Configuration commands

The configuration strategy below shows the configuration commands that LMA supports. All LMA commands can be prefixed with [no]. For port based commands, a VLAN must be created.

  1. Enable local mac authentication on switch port ‘1’

    switch(config)#aaa port-access local-mac 1
  2. Create mac-group, ‘ip-phone-grp’ for IP phones. The newly created group becomes editable. So, the user can add/delete mac-oui from the mac-group.

    switch(config)#aaa port-access local-mac mac-group ip-phone-grp

    or create mac-group, ‘hpphone-grp’, from the default (factory-shipped) ‘hp-ip-phones’ group

    switch(config)#aaa port-access local-mac mac-group default hp-ip-phones hpphones-grp

    Note: To determine the factory-shipped default mac-groups, use

    show port-access local-mac mac-group default
  3. Associate mac-address, 005557-9B688B to a mac-group, hpphone-grp

    switch(config)#aaa port-access local-mac mac-group hpphones-grp mac-addr005557-9B688B
  4. Create LMA profile, ip-phone-prof, with attributes, tagged vlan, 2, untagged vlan, 3 and cos 2

    switch(config)#aaa port-access local-mac profile ip-phone-prof vlan tagged 2 untagged 3 CoS2
  5. Associate LMA profile, ip-phone-prof, to a mac-group, hpphone-grp

    switch(config)#aaa port-access local-mac apply profile ip-phone-prof mac-group hpphone-grp

Per-port attributes

LMA per-port attributes are used to apply attributes for the clients authenticated through LMA profiles. Switches support different per-port values for different authentication methods (802.1X, mac-based and web-based) configured on the same port.

  • Configure unauthenticated period

    switch(config)#aaa port-access local-mac 1 unauth-period 300
  • Configure quiet period

    switch(config)#aaa port-access local-mac 1 quiet-period 70

    Configure logoff period

    switch(config)#aaa port-access local-mac 1 logoff-period 400

    Configure AuthVid

    switch(config)#aaa port-access local-mac 1 auth-vid 10
  • Configure UnauthVid

    switch(config)#aaa port-access local-mac 1 unauth-vid 12
  • Configure address limit on a port

    switch(config)#aaa port-access local-mac 1 addr-limit 2
  • Re-authenticate clients on a port

    switch(config)#aaa port-access local-mac 1 reauthenticate
  • Un-configure LMA on a port

    switch(config)#no aaa port-access local-mac 1

Configuration examples

Configuration example 1

  • In this example, a PC is directly connected to a 3800 switch series. In addition:

    • The corporate PC MAC is 002622bba7ac, and belongs to VLAN 2 (Notebook of network administrator)

    • The rest of the corporate PC series MACs are 00:26:22:bb:* and 00:26:22:bc:*, and belong to VLAN 3

    • The corporate IP phone example MAC is 00:80:11:*, and belongs to VLAN 5 tagged

Configuration example 2

  • In this example, PCs are connected to a meeting room HPE 2615 switch series, which is connected to a 3800 switch series where local MAC authentication occurs. In addition:

    • Authentication of the 2615, example MAC is 00:10:80:* belongs to VLAN 15 tagged (management traffic)

    • The corporate PC MAC is: 002622bba7ac, and belongs to VLAN 2 (Notebook of network administrator)

    • The rest of the corporate PC Series MACs are : 002622bb* and 00:26:22:bc:*, and belong to VLAN 3

    • The guest PC is an unknown MAC, and belongs to Guest VLAN 99

    • The corporate IP phones, is MAC: 00:80:11:*, and belongs to VLAN 5 tagged

    • The WLAN AP MAC is : 00:80:12:*, and belongs to VLAN 10 untagged, 12-14 tagged (10 management, 12-14 SSIDs with local break-out)

For further authentication of any OUIs, predefined in SwitchOS, group default is not allowed.

  1. Create 5 LMA profiles

    There is no need to create profiles for Guest PCs as you don’t know the MACs. Configure unauth-vid (explained in step 3 below) so that such a client fails the authentication and is put into guest VLAN.

    aaa port-access local-mac profile “corp-switch-prof” vlan tagged 15

    (for 2615 switches)

    aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2

    (for corporate PCs)

    aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3

    (for the rest of corporate PCs)

    aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5

    (for corporate ip phones)

    aaa port-access local-mac profile “wlan-ap-prof” vlan untagged 10 tagged 12-14 

    (for WLAN APs)

  2. Associate MACs to these profiles

    aaa port-ac local-mac apply profile corp-switch-prof mac-oui 001080

    aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac

    aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32 mac-mask 002622bc/32

    aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011

    aaa port-ac local-mac apply profile “wlan-ap-prof” mac-oui 008012

  3. Configure guest VLAN

    aaa port-ac local-mac <ports> unauth-vid 99

  4. Enable LMA on ports

    aaa port-ac local-mac <ports>

Configuration using mac-groups

  1. Create 3 LMA profiles

    aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2

    (for corporate PCs)

    aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3

    (for the rest of PCs)

    aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5

    (for phones)

  2. Create 3 different mac-groups

    aaa port-ac local-mac mac-group “corp-pc-grp” mac-addr  002622bba7ac

    (for corporate PCs)

    aaa port-ac local-mac mac-group “rest-pc-grp” mac-mask  002622bb/32  002622bc/32

    (for the rest of PCs)

    aaa port-ac local-mac mac-group “corp-phone-grp” mac-oui  008011

    (for phones)

  3. Associate groups to profiles

    aaa port-ac local-mac apply profile corp-pc-prof mac-group  corp-pc-grp

    aaa port-ac local-mac apply profile rest-pc-prof mac-group  rest-pc-grp

    aaa port-ac local-mac apply profile corp-phone-prof mac-group  corp-phone-grp

  4. Enable LMA on ports

    aaa port-ac local-mac-auth <ports>

Configuration without using mac-groups

  1. Create 3 LMA profiles

    aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2

    (for corporate PCs)

    aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3

    (for the rest of PCs)

    aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5

    (for phones)

  2. Associate hosts directly to profiles

    aaa port-ac local-mac apply profile corp-pc-prof   mac-addr   002622bba7ac

    aaa port-ac local-mac apply profile rest-pc-prof   mac-mask 002622bb/32

    aaa port-ac local-mac apply profile rest-pc-prof  mac-mask  002622bc/32

    aaa port-ac local-mac apply profile corp-phone-prof   mac-oui  008011

  3. Enable LMA on ports

    aaa port-ac local-mac-auth <ports>