49-91
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
Scenario 2: Without port level BPDU Guard Configuration (with or without globally enabling BPDU Guard)
Before Authorization
interface GigabitEthernet5/1
switchport access vlan 81
switchport mode access
dot1x pae authenticator
authentication port-control auto
end
Post Authorization and Application of Internal Macro
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 81
switchport mode trunk
dot1x pae authenticator
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
When the authenticator switch receives a device-traffic-class=switch AV pair, the following macro is applied to the
authenticator switch port:
no switchport access vlan $AVID
no switchport nonegotiate
switchport mode trunk
switchport trunk native vlan $AVID
no spanning-tree bpduguard enable
spanning-tree portfast trunk
After the supplicant switch is authenticated as a switch device, the configuration will appear as follows:
interface GigabitEthernet5/23
switchport mode trunk
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast trunk
end
Radius Config (Cisco AV Pair value)
------------------------------------------------------
device-traffic-class=switch
show running-config interface is the only command that informs you that the smart macro has been applied after the
supplicant switch is authenticated:
Switch
# show authentication session
Interface MAC Address Method Domain Status Session ID
Gi5/23 0024.9844.de23 dot1x DATA Authz Success 0909117A000000000010561C
Switch# show running-configuration interface gi 5/23
Building configuration...
Current configuration : 149 bytes
!
To Next Page
Loading...
