Cisco Catalyst 4500 Series Configuration Manual page 1056

Configuring 802.1X Port-Based Authentication
dot1x pae authenticator
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
Scenario 2: Without port level BPDU Guard Configuration (with or without globally enabling BPDU
Guard)
Before Authorization
interface GigabitEthernet5/1
switchport access vlan 81
switchport mode access
dot1x pae authenticator
authentication port-control auto
end
Post Authorization and Application of Internal Macro
interface GigabitEthernet5/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 81
switchport mode trunk
dot1x pae authenticator
authentication port-control auto
spanning-tree portfast trunk
no spanning-tree bpduguard
end
When the authenticator switch receives a device-traffic-class=switch AV pair, the following macro is
applied to the authenticator switch port:
no switchport access vlan $AVID
no switchport nonegotiate
switchport mode trunk
switchport trunk native vlan $AVID
no spanning-tree bpduguard enable
spanning-tree portfast trunk
After the supplicant switch is authenticated as a switch device, the configuration will appear as follows:
interface GigabitEthernet5/23
switchport mode trunk
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast trunk
end
Radius Config (Cisco AV Pair value)
------------------------------------------------------
device-traffic-class=switch
show running-config interface is the only command that informs you that the smart macro has been
applied after the supplicant switch is authenticated:
Switch
Interface
Gi5/23
Switch# show running-configuration interface gi 5/23
Building configuration...
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
44-88
# show authentication session
MAC Address Method
0024.9844.de23 dot1x
Chapter 44 Configuring 802.1X Port-Based Authentication
Domain Status
DATA Authz Success
Session ID
0909117A000000000010561C
OL-25340-01