Administrator Guide

352 Authentication, Authorization, and Accounting
In this example, Ports 1–23 are configured as downlink, or access, ports, and
Port 24 is the trunk port. As a trunk port, Port 24 is automatically added as a
member to all VLANs that are statically or dynamically configured on the
switch. However, the network administrator in this example has determined
that traffic in VLANs 1000–2000 should not be forwarded on the trunk port,
even if the RADIUS server assigns a connected host to a VLAN in this range,
and the switch dynamically creates the VLAN.
To configure the switch:
1. Configure information about the external RADIUS server the switch uses
to authenticate clients. The RADIUS server IP address is 10.10.10.10, and
the global shared secret is qwerty123.
console(config)#radius server key qwerty123
console(config)#radius server 10.10.10.10
console(config-auth-radius)#name MyRadius
console(config-auth-radius)#exit
2. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
3. Create a default authentication login list and use the RADIUS server for
port-based authentication for connected clients.
console(config)#aaa authentication dot1x default radius
4. Allow the switch to accept VLAN assignments by the RADIUS server.
console(config)#aaa authorization network default radius
5. Allow the switch to dynamically create VLANs when a RADIUS-assigned
VLAN does not exist on the switch.
console(config)#dot1x dynamic-vlan enable
6. Enter interface configuration mode for the downlink ports.
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to access mode because each downlink port
connects to a single host that belongs to a single VLAN. Set the port-control
mode to auto (the default) so that a dynamically created VLAN can be
assigned to the port the host is connected to.
NOTE: The configuration to control the VLAN assignment for hosts is done on
the external RADIUS server.
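The VLAN assignment the NOTE refers to arrives in the RADIUS Access-Accept as the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID). The following Python example is added here and is not part of the guide: it decodes those attributes from a constructed Access-Accept attribute blob and applies this example's policy of not forwarding VLANs 1000–2000 on the trunk port. The function and constant names are assumptions for illustration.

```python
"""Decode the RFC 3580 VLAN-assignment attributes in a RADIUS Access-Accept and
apply the trunk-exclusion policy from the example above (added illustration)."""

# RADIUS attribute type codes (RFC 2868) and the values RFC 3580 requires for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
EXCLUDED_ON_TRUNK = range(1000, 2001)   # the administrator's policy in this example


def parse_attributes(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs, checking TLV lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def assigned_vlan(data: bytes):
    """Return the numeric VLAN ID the Access-Accept assigns, or None when the
    attribute triple is absent or inconsistent (the port then keeps its static VLAN).
    VLAN names, which RFC 3580 also permits in Tunnel-Private-Group-ID, are not handled."""
    found = {}
    for atype, value in parse_attributes(data):
        if not value:
            continue
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:4], "big")   # 1-byte tag + 3-byte integer
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00-0x1F is a tunnel tag; anything larger is part of the string.
            found[atype] = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if group and group.isdigit() and 1 <= int(group) <= 4094 else None


def forwarded_on_trunk(vlan: int) -> bool:
    """True if the switch's trunk port should carry this dynamically assigned VLAN."""
    return vlan not in EXCLUDED_ON_TRUNK


def tagged_int(atype: int, value: int) -> bytes:          # constructed attribute encoder
    return bytes([atype, 6, 0]) + value.to_bytes(3, "big")


def group_id(vlan: str) -> bytes:                          # constructed attribute encoder
    body = b"\x00" + vlan.encode("ascii")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body


# Constructed sample: a RADIUS server assigning the connected host to VLAN 1500.
SAMPLE_ACCEPT = tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802) + group_id("1500")
```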