Administrator Guide

Authentication, Authorization, and Accounting 309
switch. However, the network administrator in this example has determined
that traffic in VLANs 1000–2000 should not be forwarded on the trunk port,
even if the RADIUS server assigns a connected host to a VLAN in this range,
and the switch dynamically creates the VLAN.
To configure the switch:
1. Configure information about the external RADIUS server the switch uses
to authenticate clients. The RADIUS server IP address is 10.10.10.10, and
the shared secret is qwerty123. (The secret shown is an example value only.
Use a long, random secret in production: it is the only thing that
authenticates the RADIUS server's replies, and therefore its VLAN
assignments, to the switch.)
console(config)#radius-server key qwerty123
console(config)#radius-server host 10.10.10.10
console(Config-auth-radius)#exit
2. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
3. Create a default authentication login list and use the RADIUS server for
port-based authentication of connected clients.
console(config)#aaa authentication dot1x default radius
4. Allow the switch to accept VLAN assignments from the RADIUS server.
console(config)#aaa authorization network default radius
5. Allow the switch to dynamically create VLANs when a RADIUS-assigned
VLAN does not exist on the switch. With this enabled, the RADIUS server's
policy effectively decides which VLANs exist on the switch, which is why the
administrator in this example restricts the VLANs carried on the trunk port.
console(config)#dot1x dynamic-vlan enable
6. Enter interface configuration mode for the downlink ports.
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to access mode, because each downlink port
connects to a single host that belongs to a single VLAN. Set the
port-control mode to auto (the default) to allow assignment of the
dynamically created VLANs to the port the host is connected to.
console(config-if)#switchport mode access
console(config-if)#dot1x port-control auto
console(config-if)#exit
NOTE: The configuration that controls which VLAN each host is assigned to is
done on the external RADIUS server. The server returns the assignment in
the Access-Accept using the RFC 3580 attributes Tunnel-Type (VLAN, value 13),
Tunnel-Medium-Type (IEEE-802, value 6), and Tunnel-Private-Group-ID (the
VLAN ID); if any of the three is missing or inconsistent, the switch does
not apply a VLAN.
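The following is an added example, not part of the Dell guide and not the switch's own code. It models what the switch does with the Access-Accept the RADIUS server sends after the configuration above: verify the RFC 2865 Response Authenticator with the shared secret, extract the RFC 3580 VLAN triple, and note whether the VLAN would be dynamically created and whether it falls in the 1000-2000 range the administrator keeps off the trunk. The shared secret qwerty123, the request authenticator, the existing-VLAN set and the packets themselves are constructed for the example; the VLAN range policy is taken from the page.

```python
"""Added example: validate a RADIUS Access-Accept carrying an 802.1X VLAN assignment.
Packet layout per RFC 2865, tunnel attributes per RFC 2868 / RFC 3580."""
import hashlib
import hmac
import struct
from typing import Dict, Iterator, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64              # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13              # RFC 3580 s3.31
TUNNEL_MEDIUM_IEEE_802 = 6         # RFC 3580 s3.32

# Constructed values matching the guide's example; a real deployment needs a long random secret.
SHARED_SECRET = b"qwerty123"
# Constructed policy from the example: VLANs that must not be forwarded on the trunk port.
TRUNK_PRUNED = range(1000, 2001)


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer attribute: type, length=6, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """RFC 2868 tagged string attribute: type, length, tag byte, string."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_attributes(vlan_id: int) -> bytes:
    """The RFC 3580 triple a RADIUS server sends to assign a VLAN."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch side: recompute the authenticator; a wrong secret or any tampering fails here."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the RADIUS TLVs, rejecting truncated or zero-length entries."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def assigned_vlan(packet: bytes) -> Optional[int]:
    """Return the VLAN ID the switch would apply, or None if the triple is absent or inconsistent."""
    found: Dict[int, object] = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s3.6: a leading octet of 0x00-0x1F is a tag, otherwise it is data.
            body = value[1:] if value and value[0] <= 0x1F else value
            found[atype] = body.decode("ascii", errors="replace")
    if (found.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    gid = found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not isinstance(gid, str) or not gid.isdigit():
        return None
    vid = int(gid)
    return vid if 1 <= vid <= 4094 else None


def evaluate_accept(packet: bytes, request_auth: bytes, secret: bytes, existing_vlans) -> dict:
    """Mimic the switch's decision for one Access-Accept after 'dot1x dynamic-vlan enable'."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return {"accepted": False, "reason": "bad length"}
    if not verify_response_authenticator(packet, request_auth, secret):
        return {"accepted": False, "reason": "response authenticator mismatch"}
    vid = assigned_vlan(packet)
    if vid is None:
        return {"accepted": True, "vlan": None, "reason": "no usable VLAN assignment"}
    return {"accepted": True, "vlan": vid,
            "dynamically_created": vid not in existing_vlans,
            "trunk_pruned": vid in TRUNK_PRUNED}


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator from the Access-Request
    reply = build_access_accept(7, req_auth, vlan_attributes(1500), SHARED_SECRET)
    print(evaluate_accept(reply, req_auth, SHARED_SECRET, existing_vlans={1, 10, 20}))
    forged = build_access_accept(7, req_auth, vlan_attributes(10), b"guessed-secret")
    print(evaluate_accept(forged, req_auth, SHARED_SECRET, existing_vlans={1, 10, 20}))
```

The forged reply in the usage shows the point of the shared-secret caveat: anyone who can reach the switch's RADIUS path and knows (or guesses) the secret can place a host in any VLAN, and the switch will create that VLAN on the fly.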