Anyone using ShoreTel VOIP with Enterasys NAC?
‎12-11-2013 09:00 PM
We had a ShoreTel VOIP system installed yesterday; this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.
We MAC authenticated the phones and they work fine; however, when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g.
Thanks
19 REPLIES
‎12-13-2013 11:08 PM
Hi Matt... Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI)? I am not sure I recall seeing this missing on a 2003 server but if yours is that would be strange for sure.
-Scott Keene
Enterasys / Extreme GTAC
‎12-13-2013 03:45 PM
Matt,
We run a ShoreTel VoIP phone system with 1,700 phones on our campus. We utilize 115, 230, 560 and 655 phones connected to our SecureStack C5s with policy and authentication via Enterasys NAC, both MAC and 802.1x. We chose to utilize the 802.1x functionality of the ShoreTel phone. We utilize the phone extension as the user credentials with the same password on all phones. Active Directory in our backend was then set up with all possible extensions so auth through NAC -> IAS is validated. This allows us to locate a specific phone extension on campus quickly since the username is then the phone extension.
I'm curious if you need to have 802.1x enabled on the phone to allow the computer's 802.1x pass-through to function correctly? I've never tried to MAC auth the phone and then dot1x the machine. You're using a newer SIP phone so that could also be another difference in your configuration compared with ours.
‎12-13-2013 03:45 PM
Thank you for providing such a great comment Matt! I am going to see if a GTAC engineer can give a little more insight into this. Have a great day!
‎12-13-2013 02:21 PM
Hi Brian, thanks for the great questions. We have some customers with this configuration so I am sure you will see some suggestions shortly.
‎12-12-2013 12:31 PM
I've been on two deployments of NAC where the customer had ShoreTel phones. The phones are set up by default to have 802.1x turned on, for whatever reason. Also, there isn't a magic button in their mgmt software to turn it off, nor a config file you can use (although ShoreTel does mention that as an option, we haven't gotten it to work). It has to be turned off on each phone before you can get them to MAC auth, since 802.1x takes precedence over MAC. Here is one link to turn off 802.1x on the phone; not sure if all phones are the same, you may have to consult with your phone vendor to find out the key sequence to turn it off. ShoreTel Config Setup.
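Both questions in this thread (does the PC's 802.1x request get through the phone, and is the phone's own supplicant still on) can be checked from a mirror of the phone's switch port by listing which source MACs send EAPOL frames (EtherType 0x888E) and which EAP methods they use. The parser below is an added example, not part of the original thread; the MAC addresses, the extension 4321, the sample frames and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

EAPOL_ETHERTYPE = 0x888E                    # IEEE 802.1X (EAP over LAN)
PAE_GROUP = bytes.fromhex("0180c2000003")   # destination MAC used by supplicants
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_eapol(frame):
    """Return (src_mac, description) for an EAPOL frame, else None."""
    if len(frame) < 18:
        return None
    src = frame[6:12].hex(":")
    off = 18 if frame[12:14] == b"\x81\x00" else 14   # skip a single 802.1Q tag
    (etype,) = struct.unpack_from("!H", frame, off - 2)
    if etype != EAPOL_ETHERTYPE or len(frame) < off + 4:
        return None
    _ver, ptype, plen = struct.unpack_from("!BBH", frame, off)
    desc = EAPOL_TYPES.get(ptype, f"type-{ptype}")
    body = frame[off + 4:off + 4 + plen]
    if ptype == 0 and len(body) >= 4:       # EAP header: code, id, length
        desc = "EAP " + EAP_CODES.get(body[0], f"code-{body[0]}")
        if body[0] in (1, 2) and len(body) >= 5:   # Request/Response carry a method
            desc += " " + EAP_METHODS.get(body[4], f"method-{body[4]}")
    return src, desc

def supplicants(frames):
    """Map each source MAC to the ordered EAPOL messages it sent."""
    seen = defaultdict(list)
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed:
            seen[parsed[0]].append(parsed[1])
    return dict(seen)

def build_frame(src, eapol_type, eap=b""):  # builds constructed sample frames only
    hdr = PAE_GROUP + bytes.fromhex(src) + struct.pack("!H", EAPOL_ETHERTYPE)
    return hdr + struct.pack("!BBH", 1, eapol_type, len(eap)) + eap

PHONE, PC = "020000000a01", "020000000b02"  # constructed MAC addresses
SAMPLE = [                                  # constructed uplink capture
    build_frame(PHONE, 0, struct.pack("!BBHB", 2, 1, 9, 1) + b"4321"),
    build_frame(PHONE, 0, struct.pack("!BBHB", 2, 2, 22, 4) + bytes([16]) + bytes(16)),
    build_frame(PC, 1),
]

if __name__ == "__main__":
    print(supplicants(SAMPLE))
```

If the PC's MAC never appears in the result, its EAPOL frames are not being forwarded by the phone; if the phone's MAC appears, the phone's own 802.1x supplicant is still enabled.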
