Anyone using ShoreTel VOIP with Enterasys NAC?
‎12-11-2013 09:00 PM
We had a ShoreTel VOIP system installed yesterday; this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.
We MAC authenticated the phones and they work fine; however, when we plug a computer into the phone, it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g.
Thanks
19 REPLIES 19
‎12-16-2013 05:32 PM
Hi Matt,
Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI)? I am not sure I recall seeing this missing on a 2003 server, but if yours is, that would be strange for sure.
-Scott
‎12-16-2013 05:19 PM
Scott,
We are still using IAS (2003), as we haven't had success in importing our policies into NPS (2008/2012). Perhaps it's things like the MD5 that are preventing our import from completing successfully.
Matt
‎12-16-2013 05:11 PM
Hi Matt,
Can you clarify if you are using an IAS (2003) or NPS (2008/2012) RADIUS server and IAS Event Viewer possibly? If the RADIUS server is NPS it does not support MD5 by default, so the phone, if configured for MD5, would likely need to be changed to another EAP method such as PEAP for example, or use a RADIUS server that is set up for MD5. Microsoft no longer supports MD5 by default beginning with Server 2008/NPS. If this option is missing in IAS (2003), can you tell if it is available to be added in the matching RADIUS Policy?
Regards,
Scott Keene
Enterasys / Extreme Networks GTAC
‎12-16-2013 02:14 PM
Based on our configuration and the IAS Logs, it looks like EAP with MD5-Challenge:
User 2023 was granted access.
Fully-Qualified-User-Name = mhs-pa.org/NETWORK/SHORETELVOIP (VID220)/2023
NAS-IP-Address = 10.51.32.125
NAS-Identifier = fh-idfb.c5.net.mhs-pa.org
Client-Friendly-Name = NAC2
Client-IP-Address = 10.51.32.125
Calling-Station-Identifier = 00-10-49-20-C6-5C
NAS-Port-Type = Ethernet
NAS-Port = 15
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x - ShoreTelVoIP - VID220
Authentication-Type = EAP
EAP-Type = MD5-Challenge
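Added example, not part of the original posts: a Python parser for IAS event text in the layout quoted above that lists, per policy, the clients that authenticated with EAP-MD5, the method the thread says NPS (2008/2012) does not support by default. The sample events, names and MAC addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the "Name = value" layout of the IAS event quoted above.
# Users, policies and MAC addresses are made up for this example.
SAMPLE_EVENTS = """\
User 1001 was granted access.
Calling-Station-Identifier = 00-00-5E-00-53-01
Authentication-Server =
Policy-Name = 802.1x - Phones
Authentication-Type = EAP
EAP-Type = MD5-Challenge
User alice was granted access.
Calling-Station-Identifier = 00-00-5E-00-53-02
Policy-Name = 802.1x - Workstations
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
User 1002 was denied access.
Calling-Station-Identifier = 00-00-5E-00-53-03
Policy-Name = 802.1x - Phones
Authentication-Type = EAP
EAP-Type = MD5-Challenge
"""

HEADER = re.compile(r"^User (?P<user>.+) was (?P<result>granted|denied) access\.$")
ATTR = re.compile(r"^(?P<name>[A-Za-z0-9-]+) =\s*(?P<value>.*)$")

def parse_events(text):
    """Split event text into one dict per 'User ... was granted/denied access.' record."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            current = {"User": m["user"], "Result": m["result"]}
            events.append(current)
        elif current is not None and (m := ATTR.match(line)):
            # Attributes with no value (e.g. "Authentication-Server =") are kept as "".
            current[m["name"]] = m["value"].strip()
    return events

def md5_clients_by_policy(events):
    """Map policy name -> sorted Calling-Station-Identifiers that used EAP-MD5."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EAP-Type", "").lower() == "md5-challenge":
            hits[ev.get("Policy-Name", "<no policy>")].add(
                ev.get("Calling-Station-Identifier", "<unknown>"))
    return {policy: sorted(macs) for policy, macs in hits.items()}
```

Running `md5_clients_by_policy(parse_events(...))` over exported IAS events gives the list of devices whose EAP method would need to change, or whose policy would need MD5 added, before a move to NPS.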
‎12-13-2013 11:08 PM
I think you're on the right track with having to auth the phones dot1x to get this to work.
We tried to auth them 802.1x today, but NPS tells me "The client could not be authenticated because the EAP Type cannot be process by the sever." Do you have any idea what EAP type these are sending?
The connection policy allows EAP-PEAP & EAP-TLS with MSCHAP -v1/2, CHAP, PAP, and SPAP all turned on. I don't see another possible EAP type to allow.
Thanks for everyone's input.
Matt
