I have an HP ProCurve 2626 as the main trunk for several subnets in production. I am a UNIX systems administrator and not a networking guy, but I've worked with Cisco switches and some of these HP switches before. I am completely baffled by the fact that I cannot seem to turn off port-access mac-based RADIUS authentication on a specific port (9). I have looked up every HP manual I can find and scoured Google for hours with no results. I have tried the following:

  • config
  • no aaa port-access mac-based 9
  • no aaa port-access authenicator 9
  • aaa no port-access mac-based 9
  • no aaa port-access mac-based 9-13

and every other combination I can imagine. Each command goes with no errors or any output at all, but show run still shows no changes. Here is my config.

hostname "HPSwitch6" 
time timezone -5 
time daylight-time-rule Continental-US-and-Canada 
cdp run 
no telnet-server 
interface 1 
   no lacp
exit
interface 3 
   no lacp
exit
interface 4 
   no lacp
exit
interface 5 
   no lacp
exit
interface 6 
   no lacp
exit
interface 7 
   no lacp
exit
interface 8 
   no lacp
exit
interface 9 
   no lacp
exit
interface 10 
   no lacp
exit
interface 11 
   no lacp
exit
interface 12 
   no lacp
exit
interface 13 
   no lacp
exit
interface 14 
   name "Conf - IS" 
   no lacp
exit
interface 15 
   name "Conf - IS" 
   no lacp
exit
interface 16 
   no lacp
exit
interface 17 
   no lacp
exit
interface 18 
   no lacp
exit
interface 19 
   no lacp
exit
interface 20 
   name "Conf - IS" 
   no lacp
exit
interface 21 
   no lacp
exit
interface 22 
   no lacp
exit
interface 23 
   no lacp
exit
interface 24 
   no lacp
exit
interface 25 
   no lacp
exit
trunk 25 Trk1 Trunk 
ip default-gateway 172.18.0.1 
vlan 1 
   name "VLAN172.18" 
   untagged 17-24,26,Trk1 
   ip address 172.18.10.6 255.255.0.0 
   no untagged 1-8,10-16 
   exit 
vlan 77 
   name "VLANExternal" 
   untagged 1-8 
   exit 
vlan 1020 
   name "VoIP_DMZ" 
   untagged 9-16 
   exit 
aaa authentication web login radius local 
aaa authentication web enable radius local 
aaa accounting network start-stop radius 
aaa accounting exec start-stop radius 
radius-server host ###################### 
radius-server host ###################### 
aaa port-access mac-based 1 addr-limit 32
aaa port-access mac-based 2 addr-limit 32
aaa port-access mac-based 3 addr-limit 32
aaa port-access mac-based 4 addr-limit 32
aaa port-access mac-based 5 addr-limit 32
aaa port-access mac-based 6 addr-limit 32
aaa port-access mac-based 7 addr-limit 32
aaa port-access mac-based 8 addr-limit 32
aaa port-access mac-based 9 addr-limit 32
aaa port-access mac-based 10 addr-limit 32
aaa port-access mac-based 11 addr-limit 32
aaa port-access mac-based 12 addr-limit 32
aaa port-access mac-based 13 addr-limit 32
aaa port-access mac-based 14 addr-limit 32
aaa port-access mac-based 15 addr-limit 32
aaa port-access mac-based 16 addr-limit 32
aaa port-access mac-based 17 addr-limit 32
aaa port-access mac-based 18 addr-limit 32
aaa port-access mac-based 19 addr-limit 32
aaa port-access mac-based 20 addr-limit 32
aaa port-access mac-based 21 addr-limit 32
aaa port-access mac-based 22 addr-limit 32
aaa port-access mac-based 23 addr-limit 32
aaa port-access mac-based 24 addr-limit 32
spanning-tree
spanning-tree Trk1 priority 4
ip ssh
ip ssh filetransfer
ip ssh version 1-or-2
no tftp client
no tftp server
user1625222

2 Answers

You can't remove configuration rules that set values with the [no] syntax; the way to remove them is to set them back to their default value, which may involve RTFM.

So if you have the two rules DarkMoon gives:

aaa port-access mac-based 9
aaa port-access mac-based 9 addr-limit 32

they are disabled with:

no aaa port-access mac-based 9
aaa port-access mac-based 9 addr-limit 1
richardb
  • Thanks for the extra info; I actually had downloaded the Access and Security Guide for that switch with the intent of checking on that, and then completely forgot that I had downloaded it. – DarkMoon Aug 06 '14 at 03:50

It's already off. Use show port-access mac-based to show the status of each port.

What you have in that config is the address limit for each port, but have not enabled mac-based auth on any of them.

Usually, for a port that has it enabled, you should see:

aaa port-access mac-based 9
aaa port-access mac-based 9 addr-limit 32

The two lines do different things. The first enables mac-based port-access, the second configures it.

And FYI, I put those commands into my switch, and I'm now trying to remove that second line as well; I can't find a command to do that. That's the first time I've seen that in an HP switch.

Edit: I forgot to add, the full documentation for aaa port-access mac-based is in the switch's Access & Configuration Guide, found here:

Abhijeet Kasurde
DarkMoon
  • Thanks! I figured out after a long time that the mac-checking was off but I didn't understand why the addr-limit was still there. – user1625222 Aug 06 '14 at 12:47
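Both answers turn on the same distinction: the bare `aaa port-access mac-based <port>` line enables authentication, while the `... addr-limit N` line only tunes it, and an addr-limit line on its own (as on every port in the questioner's config) enforces nothing. The script below is an added example, not code from either answer or from HP: it audits a saved copy of the running config offline, flags ports that carry an orphan addr-limit, and lists, per VLAN, the untagged ports on which no mac-based authentication is actually enforced (here that is every port in "VLANExternal" and "VoIP_DMZ" except the one constructed exception). The sample config is constructed to resemble the questioner's, except that port 8 is given the enable line so both states appear; the default addr-limit of 1 is the value richardb's answer states.

```python
import re
from collections import defaultdict

# Default addr-limit once mac-based authentication is enabled, per richardb's answer.
DEFAULT_ADDR_LIMIT = 1

# Constructed sample, not the questioner's full config: shaped like it (addr-limit on
# every listed port, authentication enabled on none), except that port 8 is given the
# bare enable line so both states appear.
SAMPLE_CONFIG = """\
vlan 1
   untagged 17-24,26,Trk1
   no untagged 1-8,10-16
   exit
vlan 77
   untagged 1-8
   exit
vlan 1020
   untagged 9-16
   exit
aaa port-access mac-based 8
aaa port-access mac-based 8 addr-limit 32
aaa port-access mac-based 9 addr-limit 32
aaa port-access mac-based 10 addr-limit 32
"""

ENABLE_RE = re.compile(r"^aaa port-access mac-based (\S+)$")       # enables auth
LIMIT_RE = re.compile(r"^aaa port-access mac-based (\S+) addr-limit (\d+)$")  # only tunes it
VLAN_RE = re.compile(r"^vlan (\d+)$")
UNTAGGED_RE = re.compile(r"^(no )?untagged (\S+)$")


def expand_ports(port_list):
    """Expand a ProCurve port list such as '17-24,26,Trk1' into individual ports."""
    ports = []
    for item in port_list.split(","):
        lo, sep, hi = item.partition("-")
        if sep and lo.isdigit() and hi.isdigit():
            ports.extend(str(n) for n in range(int(lo), int(hi) + 1))
        else:
            ports.append(item)
    return ports


def port_key(port):
    """Sort numeric ports numerically; named ports (Trk1) after them."""
    return (0, int(port)) if port.isdigit() else (1, port)


def parse_config(text):
    """Collect enabled ports, per-port addr-limits and untagged VLAN membership."""
    enabled, limits, vlans = set(), {}, defaultdict(set)
    current_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := VLAN_RE.match(line)):
            current_vlan = m.group(1)
        elif line == "exit":
            current_vlan = None
        elif (m := UNTAGGED_RE.match(line)) and current_vlan is not None:
            ports = expand_ports(m.group(2))
            if m.group(1):                      # "no untagged ..." removes membership
                vlans[current_vlan].difference_update(ports)
            else:
                vlans[current_vlan].update(ports)
        elif (m := LIMIT_RE.match(line)):       # must be tried before ENABLE_RE
            for p in expand_ports(m.group(1)):
                limits[p] = int(m.group(2))
        elif (m := ENABLE_RE.match(line)):
            enabled.update(expand_ports(m.group(1)))
    return {"enabled": enabled, "addr_limit": limits, "vlans": dict(vlans)}


def audit(text):
    """Per port: ('enforced', limit) or ('not_enforced', limit) for an orphan addr-limit."""
    cfg = parse_config(text)
    report = {}
    for port in sorted(cfg["enabled"] | set(cfg["addr_limit"]), key=port_key):
        if port in cfg["enabled"]:
            report[port] = ("enforced", cfg["addr_limit"].get(port, DEFAULT_ADDR_LIMIT))
        else:
            report[port] = ("not_enforced", cfg["addr_limit"][port])
    return report


def unauthenticated_by_vlan(text):
    """Untagged ports per VLAN on which no mac-based authentication is enforced."""
    cfg = parse_config(text)
    return {vlan: sorted(ports - cfg["enabled"], key=port_key)
            for vlan, ports in cfg["vlans"].items()}


if __name__ == "__main__":
    for port, (state, limit) in audit(SAMPLE_CONFIG).items():
        print(f"port {port}: {state} (addr-limit {limit})")
    for vlan, ports in unauthenticated_by_vlan(SAMPLE_CONFIG).items():
        print(f"vlan {vlan}: no mac-based auth on {','.join(ports)}")
```

This only reads text; the authoritative check is still `show port-access mac-based` on the switch, as DarkMoon says. The script is useful for the case the questioner hit, where `show run` output looks like authentication is configured but nothing is enforced, and for spotting ports on a VLAN that should be authenticated but are not.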