We got it working. The problems appear to only arise when we use the Cisco phones that packetfence can't resolve the dhcp fingerprint for:
1,3,15,6,12,35,66,150 Makes sense I guess. It now all works fine with the other phones. Thanks, Kevin -----Original Message----- From: Francois Gaudreault [mailto:[email protected]] Sent: January-18-12 5:12 PM To: [email protected] Subject: Re: [Packetfence-users] VOIP Phone with packetfence Can you share the configuration of the switch ports? How much mac address you allowed on the port (You should allow 3)? Is it possible that it's a firmware issue? I believe the normal flow should be : - Authorizing the phone, on the reg or data vlan - LLDP-MED negociation - Authorizing the phone on the voice vlan. The only setup I have seen with Avaya using VoIP is with Nortel phones, not Cisco. Did you try using NoEAP instead (aka Mac Authentication)? I think you can return a VSA to the switch with a user-based policy to tell the switch the device is a voice device (Avaya Attribute 111 string: UROLvoice). See:http://support.avaya.com/css/P8/documents/100099486 On 12-01-18 3:18 PM, Kevin Manuel wrote: > The phones are Cisco phones. The switches are Avaya 5500 series so CDP > does not work. LLDP-Med from the switch is used to configure the > phones (tell it voice vlan, QOS stuff, etc). > > A couple of the phones have the following fingerprint: > 1,3,15,6,12,35,66,150 > > A couple of the phones do not show a fingerprint One phone shows as > auto-registered and it's fingerprint is > 1,3,6,15,42,66,150 which was resolved to Cisco IP Phone > 0c:85:25:3f:d6:ee > > Here are some examples of what is seen in the switch forwarding table: > > Vlan mac addr port > > 1128 d4:d7:48:41:c6:cd 1/11 > 1128 00:16:41:e6:23:87 1/11 > 2038 d4:d7:48:41:c6:cd 1/11 > > 2038 70:81:05:0c:3d:26 1/31 > 38 70:81:05:0c:3d:26 1/31 > > 2038 00:07:7d:df:c9:a4 1/39 > 38 00:07:7d:df:c9:a4 1/39 > > Where > - vlan 1128 = registration vlan > - vlan 2038 = voice vlan > - vlan 38 = (registered) data vlan > - d4:d7:48:41:c6:cd, 70:81:05:0c:3d:26, 00:07:7d:df:c9:a4 are phones > that are showing up in both the voice and data vlans > - 00:16:41:e6:23:87 is a registered computer that shows up in the > registration vlan > > > Associated packetfence.log logs show the following for port 11 (the > one with the computer connected): > > Jan 18 15:52:30 pfsetvlan(15) INFO: nb of items in queue: 1; nb of > threads > running: 0 (main::startTrapHandlers) > Jan 18 15:52:30 pfsetvlan(15) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for d4:d7:48:41:c6:cd (main::handleTrap) Jan 18 > 15:52:30 pfsetvlan(15) INFO: d4:d7:48:41:c6:cd is a secure MAC address > at 10.10.38.1 ifIndex 27 VLAN 38. De-authorizing (new entry > 02:00:00:00:00:27) (main::do_port_security) Jan 18 15:52:31 > pfsetvlan(15) INFO: MAC: d4:d7:48:41:c6:cd is unregistered; belongs > into registration VLAN (pf::vlan::vlan_determine_for_node) > Jan 18 15:52:31 pfsetvlan(15) INFO: authorizing d4:d7:48:41:c6:cd at > new location 10.10.38.1 ifIndex 11 (main::handleTrap) Jan 18 15:52:31 > pfsetvlan(15) INFO: finished (main::cleanupAfterThread) Jan 18 > 15:52:36 pfsetvlan(10) INFO: nb of items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:52:36 pfsetvlan(10) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for 00:16:41:e6:23:87 (main::handleTrap) Jan 18 > 15:52:36 pfsetvlan(10) INFO: de-authorizing 00:16:41:e6:23:87 (new > entry 02:00:00:00:00:07) at old location 10.10.38.1 ifIndex 7 > (main::do_port_security) > Jan 18 15:52:36 pfsetvlan(10) INFO: authorizing 00:16:41:e6:23:87 (old > entry > d4:d7:48:41:c6:cd) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:52:36 