Users Guide

344 Authentication, Authorization, and Accounting
Allowing Dynamic Creation of RADIUS-Assigned VLANs
The network in this example uses a RADIUS server to provide VLAN assignments to hosts that connect to the switch. In this example, the VLANs are not configured on the switch. Instead, the switch is configured to allow the dynamic creation of VLANs when a RADIUS-assigned VLAN does not already exist on the switch.
In this example, Ports 1–23 are configured as downlink, or access, ports, and Port 24 is the trunk port. As a trunk port, Port 24 is automatically added as a member to all VLANs that are statically or dynamically configured on the switch. However, the network administrator in this example has determined that traffic in VLANs 1000–2000 should not be forwarded on the trunk port, even if the RADIUS server assigns a connected host to a VLAN in this range and the switch dynamically creates the VLAN.
To configure the switch:

1. Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.10, and the global shared secret is qwerty123.

   console(config)#radius server key qwerty123
   console(config)#radius server 10.10.10.10
   console(config-auth-radius)#name MyRadius
   console(config-auth-radius)#exit

2. Enable 802.1X on the switch.

   console(config)#dot1x system-auth-control

3. Create a default authentication login list and use the RADIUS server for port-based authentication for connected clients.

   console(config)#aaa authentication dot1x default radius

4. Allow the switch to accept VLAN assignments by the RADIUS server.

   console(config)#aaa authorization network default radius

5. Allow the switch to dynamically create VLANs when a RADIUS-assigned VLAN does not exist on the switch.

   console(config)#authentication dynamic-vlan enable

6. Enter interface configuration mode for the downlink ports.

NOTE: The configuration to control the VLAN assignment for hosts is done on the external RADIUS server.
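The NOTE above says the VLAN assignment itself lives on the RADIUS server, which delivers it in the Access-Accept as the three tunnel attributes defined in RFC 2868 and RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number as text). The following Python script is an added illustration and is not part of this guide or of any Dell software: it encodes those attributes as a server would, parses them the way a switch must (rejecting truncated or malformed TLVs), and applies a simplified model of the behaviour this example configures, namely creating a missing VLAN when dynamic VLAN creation is enabled and keeping VLANs 1000–2000 off trunk Port 24. The `Switch` class, its port numbers and what happens when dynamic creation is disabled are modelling assumptions, not documented switch behaviour.

```python
"""Model of RADIUS-assigned VLANs with dynamic VLAN creation.

Added illustration, not Dell code. Builds the RFC 3580 tunnel attributes a
RADIUS server returns to assign a VLAN, parses them as a switch must, and
applies the policy from the guide's example: create the VLAN if it is
missing (dynamic-vlan enabled) and keep VLANs 1000-2000 off trunk port 24.
"""
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def build_vlan_attrs(vlan_id, tag=0):
    """Encode the Access-Accept attributes that assign vlan_id (server side)."""
    def int3(v):
        # Tunnel-Type / Tunnel-Medium-Type carry a 1-byte tag + 3-byte integer
        return struct.pack(">I", v)[1:]

    out = b""
    for atype, val in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                       (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)):
        body = bytes([tag]) + int3(val)
        out += bytes([atype, 2 + len(body)]) + body
    # Tunnel-Private-Group-ID: optional tag byte followed by the VLAN ID as text
    body = bytes([tag]) + str(vlan_id).encode("ascii")
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    return out


def parse_attrs(data):
    """Walk RADIUS attribute TLVs; returns [(type, value)] or raises on bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(data):
    """Return the VLAN ID the server assigned, or None when the attributes are
    missing, inconsistent, or not a valid 802.1Q VLAN number (1-4094)."""
    ttype = tmedium = group = None
    for atype, val in parse_attrs(data):
        if atype == TUNNEL_TYPE and len(val) == 4:
            ttype = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(val) == 4:
            tmedium = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # Leading byte is a tag only if it is 0x00-0x1F (RFC 2868 3.6)
            group = val[1:] if val[0] <= 0x1F else val
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_IEEE802 or group is None:
        return None
    try:
        vlan = int(group.decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


class Switch:
    """Simplified model (assumption) of the example switch: downlink ports 1-23,
    trunk port 24, VLANs 1000-2000 never forwarded on the trunk."""
    TRUNK_PORT = 24
    TRUNK_EXCLUDED = range(1000, 2001)

    def __init__(self, existing_vlans, dynamic_vlan=True):
        self.vlans = set(existing_vlans)      # statically configured VLANs
        self.dynamic_vlan = dynamic_vlan       # 'authentication dynamic-vlan enable'
        self.dynamic_vlans = set()             # VLANs created on demand

    def authorize(self, port, accept_attrs):
        """Apply an Access-Accept to a downlink port; returns the outcome."""
        if not 1 <= port < self.TRUNK_PORT:
            raise ValueError("only downlink ports 1-23 carry supplicants in this model")
        vlan = assigned_vlan(accept_attrs)
        result = {"port": port, "vlan": None, "created": False, "on_trunk": False}
        if vlan is None:
            return result                      # no usable assignment: port gets no VLAN
        if vlan not in self.vlans:
            if not self.dynamic_vlan:
                return result                  # modelled as: assignment not honoured
            self.vlans.add(vlan)
            self.dynamic_vlans.add(vlan)
            result["created"] = True
        result["vlan"] = vlan
        result["on_trunk"] = vlan not in self.TRUNK_EXCLUDED
        return result


if __name__ == "__main__":
    sw = Switch(existing_vlans={1, 100})
    print(sw.authorize(3, build_vlan_attrs(100)))   # existing VLAN, carried on trunk
    print(sw.authorize(5, build_vlan_attrs(1500)))  # created on demand, kept off trunk
```

Running the script shows the two cases the example cares about: a host assigned to an existing VLAN is simply placed in it, while a host assigned to VLAN 1500 causes the VLAN to be created and, because it falls in the 1000–2000 range, the model reports it as not carried on the trunk. The parser's length checks are the part worth copying into anything real: a malformed attribute list from a compromised or misconfigured server should be rejected, not silently used to place a port in a VLAN.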