Concepts

LMA solves dynamic assignment of per client (mac-address) attributes without having to create RADIUS infrastructure. It also allows the user to define authentication polices based on the MAC OUI and MAC/mask, which simplifies management of devices by removing the need to create a policy on a per device basis.

LMA is an addition to existing client authentication methods. Users can configure multiple authentication methods (802.1X, LMA, Mac auth (radius), web-auth (radius)) on a single port concurrently. When multiple authentication methods are configured on a single port the precedence of authentication methods is (right to left): 802.1X -> LMA -> web auth/Mac auth. This means:

When 802.1X and LMA are enabled on a port, the policy configured for 802.1X takes precedence over LMA.
When LMA and Mac-auth (radius) are enabled on a port, the policy configured for LMA takes precedence over Mac-auth radius.
When only LMA is enabled on a port, client access is subjected to the LMA profile configuration.

LMA supports defining configuration profiles called LMA profiles and mac-groups, which significantly reduce the number of configuration entries during Authentication. There are two types of profiles:

applied – a profile applied to a mac-group
provisioned – a profile not applied to a group, however the user can use this profile later

LMA mac-groups group different types of mac entities - mac-address, mac-mask and mac-oui.