Thursday, March 5, 2015

Local MAC Authentication in HP ProCurve Switches (K/KA.15.14)

Local MAC Authentication (LMA) performs MAC address-based authentication locally on the switch (as opposed to MAC authentication against a RADIUS server). Based on this authentication, devices can be assigned to the appropriate VLANs and, optionally, given CoS values. Using a MAC OUI or a MAC mask allows multiple devices to be grouped under one single policy.

Configuring LMA using MAC groups:

Create MAC groups and assign MAC addresses to each group. In the following example:

- The first MAC group ("admin-pc-grp") is assigned one single MAC address.
- The second MAC group ("corp-pcs-grp") is assigned 2 address ranges, each determined by the first 32 bits of the address.
- The third MAC group ("corp-phones-grp") is assigned all addresses sharing the same 24-bit OUI part of the MAC address.

HP-5406zl(config)# aaa port-access local-mac mac-group "admin-pc-grp" mac-addr 005056840161
HP-5406zl(config)# aaa port-access local-mac mac-group "corp-pcs-grp" mac-mask 002622bb/32 002622bc/32
HP-5406zl(config)# aaa port-access local-mac mac-group "corp-phones-grp" mac-oui 008011

Create LMA profiles. In each profile, attributes such as the VLAN (tagged or untagged) and a QoS setting (CoS priority, i.e. the 802.1p value) can be assigned.

HP-5406zl(config)# aaa port-access local-mac profile "admin-pc-prof" vlan untagged 2 cos 5
HP-5406zl(config)# aaa port-access local-mac profile "corp-pcs-prof" vlan untagged 3
HP-5406zl(config)# aaa port-access local-mac profile "corp-phones-prof" vlan tagged 5 cos 6

Link profiles to MAC groups (note the hyphenated keyword local-mac, which is the same keyword used in the other commands):

HP-5406zl(config)# aaa port-access local-mac apply profile admin-pc-prof mac-group admin-pc-grp
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-group corp-pcs-grp
HP-5406zl(config)# aaa port-access local-mac apply profile corp-phones-prof mac-group corp-phones-grp

Enable LMA on the port(s), here port A1:

HP-5406zl(config)# aaa port-access local-mac a1

Configuring LMA without MAC groups:

Create LMA profiles just like in the previous section (using MAC groups). Again, in each profile attributes such as the VLAN (tagged or untagged) and a QoS setting (CoS priority, i.e. the 802.1p value) can be assigned.

HP-5406zl(config)# aaa port-access local-mac profile "admin-pc-prof" vlan untagged 2 cos 5
HP-5406zl(config)# aaa port-access local-mac profile "corp-pcs-prof" vlan untagged 3
HP-5406zl(config)# aaa port-access local-mac profile "corp-phones-prof" vlan tagged 5 cos 6

Link MAC addresses directly to profiles (one address, mask or OUI per command):

HP-5406zl(config)# aaa port-access local-mac apply profile admin-pc-prof mac-addr 005056840161
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-mask 002622bb/32
HP-5406zl(config)# aaa port-access local-mac apply profile corp-pcs-prof mac-mask 002622bc/32
HP-5406zl(config)# aaa port-access local-mac apply profile corp-phones-prof mac-oui 008011

Enable LMA on the port(s), here port A1:

HP-5406zl(config)# aaa port-access local-mac a1

Question: What is the difference between LMA configuration using MAC groups and not using MAC groups?
Answer: LMA configuration without MAC groups is a shortcut, useful when only a few MAC addresses share the same profile. When many MAC addresses need to be put under the same profile, MAC groups are recommended to avoid confusion.

LMA Monitoring:

After the LMA configuration shown above, when the client with MAC address 005056840161 connects to the port on which LMA is enabled, it will be granted access. To monitor LMA, enter the following command:

HP-5406zl(config)# show port-access local-mac active

In the output, the authenticated client appears in VLAN 2 as untagged with a CoS priority value of 5, exactly as configured in the profile associated with that MAC address.

Other Features:

- The default MAC address format is no-delimiter, for example "002622bba7ac" as shown in the previous examples. To change the MAC address format, use the command (the format keyword is given as a placeholder here):

HP-5406zl(config)# aaa port-access mac-based addr-format <format>

MAC address format options include: no-delimiter (default), single-dash, multi-dash, multi-colon, no-delimiter-uppercase, single-dash-uppercase, multi-dash-uppercase, multi-colon-uppercase.

- By default, clients that cannot be authenticated will be dropped. However, an unauthenticated VLAN can be configured for these clients to access limited services. The administrator must implement measures to isolate the unauthenticated VLAN from restricted resources.

HP-5406zl(config)# aaa port-access local-mac unauth-vid 99

- On the other hand, if a client is successfully authenticated yet does not have a VLAN assignment in its profile, then it will be moved to an authorized VLAN which can be configured as below:

HP-5406zl(config)# aaa port-access local-mac auth-vid 10

- A number of per-port parameters can also be changed from their default values: addr-limit (maximum number of authenticated local MAC addresses), logoff-period (period of inactivity after which the switch considers the client implicitly logged off), quiet-period (period during which the switch does not try to authenticate), and unauth-period (period the switch waits before moving the port to the VLAN for unauthenticated clients). For example:

HP-5406zl(config)# aaa port-access local-mac unauth-period 320

- When multiple authentication methods are configured concurrently on a single port, the order of precedence is: 802.1X, LMA, and Web Authentication / MAC Authentication.
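The following is an added example, not code from the original post or from HP: a small Python model of the LMA decision described in the MAC-group section and in the feature list above. It reproduces the three group types (mac-addr, mac-mask with a prefix length, mac-oui), the profile VLAN/CoS assignment, the auth-vid and unauth-vid fallbacks, and the eight addr-format values, so that a planned rule set can be checked offline before it is typed into a switch. Group and profile values are taken from the post; the "guest-prof" profile, its rule and the client MACs marked as constructed are made up for the demo. First-match-wins ordering and an untagged auth-vid are assumptions of this model, not statements from the page.

```python
"""Offline model of HP ProCurve Local MAC Authentication matching (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Chunk size and separator for each base addr-format listed in the post.
_CHUNK = {"no-delimiter": 12, "single-dash": 6, "multi-dash": 2, "multi-colon": 2}
_SEP = {"no-delimiter": "", "single-dash": "-", "multi-dash": "-", "multi-colon": ":"}


def normalize_mac(mac: str) -> str:
    """Drop any delimiter and lowercase: '00:80:9F:12:34:56' -> '00809f123456'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def format_mac(mac: str, addr_format: str = "no-delimiter") -> str:
    """Render a MAC in one of the eight addr-format values (base or base-uppercase)."""
    upper = addr_format.endswith("-uppercase")
    base = addr_format[: -len("-uppercase")] if upper else addr_format
    if base not in _CHUNK:
        raise ValueError(f"unknown addr-format: {addr_format!r}")
    digits = normalize_mac(mac)
    size = _CHUNK[base]
    rendered = _SEP[base].join(digits[i : i + size] for i in range(0, 12, size))
    return rendered.upper() if upper else rendered


@dataclass
class Profile:
    name: str
    vlan: Optional[int] = None   # None -> no VLAN in profile, fall back to auth-vid
    tagged: bool = False
    cos: Optional[int] = None


@dataclass
class Rule:
    kind: str      # "mac-addr", "mac-mask" or "mac-oui"
    value: str     # e.g. "005056840161", "002622bb/32" or "008011"
    profile: str   # name of the profile the group/address is applied to


def rule_matches(rule: Rule, mac: str) -> bool:
    """Does the client MAC fall under the rule (exact, prefix-length or OUI match)?"""
    m = normalize_mac(mac)
    if rule.kind == "mac-addr":
        return m == normalize_mac(rule.value)
    if rule.kind == "mac-oui":
        return m[:6] == rule.value.lower()          # OUI = first 24 bits
    if rule.kind == "mac-mask":
        prefix, length = rule.value.split("/")
        bits = int(length)
        if not 0 < bits <= 48 or len(prefix) > 12:
            raise ValueError(f"bad mac-mask: {rule.value!r}")
        mask = ((1 << bits) - 1) << (48 - bits)     # leading `bits` bits of 48
        want = int(prefix.ljust(12, "0"), 16) & mask
        return (int(m, 16) & mask) == want
    raise ValueError(f"unknown rule kind: {rule.kind!r}")


# (result, profile name, vlan, tagged, cos); result is "authenticated",
# "unauthenticated" (placed in unauth-vid) or "dropped" (no unauth-vid set).
Decision = Tuple[str, Optional[str], Optional[int], bool, Optional[int]]


def authenticate(mac: str, rules: List[Rule], profiles: Dict[str, Profile],
                 auth_vid: Optional[int] = None, unauth_vid: Optional[int] = None) -> Decision:
    """Resolve one client MAC to the VLAN/CoS the switch would apply."""
    for rule in rules:                              # assumption: first matching rule wins
        if rule_matches(rule, mac):
            p = profiles[rule.profile]
            if p.vlan is not None:
                return ("authenticated", p.name, p.vlan, p.tagged, p.cos)
            return ("authenticated", p.name, auth_vid, False, p.cos)   # auth-vid assumed untagged
    if unauth_vid is not None:
        return ("unauthenticated", None, unauth_vid, False, None)
    return ("dropped", None, None, False, None)


def page_config() -> Tuple[List[Rule], Dict[str, Profile]]:
    """The groups/profiles from the post, plus a constructed 'guest-prof' that sets no VLAN."""
    profiles = {
        "admin-pc-prof": Profile("admin-pc-prof", vlan=2, cos=5),
        "corp-pcs-prof": Profile("corp-pcs-prof", vlan=3),
        "corp-phones-prof": Profile("corp-phones-prof", vlan=5, tagged=True, cos=6),
        "guest-prof": Profile("guest-prof", cos=1),                 # constructed
    }
    rules = [
        Rule("mac-addr", "005056840161", "admin-pc-prof"),
        Rule("mac-mask", "002622bb/32", "corp-pcs-prof"),
        Rule("mac-mask", "002622bc/32", "corp-pcs-prof"),
        Rule("mac-oui", "008011", "corp-phones-prof"),
        Rule("mac-mask", "0011aa/24", "guest-prof"),                # constructed
    ]
    return rules, profiles


if __name__ == "__main__":
    rules, profiles = page_config()
    # Client MACs: the first is from the post, the rest are constructed.
    for client in ("00:50:56:84:01:61", "002622bc1234", "00-80-11-aa-bb-cc",
                   "0011aa000001", "deadbeef0000"):
        print(client, authenticate(client, rules, profiles, auth_vid=10, unauth_vid=99))
    print(format_mac("00:80:9F:12:34:56", "no-delimiter-uppercase"))
```

The mac-mask branch is the general case: a /24 mask behaves like mac-oui and a /48 mask like mac-addr, which is why a single prefix-length comparison covers all three group types. Running the script with unauth_vid left at None shows the default behaviour from the feature list (unknown clients are dropped), and format_mac makes the addr-format mismatch from the comment below visible: the same client renders as 00809F123456 under no-delimiter-uppercase but as 00:80:9f:12:34:56 under multi-colon.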

2 comments:

  1. Hello folks, I am facing an issue with MAC address authentication. This is the setup from the switch:
    aaa port-access mac-based 9
    aaa port-access mac-based 9 reauth-period 10
    aaa port-access mac-based addr-format no-delimiter-uppercase
    So I expected that the device will send its MAC address in ABCDABCDABCD format; however, on ISE (RADIUS server) I see that the request comes from 00:80:9F:XX:XX:XX,
    thus authentication failed and the user was not able to connect.
    I tried to save the config and reboot the switch, nothing helps. Any suggestions please?

    switch info: J9087A, #R.11.70
