Configuration commands
The configuration strategy below shows the configuration commands that LMA supports. All LMA commands can be prefixed with [no]. For port based commands, a VLAN must be created.
Enable local mac authentication on switch port ‘1’
switch(config)#aaa port-access local-mac 1
Create mac-group, ‘ip-phone-grp’ for IP phones. The newly created group becomes editable. So, the user can add/delete mac-oui from the mac-group.
switch(config)#aaa port-access local-mac mac-group ip-phone-grp
or create mac-group, ‘hpphone-grp’, from the default (factory-shipped) ‘hp-ip-phones’ group
switch(config)#aaa port-access local-mac mac-group default hp-ip-phones hpphones-grp
Note: To determine the factory-shipped default mac-groups, use
show port-access local-mac mac-group default
Associate mac-address, 005557-9B688B to a mac-group, hpphone-grp
switch(config)#aaa port-access local-mac mac-group hpphones-grp mac-addr005557-9B688B
Create LMA profile, ip-phone-prof, with attributes, tagged vlan, 2, untagged vlan, 3 and cos 2
switch(config)#aaa port-access local-mac profile ip-phone-prof vlan tagged 2 untagged 3 CoS2
Associate LMA profile, ip-phone-prof, to a mac-group, hpphone-grp
switch(config)#aaa port-access local-mac apply profile ip-phone-prof mac-group hpphone-grp
Per-port attributes
LMA per-port attributes are used to apply attributes for the clients authenticated through LMA profiles. Switches support different per-port values for different authentication methods (802.1X, mac-based and web-based) configured on the same port.
Configure unauthenticated period
switch(config)#aaa port-access local-mac 1 unauth-period 300
Configure quiet period
switch(config)#aaa port-access local-mac 1 quiet-period 70
Configure logoff period
switch(config)#aaa port-access local-mac 1 logoff-period 400
Configure AuthVid
switch(config)#aaa port-access local-mac 1 auth-vid 10
Configure UnauthVid
switch(config)#aaa port-access local-mac 1 unauth-vid 12
Configure address limit on a port
switch(config)#aaa port-access local-mac 1 addr-limit 2
Re-authenticate clients on a port
switch(config)#aaa port-access local-mac 1 reauthenticate
Un-configure LMA on a port
switch(config)#no aaa port-access local-mac 1
Configuration examples
Configuration example 1
In this example, a PC is directly connected to a 3800 switch series. In addition:
The corporate PC MAC is 002622bba7ac, and belongs to VLAN 2 (Notebook of network administrator)
The rest of the corporate PC series MACs are 00:26:22:bb:* and 00:26:22:bc:*, and belong to VLAN 3
The corporate IP phone example MAC is 00:80:11:*, and belongs to VLAN 5 tagged
Configuration example 2
In this example, PCs are connected to a meeting room HPE 2615 switch series, which is connected to a 3800 switch series where local MAC authentication occurs. In addition:
Authentication of the 2615, example MAC is 00:10:80:* belongs to VLAN 15 tagged (management traffic)
The corporate PC MAC is: 002622bba7ac, and belongs to VLAN 2 (Notebook of network administrator)
The rest of the corporate PC Series MACs are : 002622bb* and 00:26:22:bc:*, and belong to VLAN 3
The guest PC is an unknown MAC, and belongs to Guest VLAN 99
The corporate IP phones, is MAC: 00:80:11:*, and belongs to VLAN 5 tagged
The WLAN AP MAC is : 00:80:12:*, and belongs to VLAN 10 untagged, 12-14 tagged (10 management, 12-14 SSIDs with local break-out)
For further authentication of any OUIs, predefined in SwitchOS, group default is not allowed.
Create 5 LMA profiles
There is no need to create profiles for Guest PCs as you don’t know the MACs. Configure unauth-vid (explained in step 3 below) so that such a client fails the authentication and is put into guest VLAN.
aaa port-access local-mac profile “corp-switch-prof” vlan tagged 15
(for 2615 switches)
aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3
(for the rest of corporate PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5
(for corporate ip phones)
aaa port-access local-mac profile “wlan-ap-prof” vlan untagged 10 tagged 12-14
(for WLAN APs)
Associate MACs to these profiles
aaa port-ac local-mac apply profile corp-switch-prof mac-oui 001080
aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32 mac-mask 002622bc/32
aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011
aaa port-ac local-mac apply profile “wlan-ap-prof” mac-oui 008012
Configure guest VLAN
aaa port-ac local-mac <ports> unauth-vid 99
Enable LMA on ports
aaa port-ac local-mac <ports>
Configuration using mac-groups
Create 3 LMA profiles
aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3
(for the rest of PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5
(for phones)
Create 3 different mac-groups
aaa port-ac local-mac mac-group “corp-pc-grp” mac-addr 002622bba7ac
(for corporate PCs)
aaa port-ac local-mac mac-group “rest-pc-grp” mac-mask 002622bb/32 002622bc/32
(for the rest of PCs)
aaa port-ac local-mac mac-group “corp-phone-grp” mac-oui 008011
(for phones)
Associate groups to profiles
aaa port-ac local-mac apply profile corp-pc-prof mac-group corp-pc-grp
aaa port-ac local-mac apply profile rest-pc-prof mac-group rest-pc-grp
aaa port-ac local-mac apply profile corp-phone-prof mac-group corp-phone-grp
Enable LMA on ports
aaa port-ac local-mac-auth <ports>
Configuration without using mac-groups
Create 3 LMA profiles
aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3
(for the rest of PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5
(for phones)
Associate hosts directly to profiles
aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bc/32
aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011
Enable LMA on ports
aaa port-ac local-mac-auth <ports>