
Anyone using ShoreTel VOIP with Enterasys NAC?

Matt_Stone
New Contributor
We had a ShoreTel VOIP system installed yesterday, this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.

We MAC authenticated the phones and they work fine, however when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g.

Thanks
19 REPLIES 19

Scott_Keene
New Contributor
Hi Matt,

Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI)? I am not sure I recall seeing this missing on a 2003 server, but if yours is, that would be strange for sure.

-Scott

hessm_mhs-pa_or
New Contributor
Scott,

We are still using IAS (2003) as we haven't had success in importing our policies into NPS (2008/2012). Perhaps it's things like the MD5 that are preventing our import from completing successfully.

Matt

Scott_Keene
New Contributor
Hi Matt,

Can you clarify if you are using an IAS (2003) or NPS (2008/2012) RADIUS server and IAS Event Viewer possibly? If the RADIUS server is NPS it does not support MD5 by default, so the phone, if configured for MD5, would likely need to be changed to another EAP method such as PEAP for example, or use a RADIUS server that is set up for MD5. Microsoft no longer supports MD5 by default beginning with Server 2008/NPS. If this option is missing in IAS (2003), can you tell if it is available to be added in the matching RADIUS Policy?

Regards,

Scott Keene

Enterasys / Extreme Networks GTAC

hessm_mhs-pa_or
New Contributor
Based on our configuration and the IAS logs, it looks like EAP with MD5-Challenge.



User 2023 was granted access.
Fully-Qualified-User-Name = mhs-pa.org/NETWORK/SHORETELVOIP (VID220)/2023
NAS-IP-Address = 10.51.32.125
NAS-Identifier = fh-idfb.c5.net.mhs-pa.org
Client-Friendly-Name = NAC2
Client-IP-Address = 10.51.32.125
Calling-Station-Identifier = 00-10-49-20-C6-5C
NAS-Port-Type = Ethernet
NAS-Port = 15
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x - ShoreTelVoIP - VID220
Authentication-Type = EAP
EAP-Type = MD5-Challenge
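
An added example, not part of the original posts: a short Python script that reads IAS event text in the layout shown above and lists, per policy, the endpoints still authenticating with an EAP type the new RADIUS server will not accept, which is the inventory to take before moving policies from IAS to NPS. The function names, the sample events and the contents of `UNSUPPORTED_ON_TARGET` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# EAP types the target server rejects; MD5-Challenge per this thread (assumed set).
UNSUPPORTED_ON_TARGET = {"MD5-Challenge"}

# Constructed sample in the layout of the IAS event above (made-up names/MACs).
SAMPLE_EVENTS = """\
User phone-a was granted access.
Calling-Station-Identifier = 00-00-5E-00-53-01
Authentication-Server =
Policy-Name = Example - Phones
Authentication-Type = EAP
EAP-Type = MD5-Challenge

User phone-b was granted access.
Calling-Station-Identifier = 00-00-5E-00-53-02
Policy-Name = Example - Phones
Authentication-Type = EAP
EAP-Type = Example-Other-Type
"""

HEADER = re.compile(r"^User (?P<user>.+?) was (?P<result>granted|denied) access\.$")

def parse_events(text):
    """Split event text into dicts; a 'User ... access.' line starts each event."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = {"User": m["user"], "Result": m["result"]}
            events.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()  # empty values are kept as ""
    return events

def migration_blockers(events, unsupported=UNSUPPORTED_ON_TARGET):
    """Map policy name -> sorted calling stations using an unsupported EAP type."""
    blockers = defaultdict(set)
    for ev in events:
        if ev.get("EAP-Type") in unsupported:
            policy = ev.get("Policy-Name", "(no policy)")
            blockers[policy].add(ev.get("Calling-Station-Identifier", "(unknown)"))
    return {policy: sorted(macs) for policy, macs in blockers.items()}

if __name__ == "__main__":
    print(migration_blockers(parse_events(SAMPLE_EVENTS)))
```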

Matt_Stone
New Contributor
I think you're on the right track with having to auth the phones dot1x to get this to work.

We tried to auth them 802.1x today, but NPS tells me "The client could not be authenticated because the EAP Type cannot be processed by the server." Do you have any idea what EAP type these are sending?

The connection policy allows EAP-PEAP & EAP-TLS with MSCHAP -v1/2, CHAP, PAP, and SPAP all turned on. I don't see another possible EAP type to allow.

Thanks for everyone's input.

Matt