The configuration strategy below shows the configuration commands that LMA supports. All LMA commands can be prefixed with [no]. For port based commands, a VLAN must be created.
-
Create mac-group, ‘ip-phone-grp’ for IP phones. The newly created group becomes editable. So, the user can add/delete mac-oui from the mac-group.
or create mac-group, ‘hpphone-grp’, from the default (factory-shipped) ‘hp-ip-phones’ group
Note: To determine the factory-shipped default mac-groups, use
show port-access local-mac mac-group default
-
Associate mac-address, 005557-9B688B to a mac-group, hpphone-grp
-
Create LMA profile, ip-phone-prof, with attributes, tagged vlan, 2, untagged vlan, 3 and cos 2
-
Associate LMA profile, ip-phone-prof, to a mac-group, hpphone-grp
LMA per-port attributes are used to apply attributes for the clients authenticated through LMA profiles. HP switches support different per-port values for different authentication methods (802.1x, mac-based and web-based) configured on the same port.
-
In this example, a PC is directly connected to a HP 3800 switch series. In addition:
-
The corporate PC MAC is 002622bba7ac, and it should end up in VLAN 2 (Notebook of network administrator)
-
The rest of the corporate PC series MAC is 00:26:22:bb:* and 00:26:22:bc:*, and it should end up in VLAN 3
-
Corporate IP Phones example MAC is 00:80:11:*, and it should end up in VLAN 5 tagged
-
-
In this example, PCs are connected to a meeting room HP 2615 switch series, which is connected to a HP 3800 switch series (Local MAC authentication happens here). In addition:
-
Authentication of the 2615, example MAC is 00:10:80:* and it should end up in VLAN 15 tagged (management traffic)
-
Corporate PC MAC is: 002622bba7ac, and it should end up in VLAN 2 (Notebook of network administrator)
-
Rest of the corporate PC Series MAC is: 002622bb* and 00:26:22:bc:*, and it should end up in VLAN 3
-
Guest PCs: unknown MAC, and it should end up in Guest VLAN 99
-
Corporate IP Phones, example MAC: 00:80:11:*, and it should end up in VLAN 5 tagged
-
WLAN APs, example MAC: 00:80:12:*, and it should end up in VLAN 10 untagged, 12-14 tagged (10 management, 12-14 SSIDs with local break-out)
-
For further authentication of any OUIs, predefined in SwitchOS, group default is not allowed.
-
There is no need to create profiles for Guest PCs as you don’t know the MACs. Configure unauth-vid (explained in step 3 below) so that such a client fails the authentication and is put into guest VLAN.
aaa port-access local-mac profile “corp-switch-prof” vlan tagged 15
(for 2615 switches)
aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3
(for the rest of corporate PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5
(for corporate ip phones)
aaa port-access local-mac profile “wlan-ap-prof” vlan untagged 10 tagged 12-14
(for WLAN APs)
-
aaa port-access local-mac profile “corp-pc-prof” vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile “rest-pc-prof” vlan untagged 3
(for the rest of PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5
(for phones)
-
aaa port-ac local-mac mac-group “corp-pc-grp” mac-addr 002622bba7ac
(for corporate PCs)
aaa port-ac local-mac mac-group “rest-pc-grp” mac-mask 002622bb/32 002622bc/32
(for the rest of PCs)
aaa port-ac local-mac mac-group “corp-phone-grp” mac-oui 008011
(for phones)