Access Security Guide K/KA/KB.15.15

(for the rest of PCs)
aaa port-access local-mac profile corp-phone-prof vlan tagged 5
(for phones)
2. Associate hosts directly to profiles
aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bc/32
aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011
3. Enable LMA on ports
aaa port-ac local-mac-auth <ports>
Overview
Local MAC Authentication (LMA) is a software feature that simplifies deployment for devices such
as IP phones and security cameras. In general, it provides dynamic attribute assignment (e.g.,
VLAN and QoS) through the use of a locally configured authentication repository. The most common
use model for LMA is to automatically assign a VLAN to IP phones. In some cases, it can also
provide rudimentary access security for the network.
While there are other network technologies that can be used to deploy IP phones (MAC
Authentication and IEEE 802.1X), their deployment is complex. LMA, however, is relatively simple to
deploy yet offers adequate security for most uses.
Additionally, LMA can be used in environments that deploy a mix of legacy and newer IP phones,
even though in the past legacy IP phones did not support newer technologies such as LLDP-MED
and IEEE 802.1X.
Concepts
LMA solves dynamic assignment of per-client (MAC address) attributes without having to create a
RADIUS infrastructure. It also allows the user to define authentication policies based on the MAC
OUI and MAC/mask, which simplifies management of devices by removing the need to create a
policy on a per-device basis.
LMA is an addition to the existing client authentication methods. Users can configure multiple
authentication methods (802.1x, LMA, MAC auth (RADIUS), web-auth (RADIUS)) on a single port
concurrently. When multiple authentication methods are configured on a single port, the precedence
of authentication methods, from highest to lowest, is: 802.1x -> LMA -> web auth/MAC auth. This means:
- When 802.1x and LMA are enabled on a port, the policy configured for 802.1x takes
precedence over LMA.
- When LMA and MAC-auth (RADIUS) are enabled on a port, the policy configured for LMA takes
precedence over MAC-auth (RADIUS).
- When only LMA is enabled on a port, client access is subject to the LMA profile
configuration.
LMA supports defining configuration profiles, called LMA profiles, and mac-groups, which significantly
reduce the number of configuration entries needed for authentication. There are two types of profiles:
applied – a profile applied to a mac-group
provisioned – a profile not yet applied to a group, which the user can apply later
LMA mac-groups group different types of MAC entities: mac-address, mac-mask and mac-oui.
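As an added example, not from the guide or the switch firmware, here is a small Python model of the profile matching described above: the mac-addr, mac-mask and mac-oui entries from step 2 of the configuration are turned into bit prefixes and a client MAC is resolved to a profile, which is useful for auditing what a given device would receive. The page does not state how the switch breaks ties between overlapping entries; the model assumes the most specific (longest) prefix wins, which is why the /48 mac-addr entry beats the /32 mask for the same host.

```python
# Added example, not from the guide: a model of how LMA matches a client MAC
# against mac-addr / mac-mask / mac-oui entries. The switch's tie-breaking
# between overlapping entries is not documented on this page; this model
# ASSUMES the most specific (longest-prefix) entry wins.

def _hexdigits(s: str) -> str:
    """Keep only hex digits, so '00:26:22', '0026.22' and '002622' all parse."""
    return "".join(c for c in s.lower() if c in "0123456789abcdef")

def mac_to_int(mac: str) -> int:
    """Parse a 48-bit MAC in any common notation into an int."""
    digits = _hexdigits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def entry_to_prefix(kind: str, value: str):
    """Return (prefix_int, prefix_len) for a mac-addr, mac-mask or mac-oui entry."""
    if kind == "mac-addr":                      # full 48-bit match
        return mac_to_int(value), 48
    if kind == "mac-oui":                       # vendor OUI: first 24 bits
        return int(_hexdigits(value), 16) << 24, 24
    if kind == "mac-mask":                      # 'hexprefix/bits', e.g. 002622bb/32
        hexpart, bits = value.split("/")
        digits, bits = _hexdigits(hexpart), int(bits)
        if not 0 < bits <= 48 or len(digits) * 4 < bits:
            raise ValueError(f"bad mac-mask: {value!r}")
        prefix = int(digits, 16) << (48 - len(digits) * 4)   # left-align to 48 bits
        return prefix & ~((1 << (48 - bits)) - 1), bits      # clear bits past the mask
    raise ValueError(f"unknown entry kind: {kind!r}")

def resolve_profile(client_mac: str, entries):
    """entries: list of (profile, kind, value). Returns the matching profile or None."""
    client = mac_to_int(client_mac)
    best = None                                 # (profile, prefix_len) of best match
    for profile, kind, value in entries:
        prefix, bits = entry_to_prefix(kind, value)
        if client >> (48 - bits) == prefix >> (48 - bits):
            if best is None or bits > best[1]:
                best = (profile, bits)
    return best[0] if best else None

# The host-to-profile associations from step 2 of the configuration above.
LMA_ENTRIES = [
    ("corp-pc-prof",    "mac-addr", "002622bba7ac"),
    ("rest-pc-prof",    "mac-mask", "002622bb/32"),
    ("rest-pc-prof",    "mac-mask", "002622bc/32"),
    ("corp-phone-prof", "mac-oui",  "008011"),
]
```

Call `resolve_profile("00:26:22:bb:12:34", LMA_ENTRIES)` to see that a host inside the 002622bb/32 range but without an exact mac-addr entry falls through to rest-pc-prof.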