Hi Brent,
> Correct me if I am wrong...this seems to be the issue. Is this identified as
> a "phone port" and thus it takes no action? Looking through the code this
> is what it looks like to me. (Caveat: I am not a developer.) Is this just
> not "multi-domain-ready" at this time?
No, it's not identified as a "phone port", but it detected a phone on the
port. Is this the case: is there a phone on the port?
>
> Mar 25 13:58:56 pfsetvlan(1) INFO: A VoIP phone is currently connected at
> switchipifIndex 154. Leaving everything as it is.
> (pf::SNMP::handleReAssignVlanTrapForWiredMacAuth)
>
> ...
> if ( !$hasPhone ) {
>     $logger->info( "no VoIP phone is currently connected at "
>             . $switch_ip
>             . " ifIndex $ifIndex. Flipping port admin status"
>     );
>     $this->bouncePort($ifIndex);
>
> } else {
>
>     $logger->info(
>         "A VoIP phone is currently connected at $switch_ip"
>         . " ifIndex $ifIndex. Leaving everything as it is."
>     );
>     # TODO perform CoA (when implemented)
> ...
>
So you identified the issue correctly. Our MAC-Authentication (MAB)
support with Voice over IP mimicked what we've done with port-security,
perhaps a bit too naively. No problem in ifIndex translation after all.
Now, I'm trying to come up with the correct "here's what we should do"
and I'm having a hard time figuring it out.
If, for you, security is more important than convenience, then no matter
whether a phone is present or not you should:
$this->bouncePort($ifIndex);
but this would have the effect of cutting a phone conversation on VLAN
re-assignment. And your phones would have to be PoE so that when it goes
down, the PC port goes down too, and so the client would do DHCP and obtain
the correct VLAN information because of the link change.
Other than that, you'll have to wait for us to implement RADIUS Change of
Authorization (CoA), but even then the behavior won't be optimal: the CoA
will force the client to re-authenticate and it will be placed into its
new VLAN, but it will not do a new DHCP Request because it didn't lose
its link status.
IP Telephones with PCs behind them ... except when users are in 802.1X,
you always lose something: either you cut the user's phone on isolation,
or you have him wonder why his network stopped working until he does a
manual DHCP renew (or the more popular unplug/plug).
Fresh ideas to improve the "VoIP with a PC behind" situation would be
really appreciated!
--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
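The trade-off described above, as an added example (a constructed model, not PacketFence code): the current "bounce unless a phone is present" behaviour, an unconditional bounce, and RADIUS CoA are applied to a constructed port state so their side effects on the phone call and on the PC's DHCP lease can be compared. The Port/Outcome types and the strategy names are assumptions of this model.

```python
"""Constructed model (not PacketFence code) of the VLAN re-assignment trade-off
for a PC sitting behind a VoIP phone, as described in the thread."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Port:
    phone_present: bool     # a VoIP phone was detected on the switch port
    phone_is_poe: bool      # phone (and its PC port) loses power on a bounce
    client_vlan: int        # VLAN the switch currently assigns to the PC
    client_lease_vlan: int  # VLAN the PC's DHCP lease was obtained on


@dataclass(frozen=True)
class Outcome:
    port: Port
    call_dropped: bool      # an active phone conversation was cut
    lease_stale: bool       # the PC's addressing no longer matches its VLAN


def reassign_vlan(port: Port, new_vlan: int, strategy: str) -> Outcome:
    """Apply one strategy from the thread and report its side effects."""
    if strategy == "bounce_unless_phone":
        # Current MAB behaviour: leave the port alone when a phone is on it.
        strategy = "leave" if port.phone_present else "bounce"
    if strategy == "bounce":
        # Flipping admin status drops the link, so any call is cut.  The PC
        # only re-DHCPs if its own link went down too (PoE phone powering off,
        # or no phone in between at all).
        pc_link_flapped = port.phone_is_poe or not port.phone_present
        lease = new_vlan if pc_link_flapped else port.client_lease_vlan
        new_port = replace(port, client_vlan=new_vlan, client_lease_vlan=lease)
        return Outcome(new_port, call_dropped=port.phone_present,
                       lease_stale=lease != new_vlan)
    if strategy == "leave":
        # Nothing changes on the wire: no call cut, but the PC is never moved.
        return Outcome(port, call_dropped=False, lease_stale=False)
    if strategy == "coa":
        # RADIUS CoA re-authenticates the PC into the new VLAN without a link
        # change, so it keeps its old lease until a manual renew or a replug.
        new_port = replace(port, client_vlan=new_vlan)
        return Outcome(new_port, call_dropped=False, lease_stale=True)
    raise ValueError(f"unknown strategy {strategy!r}")
```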
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users