Users Guide

Authentication, Authorization, and Accounting
To configure the switch:
1. Create the VLANs and configure the VLAN names.
console(config)#vlan 100
console(config-vlan100)#name Authorized
console(config-vlan100)#exit
console(config)#vlan 200
console(config-vlan200)#name Unauthorized
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Guest
console(config-vlan300)#exit
2. Configure information about the external RADIUS server the switch uses
to authenticate clients. The RADIUS server IP address is 10.10.10.10, and
the global shared secret is qwerty123. The RADIUS server is configured
into the default group.
console(config)#radius server key qwerty123
console(config)#radius server auth 10.10.10.10
console(config-auth-radius)#exit
3. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
4. Create a default authentication login list and use the RADIUS server for
port-based authentication for connected clients.
console(config)#aaa authentication dot1x default radius
5. Allow the switch to accept VLAN assignments from the RADIUS server.
console(config)#aaa authorization network default radius
6. Enter interface configuration mode for the downlink ports.
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to access mode because each downlink port
connects to a device that belongs to a single VLAN. Other devices (such
as WAP clients) may authenticate with the switch after the directly
connected device authenticates, so the host mode is set to multi-auth.
Set the port control mode to auto (the default) to allow VLAN
assignment from the RADIUS server.
console(config-if)#switchport mode access
console(config-if)#authentication port-control auto