Administrator Guide

310 Authentication, Authorization, and Accounting
8. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
   console(config)#interface Gi1/0/24
9. Disable 802.1X authentication on the interface. This causes the port to
   transition to the authorized state without any authentication exchange
   required. This port does not connect to any end-users, so there is no need
   for 802.1X-based authentication.
   console(config-if-Gi1/0/24)#dot1x port-control force-authorized
10. Set the uplink port to trunk mode so that it accepts tagged traffic and
    transmits it to the connected device (another switch or router). The trunk
    port will automatically become a member of any dynamically created
    VLANs unless configured to exclude them.
    console(config-if-Gi1/0/24)#switchport mode trunk
11. Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN
    from 1000–2000, inclusive.
    console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
    console(config-if-Gi1/0/24)#exit

Configuring Authentication Server DiffServ Policy Assignments

To enable DiffServ policy assignment by an external server, the following
conditions must be true:

• The port that the host is connected to must be enabled for MAC-based
  port access control by using the following command in Interface Config
  mode:
  dot1x port-control mac-based
• The RADIUS or 802.1X server must specify the name of the policy to
  assign.
  For example, if the DiffServ policy to assign is named internet_access,
  include the following attribute in the RADIUS server configuration:
  Filter-id (11) = "internet_access"
• The DiffServ policy specified in the attribute must already be configured
  on the switch, and the policy names must be identical.
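
The following Python audit is an added example, not part of the guide or of the switch software. It checks the conditions above and the uplink step before them: force-authorized only on trunk ports, mac-based on ports that receive a policy, and Filter-Id values that match a switch policy name exactly. The function names, the "interface ... exit" stanza layout of the config text, and the caller-supplied lists of Filter-Id values and policy names are assumptions.

```python
import re

# Constructed running-config excerpt (not from the guide); the
# "interface ... exit" stanza layout is an assumption.
SAMPLE_CONFIG = """\
interface Gi1/0/1
dot1x port-control mac-based
exit
interface Gi1/0/2
dot1x port-control force-authorized
exit
interface Gi1/0/24
dot1x port-control force-authorized
switchport mode trunk
exit
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        match = re.fullmatch(r"interface\s+(\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line == "exit":
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit(config, policy_ports, filter_ids, switch_policies):
    """Return findings as strings; an empty list means every check passed."""
    stanzas, findings = parse_interfaces(config), []
    for port, cmds in stanzas.items():
        # force-authorized skips 802.1X, so expect it only on trunk uplinks.
        if ("dot1x port-control force-authorized" in cmds
                and "switchport mode trunk" not in cmds):
            findings.append(f"{port}: force-authorized on a non-trunk port")
    for port in policy_ports:
        # DiffServ assignment requires MAC-based port access control.
        if "dot1x port-control mac-based" not in stanzas.get(port, []):
            findings.append(f"{port}: not set to dot1x port-control mac-based")
    folded = {name.casefold() for name in switch_policies}
    for fid in filter_ids:
        # Filter-Id must equal a configured policy name exactly.
        if fid in switch_policies:
            continue
        near = fid.strip().casefold() in folded
        findings.append(f"Filter-Id {fid!r}: " + ("differs only in case or spacing"
                        if near else "no such policy on the switch"))
    return findings
```
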
For information about configuring a DiffServ policy, see "DiffServ
Configuration Examples" on page 1467. The example "Providing Subnets