Frequency of MAC address authentication (phones)

ad327 · ‎03-20-2009

Prior to a forthcoming changeover to DHCP networking, we've implemented

MAC address access control on our switches (5500/5500PWR), via a Radius

server. This seems to run perfectly well until we include the PoE switches

(reserved for VoIP telephones & wifi APs only) - invariably within an hour of

doing this our Radius server stops working. It appears that, unlike the

computers which authenticate once and then remain on our network until

they're physically removed, the telephones are constantly re-authenticating

themselves, and the volume of requests is making our server grind to a

halt. Our casual observations reveal that when not in use the phones are

re-authenticating randomly at intervals of between 30secs to 2mins; when

in use they re-authenticate every 60 seconds exactly. Our gut feeling is

that the volume of requests, when coincident with a failed request from an

unauthorised machine, is causing the failure.

Our voice and management are set to the same VLAN, and we haven't

noticed any intermittent rebooting/re-registering of the telephones. Apart

from the fault described above, the telephones seem completely stable.

I've spoken to the people who administer our Cisco Call Manager, and

they're pretty sure this is an issue relating to our 3Com switches.

I'd be very grateful for any advice.

Thanks in advance,

Alastair

Luckycharms · ‎03-20-2009

At first glance this seems more complex than a simple config change and more of a problem for 3Com Tech support to handle than their Forum.

Start with the issue that is the most deterministic first. That would be the 60 Second failure. Your twice as likely to capture info on this issue than some random time between 30 sec-2 mins. Also this has the most enduser impact because the devices are in use when it happens and is probably causing the most impact on your Radius Server

I would suggest a couple of things. I havent dealt with 3Com support much but most support organisation would ask for the following anyway so its still worthwhile

1 Get a packet trace using Wireshark from a port with a phone that fails every 60 seconds.

2 Need the config file from you switch

3 You need to get some logs from the switch around the time of the failure. There are a couple of ways you can do it and all of them are in the manulas just need to do some digging. Serial Connection with Hyperterm, Telnet ( need ro redirect console output to the Telnet session) or syslog. Also I beleive there is a log on the switch itself.

Without some kid of log, trace the following is purely speculation. The 60 Seconds sounds like a a registration timer or polling interval of some sort from the phones or from the switch.

The 30 Sec- 2 Min could be a random keepalive.

When idle the times sounds like a