Hello,
I think you need the feature that is called "port-mode" or "port-based" authentication. When the authentication is configured in port-mode, after the succesful authentication of one user the port is opened for all users. In user-mode on the contrary when a user authenticates the port allows only traffic with the source mac of this user, all other macs are blocked.
For 802.1x you configure port-based mode by disabling the client limit (no client-limit), for RADIUS based MAC authentication it is done by a special VSA returned by the RADIUS server.
I think with local MAC it should be possible to do this if you are using a user-role instead of profile. You can use either profile or user-role for configuring the authorization attributes (VLAN, cos, etc)
LeftAcessSw(config)# aaa port-access local-mac apply ?
profile Enter a profile.
user-role Enter a user role.
And as an attribute of a local user-role you can specify port-mode
LeftAcessSw(config)# aaa authorization user-role name User1 device port-mode
Here are the other options of a user-role
LeftAcessSw(config)# aaa authorization user-role name User1 ?
cached-reauth-period The value indicates the period in seconds, during which
cached reauthentication is allowed on the port.
captive-portal-pro... Assign a captive portal profile for this role.
device Set the device specific configuration in user-role.
logoff-period The inactivity period in seconds with either 0 or
60-9999999 for the authenticated client for an implicit
logoff.
policy Set a user policy for this role.
reauth-period Set the reauthentication period in seconds or 0 to
disable.
tunneled-node-serv... Configures traffic redirect to user-based tunnel.
vlan-id Set the untagged VLAN that users will be assigned to.
vlan-id-tagged Set the tagged VLAN that users will be assigned to.
vlan-name Set the untagged VLAN name that users will be assigned
to.
vlan-name-tagged Set the tagged VLAN name that users will be assigned to.
<cr>
You will have to enable user-roles on the switch globally for this to work (aaa authorization user-role enable) and this introduces some restrictions and limitations regarding legacy security feautures. You can read more in the manual.
You can also use a device-profile instead of local-mac authentication, here you can also specify port-mode.
LeftAcessSw(config)# device-profile name AP mode ?
client-mode Configure the device connected port as client mode.
port-mode Configure the device connected port as port mode.
The configuration of device-profiles is also explained in the manual. If you are using LLDP OUI for device-identity you have to keep in mind that this is the OUI used in TLV 127 of the LLDP packet, not the OUI of the device mac.
This is the latest Access Security Guide for 2930 where you should be able to answer all your question.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091304en_us