Administrator Guide
Authentication, Authorization, and Accounting 353
console(config-if)#switchport mode access
console(config-if)#dot1x port-control auto
console(config-if)#exit
8. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9. Disable 802.1X authentication on the interface. This causes the port to
transition to the authorized state without any authentication exchange
required. This port does not connect to any end-users, so there is no need
for 802.1X-based authentication.
console(config-if-Gi1/0/24)#dot1x port-control force-authorized
10. Set the uplink port to trunk mode so that it accepts tagged traffic and
transmits it to the connected device (another switch or router). The trunk
port will automatically become a member of any dynamically created
VLANs unless configured to exclude them.
console(config-if-Gi1/0/24)#switchport mode trunk
11. Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN
from 1000–2000, inclusive.
console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
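The following Python script is an added example, not part of this guide or the switch software. It audits pasted configuration text for the two conditions the steps above establish: force-authorized appears only on a trunk port, and every trunk removes VLANs 1000-2000. The function names and SAMPLE_CONFIG are constructed for illustration, and treating force-authorized on a non-trunk port as a finding is an assumption drawn from this example's design.

```python
import re

# Constructed sample. The Gi1/0/24 block reuses the prompts shown above;
# the other blocks are assumed to appear as bare command lines.
SAMPLE_CONFIG = """\
interface Gi1/0/1
switchport mode access
dot1x port-control auto
exit
interface Gi1/0/2
switchport mode access
dot1x port-control force-authorized
exit
console(config)#interface Gi1/0/24
console(config-if-Gi1/0/24)#dot1x port-control force-authorized
console(config-if-Gi1/0/24)#switchport mode trunk
console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
"""

def parse_interfaces(text):
    """Return {interface name: [command lines]} for each interface block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop a CLI prompt if present
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line == "exit":
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def audit(text, vlan_range="1000-2000"):
    """Flag ports that skip 802.1X off-trunk, and trunks left unpruned."""
    findings = []
    for name, cmds in parse_interfaces(text).items():
        trunk = "switchport mode trunk" in cmds
        forced = "dot1x port-control force-authorized" in cmds
        pruned = f"switchport trunk allowed vlan remove {vlan_range}" in cmds
        if forced and not trunk:
            findings.append((name, "force-authorized on a non-trunk port"))
        if trunk and not pruned:
            findings.append((name, f"trunk does not remove VLANs {vlan_range}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```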
Configuring Authentication Server DiffServ Policy Assignments
To enable DiffServ policy assignment by an external server, the following
conditions must be true:
• The port that the host is connected to must be enabled for MAC-based
port access control by using the following command in Interface Config
mode:
dot1x port-control mac-based
• The RADIUS or 802.1X server must specify the name of the policy to
assign.
For example, if the DiffServ policy to assign is named internet_access,
include the following attribute in the RADIUS server configuration:
Filter-id (11) = "internet_access"