Users Guide

Authentication, Authorization, and Accounting 367
console(config-if)#switchport mode access
console(config-if)#dot1x port-control auto
console(config-if)#exit
8. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9. Disable 802.1X authentication on the interface. This forces the port into the authorized state without any authentication exchange. The port connects to another switch or router rather than to end users, so 802.1X-based authentication is not needed here.
console(config-if-Gi1/0/24)#dot1x port-control force-authorized
10. Set the uplink port to trunk mode so that it accepts tagged traffic and forwards it to the connected device (another switch or router). A trunk port automatically becomes a member of any dynamically created VLAN unless it is configured to exclude them, which is why the next step prunes the dynamic VLAN range.
console(config-if-Gi1/0/24)#switchport mode trunk
11. Forbid the trunk from forwarding traffic tagged with any VLAN from 1000 to 2000, inclusive, so that VLANs created dynamically in that range do not extend across the uplink.
console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
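The procedure above is easy to get half right: an access port left without port-control, or an uplink that is force-authorized but still carries the dynamic VLAN range, silently defeats the design. The following audit script is an added example, not part of the Users Guide, that parses a running-config in the command syntax shown above and reports those two mistakes. The sample configuration is constructed for the example (ports Gi1/0/2 and Gi1/0/23 are deliberately misconfigured), and the assumption that VLANs 1000-2000 are the dynamic range is taken from step 11.

```python
import re

# Assumption taken from step 11 of the procedure: the VLAN range that dynamic
# (RADIUS-assigned) VLANs are created in, which uplinks must not forward.
DYNAMIC_VLAN_RANGE = (1000, 2000)

# Constructed sample running-config in the page's command syntax.  Gi1/0/1 and
# Gi1/0/24 follow the procedure; Gi1/0/2 and Gi1/0/23 are deliberately wrong.
SAMPLE_CONFIG = """\
interface Gi1/0/1
switchport mode access
dot1x port-control auto
exit
interface Gi1/0/2
switchport mode access
exit
interface Gi1/0/23
dot1x port-control force-authorized
switchport mode trunk
exit
interface Gi1/0/24
dot1x port-control force-authorized
switchport mode trunk
switchport trunk allowed vlan remove 1000-2000
exit
"""


def parse_vlan_list(spec):
    """Expand a VLAN list such as '5,7,10-12' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_interfaces(config_text):
    """Collect mode, dot1x port-control and pruned trunk VLANs per interface."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = interfaces.setdefault(
                m.group(1), {"mode": None, "port_control": None, "removed_vlans": set()}
            )
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        m = re.match(r"switchport mode (\w+)$", line)
        if m:
            current["mode"] = m.group(1)
            continue
        m = re.match(r"dot1x port-control (\S+)$", line)
        if m:
            current["port_control"] = m.group(1)
            continue
        m = re.match(r"switchport trunk allowed vlan remove (\S+)$", line)
        if m:
            current["removed_vlans"] |= parse_vlan_list(m.group(1))
    return interfaces


def audit(config_text, dynamic_range=DYNAMIC_VLAN_RANGE):
    """Return {interface: [findings]} for ports that deviate from the procedure."""
    dynamic = set(range(dynamic_range[0], dynamic_range[1] + 1))
    findings = {}
    for name, cfg in parse_interfaces(config_text).items():
        issues = []
        # User-facing access ports must authenticate the attached host.
        if cfg["mode"] == "access" and cfg["port_control"] != "auto":
            issues.append("access port without 'dot1x port-control auto'")
        if cfg["mode"] == "trunk":
            # Uplinks carry no end users, so the procedure force-authorizes them.
            if cfg["port_control"] != "force-authorized":
                issues.append("trunk port without 'dot1x port-control force-authorized'")
            # A trunk joins dynamically created VLANs unless they are pruned.
            leaked = dynamic - cfg["removed_vlans"]
            if leaked:
                issues.append(f"trunk still forwards dynamic VLANs {min(leaked)}-{max(leaked)}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in sorted(audit(SAMPLE_CONFIG).items()):
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the constructed sample, the script reports Gi1/0/2 (no port-control) and Gi1/0/23 (trunk still forwarding VLANs 1000-2000) and stays silent on the two ports that follow the procedure. Feed it the output of `show running-config` to check a real switch; if a platform prints the VLAN list with spaces or in a different order, only `parse_vlan_list` needs adjusting.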
Configuring Authentication Server Dynamic ACL or DiffServ Policy Assignments
To enable Dynamic ACL or DiffServ policy assignment by an external server,
the following conditions must be true:
The RADIUS or 802.1X server must specify the name of the ACL or policy to assign.
For example, if the DiffServ policy to assign is named internet_access, include the following attribute in the RADIUS server configuration:
Filter-Id (11) = "internet_access"
To assign an ACL that already exists on the switch, include the following attribute in the RADIUS server configuration:
Filter-Id (11) = "Existing_ACL"
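The Filter-Id attribute travels inside the RADIUS Access-Accept, so the name the switch acts on is only as trustworthy as the packet that carries it. The following script is an added example, not code from the Users Guide or from any switch firmware; it builds an Access-Accept carrying Filter-Id (attribute type 11) per RFC 2865, checks the Response Authenticator (MD5 over code, identifier, length, the Request Authenticator from the Access-Request, the attributes and the shared secret) before trusting the attribute, and then accepts the name only if it matches a policy or ACL that exists on the switch, which is the condition the text above states. The shared secret, the Request Authenticator and the set of configured policies are constructed for the example.

```python
import hashlib
import hmac
import struct

FILTER_ID = 11           # RFC 2865 attribute type for Filter-Id
CODE_ACCESS_ACCEPT = 2   # RFC 2865 packet code for Access-Accept
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, filter_id):
    """Build an Access-Accept whose only attribute is Filter-Id = filter_id."""
    attrs = encode_avp(FILTER_ID, filter_id.encode("utf-8"))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator, RFC 2865 section 3:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True if the Response Authenticator matches; rejects forged or tampered replies."""
    if len(packet) < HEADER_LEN:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return (code, identifier, [(type, value), ...]); raises on malformed input."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs = []
    offset = HEADER_LEN
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, identifier, attrs


def policy_from_accept(packet, request_authenticator, secret, configured_policies):
    """Name of the ACL/DiffServ policy to apply, or None if nothing usable was sent.

    The switch-side rule from the text: the name in Filter-Id must refer to a
    policy or ACL that already exists; an unknown name assigns nothing.
    """
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch; discarding reply")
    code, _, attrs = parse_attributes(packet)
    if code != CODE_ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == FILTER_ID:
            name = value.decode("utf-8", errors="replace")
            return name if name in configured_policies else None
    return None


if __name__ == "__main__":
    # Constructed values: a real client takes these from its Access-Request.
    request_auth = bytes(range(16))
    secret = b"testing123"
    switch_policies = {"internet_access", "Existing_ACL"}
    pkt = build_access_accept(7, request_auth, secret, "internet_access")
    print(pkt.hex())
    print(policy_from_accept(pkt, request_auth, secret, switch_policies))
```

Two details are worth keeping: the authenticator check must happen before the attributes are parsed, since a reply that fails it is not from the configured server, and a Filter-Id naming a policy the switch does not have results in no assignment rather than an error, which is the failure to look for when a dynamic ACL silently does not apply.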