Hello,
I think you need the feature that is called "port-mode" or "port-based" authentication. When the authentication is configured in port-mode, after the succesful authentication of one user the port is opened for all users. In user-mode on the contrary when a user authenticates the port allows only traffic with the source mac of this user, all other macs are blocked.
For 802.1x you configure port-based mode by disabling the client limit (no client-limit), for RADIUS based MAC authentication it is done by a special VSA returned by the RADIUS server.
I think with local MAC it should be possible to do this if you are using a user-role instead of profile. You can use either profile or user-role for configuring the authorization attributes (VLAN, cos, etc)
LeftAcessSw(config)# aaa port-access local-mac apply ?
profile Enter a profile.
user-role Enter a user role.
And as an attribute of a local user-role you can specify port-mode
LeftAcessSw(config)# aaa authorization user-role name User1 device port-mode
Here are the other options of a user-role
LeftAcessSw(config)# aaa authorization user-role name User1 ?
cached-reauth-period The value indicates the period in seconds, during which
cached reauthentication is allowed on the port.
captive-portal-pro... Assign a captive portal profile for this role.
device Set the device specific configuration in user-role.
logoff-period The inactivity period in seconds with either 0 or
60-9999999 for the authenticated client for an implicit
logoff.
policy Set a user policy for this role.
reauth-period Set the reauthentication period in seconds or 0 to
disable.
tunneled-node-serv... Configures traffic redirect to user-based tunnel.
vlan-id Set the untagged VLAN that users will be assigned to.
vlan-id-tagged Set the tagged VLAN that users will be assigned to.
vlan-name Set the untagged VLAN name that users will be assigned
to.
vlan-name-tagged Set the tagged VLAN name that users will be assigned to.
<cr>
You will have to enable user-roles on the switch globally for this to work (aaa authorization user-role enable) and this introduces some restrictions and limitations regarding legacy security feautures. You can read more in the manual.
You can also use a device-profile instead of local-mac authentication, here you can also specify port-mode.
LeftAcessSw(config)# device-profile name AP mode ?
client-mode Configure the device connected port as client mode.
port-mode Configure the device connected port as port mode.
The configuration of device-profiles is also explained in the manual. If you are using LLDP OUI for device-identity you have to keep in mind that this is the OUI used in TLV 127 of the LLDP packet, not the OUI of the device mac.
This is the latest Access Security Guide for 2930 where you should be able to answer all your question.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us
Where can I find a simple instruction for implementing 802.1x on a switch for an access point?
If you want to use 802.1x authentication for AP which is egressing the wireless traffic locally (not tunneling to any controller) like mentioned above you should configure 802.1x in port-mode. You are doing this by disabling the client limit. Here an example (this is only port configuration, skipping RADIUS configuration and global 802.1x configuration as they are the same as for normal 802.1x users.
LeftAcessSw(config)# aaa port-access authenticator 1
LeftAcessSw(config)# no aaa port-access authenticator 1 client-limit
Hello,
I am sorry, this was not obvious in the manual and I didnt have to do it by now. Please have a look at the device-profile option and test if it will allow to specify port-mode.
If I am not wrong this switch should support 802.1x authentication without RADIUS server, that means using local-users on the switch itself. So maybe this would be another option.
LeftAcessSw(config)# aaa authentication port-access ?
local Use local switch user/password database.
eap-radius Use EAP capable RADIUS server.
chap-radius Use CHAP (MD5) capable RADIUS server.
Unfortunately I dont have experience with it and cannot find config examples.