49-90
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
Figure 49-17 Specifying the Cisco AV Pair
Starting with Cisco IOS XE Release 3.2.0 SG (15.0(2)SG) the spanning-tree bpduguard feature is automatically disabled or
enabled as part of a macro provided it was previously enabled in the port configuration. If the configuration did not have BPDU
Guard enabled before the supplicant switch was authenticated, the spanning-tree bpduguard feature is not applied to the macro.
Note Disabling spanning-tree bpduguard happens only if it was previously enabled through the port level
command. Enabling it globally without a specific port level CLI prevents NEAT from disabling it on the
port after the authenticator switch receives a device-traffic-class=switch AV Pair and applies the macro.
There are 2 scenarios:
Scenario 1: With Port Level BPDU Guard Configuration
Before Authorization
interface GigabitEthernet5/1
switchport access vlan 81
switchport mode access
dot1x pae authenticator
authentication port-control auto
spanning-tree bpduguard enable
end
Post Authorization and Application of Internal Macro
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 81
switchport mode trunk
dot1x pae authenticator
To Next Page
Loading...
