Hi funroll,
It's a bit of an older topic, so you might have solved your issue by now. But this might be useful for future readers, so here is how to fix the mac-group device profile config.
You haven't posted your entire configuration, but from your snippet it looks like you have missed a command. Here is a quick test config from an Aruba 6200 switch.
You can check the status of the clients with the following command:
6200# show port-access clients

Port Access Clients

Status Codes: d device-mode, c client-mode, m multi-domain

-----------------------------------------------------------------------------------------------------------------
  Port     MAC-Address         Onboarding       Status    Role              Device Type
                               Method
-----------------------------------------------------------------------------------------------------------------
c 1/1/2    d4:c9:ef:b0:3d:80   device-profile   Success   User1
c 1/1/47   00:1f:fe:8e:c2:00   device-profile   Success   Hikvision-role
This will show you the client status and onboarding method. As for the config you have two options. To make your device profile with mac-group work you need to either:
- enable mac auth globally and on the appropriate interfaces
- or add the "mode block-until-profile-applied" option on the interfaces where you want to use the device profile
(this will allow communication only from devices matching the mac-group settings)
Here are the sample configs for both options:
mac-group Hikvision-Test
    seq 10 match mac-oui 00:1f:fe
port-access role Hikvision-role
    description Hikvision Device
    trust-mode none
port-access device-profile Hikvision-profile
    enable
    associate role Hikvision-role
    associate mac-group Hikvision-Test
aaa authentication port-access mac-auth
    enable
interface 1/1/47
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access mac-auth
        enable
OR:
mac-group lab1
    seq 10 match mac-oui d4:c9:ef
port-access role User1
    poe-priority low
    stp-admin-edge-port
    vlan access 10
port-access device-profile lab1
    enable
    associate role User1
    associate mac-group lab1
aaa authentication port-access mac-auth
    enable
interface 1/1/2
    no shutdown
    no routing
    vlan access 1
    port-access device-profile
        mode block-until-profile-applied
As you can see from the show port-access clients output above, both clients were onboarded successfully.
At first glance it looks a bit counterintuitive, but it will fix your device profile.
HTH,
Toni
------------------------------
Toni
------------------------------
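The two options from the reply above, written as a check over a saved running-config. This is an added example, not part of the original thread and not Aruba tooling; it assumes the config keeps AOS-CX indentation, and the sample config and function names are constructed for illustration.

```python
import re
# Constructed sample running-config (not from a real switch).
SAMPLE = """\
aaa authentication port-access mac-auth
    enable
interface 1/1/2
    port-access device-profile
        mode block-until-profile-applied
interface 1/1/10
    vlan access 1
interface 1/1/47
    aaa authentication port-access mac-auth
        enable
"""

def parse_blocks(config):
    """Map each top-level line to the stripped lines nested under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def follows(body, parent, child):
    """True if `child` is the line directly after `parent` in a block body."""
    return (parent, child) in zip(body, body[1:])

def audit(config):
    """Per physical port: which of the two mac-group triggers is configured."""
    blocks = parse_blocks(config)
    mac_auth = "aaa authentication port-access mac-auth"
    global_on = "enable" in blocks.get(mac_auth, [])
    report = {}
    for name, body in blocks.items():
        m = re.fullmatch(r"interface (\d+/\d+/\d+)", name)
        if m and follows(body, "port-access device-profile", "mode block-until-profile-applied"):
            report[m.group(1)] = "block-until-profile-applied"
        elif m and global_on and follows(body, mac_auth, "enable"):
            report[m.group(1)] = "mac-auth"  # needs global AND interface enable
        elif m:
            report[m.group(1)] = "none"  # a mac-group profile will not apply here
    return report
```

Ports reported as "none" are the ones where a mac-group device profile stays unapplied, which matches the symptom in the original question.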
Original Message:
Sent: Jun 06, 2023 04:35 AM
From: funroll
Subject: 6300M device profile mac-group not working.
The cameras don't support LLDP unfortunately otherwise that's what I would have done.
Original Message:
Sent: Jun 05, 2023 04:45 PM
From: Dylan Vercamer
Subject: 6300M device profile mac-group not working.
Why not try with an LLDP group then?
No clear system description? Or too many possibilities?
Original Message:
Sent: May 17, 2023 07:39 AM
From: funroll
Subject: 6300M device profile mac-group not working.
I need to apply a device profile to a number of Hikvision cameras across a campus with 6300M switches.
The cameras do not support LLDP.
I've defined a mac-group:
mac-group Hikvision
    seq 10 match mac-oui c0:51:7e
    seq 20 match mac-oui b4:a3:82
    seq 30 match mac-oui 4c:f5:dc
A role:
port-access role Hikvision-role
    description Hikvision Device
    trust-mode none
and a device profile:
port-access device-profile Hikvision-profile
    enable
    associate role Hikvision-role
    associate mac-group Hikvision
But for some reason, it just does not apply. I've used device profiles previously for IAPs with an LLDP group and that worked fine.
Anybody got any ideas as to what is going on?
Phil