Local MAC Authentication

Overview

Local MAC Authentication (LMA) is a software feature that simplifies deployment for devices such as IP phones and security cameras. In general, it provides dynamic attribute assignment (e.g., VLAN and QoS) through the use of a locally configured authentication repository. The most common use model for LMA is to automatically assign a VLAN to IP phones. In some cases, it can also provide rudimentary access security for the network.

While other network technologies (MAC Authentication and IEEE 802.1X) can be used to deploy IP phones, deploying them is complex. LMA, however, is relatively simple to deploy yet offers adequate security for most uses.

Additionally, LMA can be used in environments that deploy a mix of legacy and newer IP phones, even though in the past legacy IP phones did not support newer technologies such as LLDP-MED and IEEE 802.1X.

Concepts

LMA solves dynamic assignment of per-client (MAC address) attributes without having to create RADIUS infrastructure. It also allows the user to define authentication policies based on the MAC OUI and MAC/mask, which simplifies management of devices by removing the need to create a policy on a per-device basis.

LMA is an addition to existing client authentication methods. Users can configure multiple authentication methods (802.1x, LMA, MAC auth (RADIUS), web auth (RADIUS)) on a single port concurrently. When multiple authentication methods are configured on a single port, their precedence, from highest to lowest, is: 802.1x -> LMA -> web auth/MAC auth. This means:

  • When 802.1x and LMA are enabled on a port, the policy configured for 802.1x takes precedence over LMA.

  • When LMA and MAC auth (RADIUS) are enabled on a port, the policy configured for LMA takes precedence over MAC auth (RADIUS).

  • When only LMA is enabled on a port, client access is subject to the LMA profile configuration.

LMA supports defining configuration profiles, called LMA profiles, and mac-groups, which significantly reduce the number of configuration entries during authentication. There are two types of profiles:

  • applied – a profile applied to a mac-group

  • provisioned – a profile not applied to a group, but which the user can use later

LMA mac-groups group different types of MAC entities: mac-address, mac-mask and mac-oui.
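
The following Python model is an added illustration of how the three mac-group entity types resolve a client MAC address to an applied profile; it is not the switch's own implementation or configuration syntax. The group names, profile names, VLAN IDs and MAC values are constructed, and choosing the most specific entry when several match is an assumption the text above does not state.

```python
from dataclasses import dataclass

FULL = 0xFFFFFFFFFFFF  # mask covering all 48 bits of a MAC address

def to_int(text: str, nbytes: int = 6) -> int:
    """Parse hex bytes written with ':', '-' or '.' separators."""
    digits = "".join(c for c in text if c not in ":-.")
    if len(digits) != 2 * nbytes:
        raise ValueError(f"expected {nbytes} bytes: {text!r}")
    return int(digits, 16)

@dataclass(frozen=True)
class Entry:
    kind: str   # one of the entity types named in the text
    value: int
    mask: int

def mac_address(mac):          # exact match on one device
    return Entry("mac-address", to_int(mac), FULL)

def mac_mask(mac, mask):       # match on the bits selected by the mask
    return Entry("mac-mask", to_int(mac), to_int(mask))

def mac_oui(oui):              # an OUI is the first three bytes of the address
    return Entry("mac-oui", to_int(oui, 3) << 24, 0xFFFFFF000000)

# Constructed sample data (hypothetical names, VLAN IDs and addresses).
MAC_GROUPS = {
    "phones": [mac_oui("02:AA:BB"),
               mac_mask("02:CC:00:00:00:00", "FF:FF:F0:00:00:00")],
    "lobby-camera": [mac_address("02:AA:BB:00:00:99")],
}
APPLIED = {"phones": ("voice", {"vlan": 20}),        # profile applied to a mac-group
           "lobby-camera": ("camera", {"vlan": 30})}
PROVISIONED = {"printer": {"vlan": 40}}              # defined, not applied to any group

def lookup(client_mac: str):
    """Return (profile, attributes) of the most specific matching entry, or None."""
    mac = to_int(client_mac)
    best = None
    for group, entries in MAC_GROUPS.items():
        for e in entries:
            if (mac & e.mask) == (e.value & e.mask):
                bits = bin(e.mask).count("1")   # more mask bits = more specific (assumption)
                if best is None or bits > best[0]:
                    best = (bits, APPLIED[group])
    return best[1] if best else None
```

Because a mac-oui entry matches on only the first three bytes, every address carrying that prefix receives the same profile, which is why the overview describes the access security LMA provides as rudimentary.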