This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Technical Discussions
- Network Architecture & Design
- RE: Anyone using ShoreTel VOIP with Enterasys NAC?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Anyone using ShoreTel VOIP with Enterasys NAC?
Anyone using ShoreTel VOIP with Enterasys NAC?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-11-2013 09:00 PM
We had a ShoreTel VOIP system installed yesterday, this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.
We MAC authenticated the phones and they work fine, however when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g
Thanks
We MAC authenticated the phones and they work fine, however when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g
Thanks
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-13-2013 11:08 PM
Hi Matt...Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI))? I am not sure I recall seeing this missing on a 2003 server but if yours is that would be strange for sure.
-Scott Keene
Enterasys / Extreme GTAC
-Scott Keene
Enterasys / Extreme GTAC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-13-2013 03:45 PM
Matt,
We run a ShoreTel VoIP phone system with 1,700 phones on our campus. We utilize 115, 230, 560 and 655 phones connected to our SecureStack C5's with policy and authentication via Enterasys NAC both MAC and 802.1x. We chose to utilize the 802.1x functionality of the shoretel phone. We utilize the phone extension as the user credentials with the same password on all phones. Active Directory in our backend was then setup with all possible extensions so auth through NAC -> IAS is validated. This allows us to locate a specific phone extension on campus quickly since the username is then the phone extension.
I'm curious if you need to have 802.1x enabled on the phone to allow the computer to 802.1x pass-through to function correctly? I've never tried to MAC auth the phone and then dot1x the machine. Your using a newer SIP phone so that could also be another difference in your configuration compared with ours.
We run a ShoreTel VoIP phone system with 1,700 phones on our campus. We utilize 115, 230, 560 and 655 phones connected to our SecureStack C5's with policy and authentication via Enterasys NAC both MAC and 802.1x. We chose to utilize the 802.1x functionality of the shoretel phone. We utilize the phone extension as the user credentials with the same password on all phones. Active Directory in our backend was then setup with all possible extensions so auth through NAC -> IAS is validated. This allows us to locate a specific phone extension on campus quickly since the username is then the phone extension.
I'm curious if you need to have 802.1x enabled on the phone to allow the computer to 802.1x pass-through to function correctly? I've never tried to MAC auth the phone and then dot1x the machine. Your using a newer SIP phone so that could also be another difference in your configuration compared with ours.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-13-2013 03:45 PM
Thank you for providing such a great comment Matt! I am going to see if a GTAC engineer can give a little more insight into this. Have a great day!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-13-2013 02:21 PM
Hi Brian, thanks for the great questions. We have some customers with this configuration so I am sure you will see some suggestions shortly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-12-2013 12:31 PM
I've been on two deployments of NAC where the customer had Shoretel phones. The phones are setup by default to have 802.1x turned on, for whatever reason. Also, there isn't a magic button in their mgmt software to turn it off, nor a config file you can use (although Shoretel does mention that as an option, we haven't gotten it to work) . It has to be turned off on each phone before you can get them to MAC auth, since 802.1x takes precedence over MAC. Here is one link to turn off 802.1x on the phone, not sure if all phones are the same, you may have to consult with your phone vendor to find out the key sequence to turn it off. Shortel Config Setup.
