Cisco Catalyst 4500 series Administration Manual page 1230

Configuring 802.1X Port-Based Authentication
interface GigabitEthernet5/1
switchport access vlan 81
switchport mode access
dot1x pae authenticator
authentication port-control auto
spanning-tree bpduguard enable
end
Post Authorization and Application of Internal Macro
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 81
switchport mode trunk
dot1x pae authenticator
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
Scenario 2: Without port level BPDU Guard Configuration (with or without globally enabling BPDU
Guard)
Before Authorization
interface GigabitEthernet5/1
switchport access vlan 81
switchport mode access
dot1x pae authenticator
authentication port-control auto
end
Post Authorization and Application of Internal Macro
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 81
switchport mode trunk
dot1x pae authenticator
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
When the authenticator switch receives a device-traffic-class=switch AV pair, the following macro is
applied to the authenticator switch port:
no switchport access vlan $AVID
no switchport nonegotiate
switchport mode trunk
switchport trunk native vlan $AVID
no spanning-tree bpduguard enable
spanning-tree portfast trunk
After the supplicant switch is authenticated as a switch device, the configuration will appear as follows:
interface GigabitEthernet5/23
switchport mode trunk
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast trunk
end
Radius Config (Cisco AV Pair value)
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
46-92
Chapter 46 Configuring 802.1X Port-Based Authentication
OL_28731-01