pfsetvlan(10) INFO: MAC: > 00:16:41:e6:23:87, PID: pier, > Status: reg, VLAN: 38 (pf::vlan::vlan_determine_for_node) > Jan 18 15:52:36 pfsetvlan(10) INFO: finished > (main::cleanupAfterThread) Jan 18 15:52:40 pfsetvlan(18) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:52:40 pfsetvlan(18) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for d4:d7:48:41:c6:cd (main::handleTrap) Jan 18 > 15:52:40 pfsetvlan(18) INFO: authorizing d4:d7:48:41:c6:cd (old entry > 00:16:41:e6:23:87) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:52:40 pfsetvlan(18) INFO: MAC: > d4:d7:48:41:c6:cd is unregistered; belongs into registration VLAN > (pf::vlan::vlan_determine_for_node) > Jan 18 15:52:40 pfsetvlan(18) INFO: finished > (main::cleanupAfterThread) Jan 18 15:52:46 pfsetvlan(11) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:52:46 pfsetvlan(11) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for 00:16:41:e6:23:87 (main::handleTrap) Jan 18 > 15:52:46 pfsetvlan(11) INFO: authorizing 00:16:41:e6:23:87 (old entry > d4:d7:48:41:c6:cd) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:52:46 pfsetvlan(11) INFO: MAC: > 00:16:41:e6:23:87, PID: pier, > Status: reg, VLAN: 38 (pf::vlan::vlan_determine_for_node) > Jan 18 15:52:46 pfsetvlan(11) INFO: finished > (main::cleanupAfterThread) Jan 18 15:52:51 pfsetvlan(20) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:52:51 pfsetvlan(20) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for d4:d7:48:41:c6:cd (main::handleTrap) Jan 18 > 15:52:51 pfsetvlan(20) INFO: authorizing d4:d7:48:41:c6:cd (old entry > 00:16:41:e6:23:87) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:52:51 pfsetvlan(20) INFO: MAC: > d4:d7:48:41:c6:cd is unregistered; belongs into registration VLAN > (pf::vlan::vlan_determine_for_node) > Jan 18 15:52:52 pfsetvlan(20) INFO: finished > (main::cleanupAfterThread) Jan 18 15:53:02 pfsetvlan(7) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:53:02 pfsetvlan(7) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for 00:16:41:e6:23:87 (main::handleTrap) Jan 18 > 15:53:02 pfsetvlan(7) INFO: authorizing 00:16:41:e6:23:87 (old entry > d4:d7:48:41:c6:cd) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:53:02 pfsetvlan(7) INFO: MAC: > 00:16:41:e6:23:87, PID: pier, > Status: reg, VLAN: 38 (pf::vlan::vlan_determine_for_node) > Jan 18 15:53:03 pfsetvlan(7) INFO: finished (main::cleanupAfterThread) > Jan 18 15:53:41 pfsetvlan(13) INFO: nb of items in queue: 1; nb of > threads > running: 0 (main::startTrapHandlers) > Jan 18 15:53:41 pfsetvlan(13) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for d4:d7:48:41:c6:cd (main::handleTrap) Jan 18 > 15:53:41 pfsetvlan(13) INFO: authorizing d4:d7:48:41:c6:cd (old entry > 00:16:41:e6:23:87) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:53:41 pfsetvlan(13) INFO: MAC: > d4:d7:48:41:c6:cd is unregistered; belongs into registration VLAN > (pf::vlan::vlan_determine_for_node) > Jan 18 15:53:41 pfsetvlan(13) INFO: finished > (main::cleanupAfterThread) Jan 18 15:53:49 pfsetvlan(14) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:53:49 pfsetvlan(14) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for 00:16:41:e6:23:87 (main::handleTrap) Jan 18 > 15:53:49 pfsetvlan(14) INFO: authorizing 00:16:41:e6:23:87 (old entry > d4:d7:48:41:c6:cd) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:53:49 pfsetvlan(14) INFO: MAC: > 00:16:41:e6:23:87, PID: pier, > Status: reg, VLAN: 38 (pf::vlan::vlan_determine_for_node) > Jan 18 15:53:49 pfsetvlan(14) INFO: finished > (main::cleanupAfterThread) Jan 18 15:54:41 pfsetvlan(5) INFO: nb of > items in queue: 1; nb