,
include the following attribute in the RADIUS server configuration: