
Anyone using ShoreTel VOIP with Enterasys NAC?


We had a ShoreTel VOIP system installed yesterday, this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.

We MAC authenticated the phones and they work fine, however when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g

Thanks


I've been on two deployments of NAC where the customer had ShoreTel phones. The phones are set up by default to have 802.1x turned on, for whatever reason. Also, there isn't a magic button in their mgmt software to turn it off, nor a config file you can use (although ShoreTel does mention that as an option, we haven't gotten it to work). It has to be turned off on each phone before you can get them to MAC auth, since 802.1x takes precedence over MAC. Here is one link to turn off 802.1x on the phone; not sure if all phones are the same, you may have to consult with your phone vendor to find out the key sequence to turn it off. ShoreTel Config Setup.
Hi Brian, thanks for the great questions. We have some customers with this configuration so I am sure you will see some suggestions shortly.
Matt,

We run a ShoreTel VoIP phone system with 1,700 phones on our campus. We utilize 115, 230, 560 and 655 phones connected to our SecureStack C5's with policy and authentication via Enterasys NAC both MAC and 802.1x. We chose to utilize the 802.1x functionality of the shoretel phone. We utilize the phone extension as the user credentials with the same password on all phones. Active Directory in our backend was then setup with all possible extensions so auth through NAC -> IAS is validated. This allows us to locate a specific phone extension on campus quickly since the username is then the phone extension.

I'm curious if you need to have 802.1x enabled on the phone to allow the computer's 802.1x pass-through to function correctly? I've never tried to MAC auth the phone and then dot1x the machine. You're using a newer SIP phone, so that could also be another difference in your configuration compared with ours.
ECOMMERCE\hessm@mhs-pa.org wrote:

Matt,

We run a ShoreTel VoIP phone system with 1,700 phones on our campus. We utilize 115, 230, 560 and 655 phones connected to our SecureStack C5's with policy and authentication via Enterasys NAC both MAC and 802.1x. We chose to utilize the 802.1x functionality of the shoretel phone. We utilize the phone extension as the user credentials with the same password on all phones. Active Directory in our backend was then setup with all possible extensions so auth through NAC -> IAS is validated. This allows us to locate a specific phone extension on campus quickly since the username is then the phone extension.

I'm curious if you need to have 802.1x enabled on the phone to allow the computer's 802.1x pass-through to function correctly? I've never tried to MAC auth the phone and then dot1x the machine. You're using a newer SIP phone, so that could also be another difference in your configuration compared with ours.

Thank you for providing such a great comment Matt! I am going to see if a GTAC engineer can give a little more insight into this. Have a great day!
I think you're on the right track with having to auth the phones dot1x to get this to work.

We tried to auth them 802.1x today, but NPS tells me "The client could not be authenticated because the EAP Type cannot be processed by the server." Do you have any idea what EAP type these are sending?

The connection policy allows EAP-PEAP & EAP-TLS with MSCHAP -v1/2, CHAP, PAP, and SPAP all turned on. I don't see another possible EAP type to allow.

Thanks for everyone's input.

Matt
Matt Stone wrote:

I think you're on the right track with having to auth the phones dot1x to get this to work.

We tried to auth them 802.1x today, but NPS tells me "The client could not be authenticated because the EAP Type cannot be processed by the server." Do you have any idea what EAP type these are sending?

The connection policy allows EAP-PEAP & EAP-TLS with MSCHAP -v1/2, CHAP, PAP, and SPAP all turned on. I don't see another possible EAP type to allow.

Thanks for everyone's input.

Matt

Hi Matt... Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI)? I am not sure I recall seeing this missing on a 2003 server, but if yours is, that would be strange for sure.

-Scott Keene
Enterasys / Extreme GTAC
Based on our configuration and the IAS logs it looks like EAP with MD5-Challenge:

User 2023 was granted access.
Fully-Qualified-User-Name = mhs-pa.org/NETWORK/SHORETELVOIP (VID220)/2023
NAS-IP-Address = 10.51.32.125
NAS-Identifier = fh-idfb.c5.net.mhs-pa.org
Client-Friendly-Name = NAC2
Client-IP-Address = 10.51.32.125
Calling-Station-Identifier = 00-10-49-20-C6-5C
NAS-Port-Type = Ethernet
NAS-Port = 15
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = [u]
Policy-Name = 802.1x - ShoreTelVoIP - VID220
Authentication-Type = EAP
EAP-Type = MD5-Challenge
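As an added example (this is not code from the thread, nor from Enterasys, Extreme or ShoreTel), here is a small Python audit that parses IAS event-log records in the key = value layout shown above, pulls out the EAP type and the VLAN hinted by the policy name, flags EAP-MD5 as a weak method (no server authentication, and the challenge/response is open to offline dictionary attack), and counts distinct MACs seen per switch port, which is the check you want when a phone and a PC both authenticate behind one port. The sample records, host names, addresses and MACs are constructed for the example.

```python
import re

# Constructed sample records in the key = value layout IAS writes to the
# Windows event log. Hosts, addresses and MACs are made up; the layout
# mirrors the record posted in the thread.
SAMPLE_EVENTS = """User 2023 was granted access.
Fully-Qualified-User-Name = example.org/NETWORK/VOIP (VID220)/2023
NAS-IP-Address = 192.0.2.10
NAS-Identifier = idf-switch.example.org
Client-Friendly-Name = NAC2
Calling-Station-Identifier = 00-10-49-AA-BB-CC
NAS-Port-Type = Ethernet
NAS-Port = 15
Policy-Name = 802.1x - ShoreTelVoIP - VID220
Authentication-Type = EAP
EAP-Type = MD5-Challenge

User DESK-PC-01$ was granted access.
NAS-IP-Address = 192.0.2.10
NAS-Identifier = idf-switch.example.org
Calling-Station-Identifier = 00-10-49-AA-BB-DD
NAS-Port-Type = Ethernet
NAS-Port = 15
Policy-Name = 802.1x - Workstations
Authentication-Type = EAP
EAP-Type = PEAP
"""

# EAP methods with no server authentication and a password-derived response
# that can be attacked offline; worth inventorying before any NPS migration.
WEAK_EAP = {"MD5-Challenge"}


def parse_ias_events(text):
    """Split the text on blank lines and turn each record into a dict.

    The first line of each record is kept under 'Summary'; when it has the
    'User X was granted/denied access' shape, 'User' and 'Granted' are added.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        rec = {"Summary": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(" = ")
            if sep:  # skip any line that is not 'key = value'
                rec[key.strip()] = value.strip()
        m = re.match(r"User (\S+) was (granted|denied) access", rec["Summary"])
        if m:
            rec["User"] = m.group(1)
            rec["Granted"] = m.group(2) == "granted"
        records.append(rec)
    return records


def vlan_from_policy(policy_name):
    """Return the VLAN id from a 'VID<n>' token in the policy name, else None."""
    m = re.search(r"\bVID(\d+)\b", policy_name or "")
    return int(m.group(1)) if m else None


def audit(records):
    """Return one finding per record: EAP strength, VLAN hint, MACs per port."""
    per_port = {}
    for rec in records:
        port_key = (rec.get("NAS-Identifier"), rec.get("NAS-Port"))
        per_port.setdefault(port_key, set()).add(rec.get("Calling-Station-Identifier"))
    findings = []
    for rec in records:
        port_key = (rec.get("NAS-Identifier"), rec.get("NAS-Port"))
        findings.append({
            "user": rec.get("User"),
            "mac": rec.get("Calling-Station-Identifier"),
            "eap_type": rec.get("EAP-Type"),
            "weak_eap": rec.get("EAP-Type") in WEAK_EAP,
            "vlan": vlan_from_policy(rec.get("Policy-Name")),
            "sessions_on_port": len(per_port[port_key]),
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_ias_events(SAMPLE_EVENTS)):
        flag = "WEAK EAP" if f["weak_eap"] else "ok"
        print(f"{f['user']:<14} {f['mac']} {f['eap_type']:<14} vlan={f['vlan']} "
              f"macs_on_port={f['sessions_on_port']} {flag}")
```

Run it against a text export of the IAS security log; a port that shows two distinct MACs with both records granted is the phone-plus-PC case working as intended, while a port that only ever shows the phone's MAC after a PC is attached behind it points at the supplicant frames not reaching the switch, which is what the thread eventually traced to the phone firmware.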
Hi Matt,

Can you clarify if you are using an IAS (2003) or NPS (2008/2012) RADIUS server, and possibly the IAS Event Viewer? If the RADIUS server is NPS it does not support MD5 by default, so the phone, if configured for MD5, would likely need to be changed to another EAP method such as PEAP, or use a RADIUS server that is set up for MD5. Microsoft no longer supports MD5 by default beginning with Server 2008/NPS. If this option is missing in IAS (2003), can you tell if it is available to be added in the matching RADIUS Policy?

Regards,

Scott Keene

Enterasys / Extreme Networks GTAC
Scott,

We are still using IAS (2003) as we haven't had success in importing our policies into NPS (2008/2012); perhaps it's things like the MD5 that are preventing our import from completing successfully.

Matt
Hi Matt,

Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI)? I am not sure I recall seeing this missing on a 2003 server, but if yours is, that would be strange for sure.

-Scott
MD5 is available in my EAP Methods on IAS (2003).
Hi Matt (and Matt), do you feel that the advice from Scott answered your questions? Matt Stone, did you have a chance to verify that your 2003 server contains that information?
Yes, with the information provided we were able to get the phones to authenticate EAP-MD5. Since we are using NPS 2008 we had to edit the registry to turn EAP-MD5 back on (link here for reference http://support.microsoft.com/kb/922574 )

Unfortunately we still aren't able to get the computers to authenticate when plugged in through the phone. If we put an unmanaged switch on the Enterasys port and plug the phone and computer into that, they both authenticate fine so we still believe this to be an issue with the phone not passing the request up to the switch. We are working with our ShoreTel partner to find a solution. If / when I get that I will post it for the benefit of others.

I have also reached out to Scott in a GTAC case with some wireshark captures to see if he can come up with anything that might help come to a resolution.

Thanks to everyone who replied,

Matt
Matt Stone wrote:

Yes, with the information provided we were able to get the phones to authenticate EAP-MD5. Since we are using NPS 2008 we had to edit the registry to turn EAP-MD5 back on (link here for reference http://support.microsoft.com/kb/922574 )

Unfortunately we still aren't able to get the computers to authenticate when plugged in through the phone. If we put an unmanaged switch on the Enterasys port and plug the phone and computer into that, they both authenticate fine so we still believe this to be an issue with the phone not passing the request up to the switch. We are working with our ShoreTel partner to find a solution. If / when I get that I will post it for the benefit of others.

I have also reached out to Scott in a GTAC case with some wireshark captures to see if he can come up with anything that might help come to a resolution.

Thanks to everyone who replied,

Matt

Thanks for the update Matt and we definitely look forward to hearing the resolution!
Matt Stone wrote:

Yes, with the information provided we were able to get the phones to authenticate EAP-MD5. Since we are using NPS 2008 we had to edit the registry to turn EAP-MD5 back on (link here for reference http://support.microsoft.com/kb/922574 )

Unfortunately we still aren't able to get the computers to authenticate when plugged in through the phone. If we put an unmanaged switch on the Enterasys port and plug the phone and computer into that, they both authenticate fine so we still believe this to be an issue with the phone not passing the request up to the switch. We are working with our ShoreTel partner to find a solution. If / when I get that I will post it for the benefit of others.

I have also reached out to Scott in a GTAC case with some wireshark captures to see if he can come up with anything that might help come to a resolution.

Thanks to everyone who replied,

Matt

I remember having an issue with Multi-auth and our phones\wireless when we moved to the C5's and I believe our solution was instead of passing the VLAN-ID via the policy we instead switched to sending the VLAN Attribute in IAS and setting the switch to pass-through for this.
Thanks to everyone who provided input on this issue. I just wanted to follow up with a resolution as promised.

This turned out to be an issue with the switch inside the phone. It was supposed to be passing the authentication requests through to the switch, but wasn't.

This was fixed in a firmware update from ShoreTel.
Matt Stone wrote:

Thanks to everyone who provided input on this issue. I just wanted to follow up with a resolution as promised.

This turned out to be an issue with the switch inside the phone. It was supposed to be passing the authentication requests through to the switch, but wasn't.

This was fixed in a firmware update from ShoreTel.

Thanks for the update Matt. Glad to hear it got worked out! Any chance you could share the firmware update that fixed the issue for future reference in case anyone else runs across it?
Matt Stone wrote:

Thanks to everyone who provided input on this issue. I just wanted to follow up with a resolution as promised.

This turned out to be an issue with the switch inside the phone. It was supposed to be passing the authentication requests through to the switch, but wasn't.

This was fixed in a firmware update from ShoreTel.

You bet. 802.0.6000.0 resolved this issue.
I never saw the reply to the issue of the ShoreTel 480G phone not passing the connected PC's 802.1x EAP request. Earlier ShoreTel phones passed it without a problem, but the 480 does not.