of threads > running: 0 (main::startTrapHandlers) > Jan 18 15:54:41 pfsetvlan(5) INFO: secureMacAddrViolation trap > received on > 10.10.38.1 ifIndex 11 for d4:d7:48:41:c6:cd (main::handleTrap) Jan 18 > 15:54:41 pfsetvlan(5) INFO: authorizing d4:d7:48:41:c6:cd (old entry > 00:16:41:e6:23:87) at new location 10.10.38.1 ifIndex 11 > (main::handleTrap) Jan 18 15:54:41 pfsetvlan(5) INFO: MAC: > d4:d7:48:41:c6:cd is unregistered; belongs into registration VLAN > (pf::vlan::vlan_determine_for_node) > Jan 18 15:54:41 pfsetvlan(5) INFO: finished (main::cleanupAfterThread) > > > > The end result is that only d4:d7:48:41:c6:cd is authorized by mac > security to talk on that port, probably because the computer ends up giving up. > > Any thoughts? > > > > -----Original Message----- > From: Francois Gaudreault [mailto:[email protected]] > Sent: January-18-12 10:25 AM > To: [email protected] > Subject: Re: [Packetfence-users] VOIP Phone with packetfence > > Hi Kevin, > > Let's start with a bunch of questions: > What hardware do you have (Cisco, HP,...)? Do the Phone and hardware > supports CDP or LLDP? When you go to the node table, do you have the > phone DHCP fingerprint? > > On 12-01-17 4:07 PM, Kevin Manuel wrote: >> Hi, >> >> We are having difficulties getting packetfence to recognize a VOIP >> phone as a phone. And if we connect a computer to the phone it >> creates several issues with packetfence because the phone mac address >> is showing up on the data vlan along with the computer for some >> reason (in addition the phone mac address showing up on the voice >> vlan). The phone works - the computer does not. >> >> I realize I didn't include much for details, but does anybody have >> any advice based on the info above? >> >> Thanks in advance, >> >> Kevin >> >> >> --------------------------------------------------------------------- >> - >> -------- Keep Your Developer Skills Current with LearnDevNow! >> The most comprehensive online learning library for Microsoft >> developers is just $99.99! Visual Studio, SharePoint, SQL - plus >> HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when >> you > subscribe now! >> http://p.sf.net/sfu/learndevnow-d2d >> _______________________________________________ >> Packetfence-users mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/packetfence-users >> > > -- > Francois Gaudreault, ing. jr > [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca > Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence > (www.packetfence.org) > > > ---------------------------------------------------------------------- > ------ > -- > Keep Your Developer Skills Current with LearnDevNow! > The most comprehensive online learning library for Microsoft > developers is just $99.99! Visual Studio, SharePoint, SQL - plus > HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-d2d > _______________________________________________ > Packetfence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users > > > ---------------------------------------------------------------------- > -------- Keep Your Developer Skills Current with LearnDevNow! > The most comprehensive online learning library for Microsoft > developers is just $99.99! Visual Studio, SharePoint, SQL - plus > HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-d2d > _______________________________________________ > Packetfence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users > -- Francois Gaudreault, ing. jr [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) ---------------------------------------------------------------------------- -- Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
