This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Anyone using ShoreTel VOIP with Enterasys NAC?

Anyone using ShoreTel VOIP with Enterasys NAC?

Matt_Stone
New Contributor

‎12-11-2013 09:00 PM

We had a ShoreTel VOIP system installed yesterday, this is our first step into the VOIP world. We're using Enterasys NAC with MAC and 802.1x authentication for clients. Ports are configured for both MAC and 802.1x auth with 8 users allowed.

We MAC authenticated the phones and they work fine, however when we plug a computer into the phone it doesn't seem to pass the authentication request up to the switch. Is anyone running this setup? I believe we are looking for some type of 802.1x pass-through option on the phone, but haven't found it so far. The phones are model IP 480g

Thanks
0 Kudos
19 REPLIES 19

Scott_Keene
New Contributor

‎12-16-2013 05:32 PM

Hi Matt,

Is MD5 listed if you click on the EAP Methods button in the matching RADIUS Policy (go to Edit Profile >> Authentication tab first)? If not, can you add MD5 there (Add button in the Select EAP Providers UI))? I am not sure I recall seeing this missing on a 2003 server but if yours is that would be strange for sure.

-Scott
0 Kudos

hessm_mhs-pa_or
New Contributor

‎12-16-2013 05:19 PM

Scott,

We are still using IAS (2003) as we haven't had success in importing our policies into NPS (2008/2012) perhaps it's things like the MD5 that are preventing our import from completing successfully.

Matt
0 Kudos

Scott_Keene
New Contributor

‎12-16-2013 05:11 PM

Hi Matt,

Can you clarify if you are using an IAS (2003) or NPS (2008/2012) RADIUS server and IAS Event Viewer possibly? If the RADIUS server is NPS it does not support MD5 by default, so the phone, if configured for MD5, would likely need to be changed to another EAP method such as PEAP for example, or use a RADIUS server that is setup for MD5. Microsoft no longer supports MD5 by default beginning with Server 2008/NPS. If this option is missing in IAS (2003) can you tell if is it available to be added in the matching RADIUS Policy?

Regards,

Scott Keene

Enterasys / Extreme Networks GTAC

0 Kudos

hessm_mhs-pa_or
New Contributor

‎12-16-2013 02:14 PM

Based on our configuration and the IAS Logs it looks like EAP with MD5-Challange



User 2023 was granted access.
Fully-Qualified-User-Name = mhs-pa.org/NETWORK/SHORETELVOIP (VID220)/2023
NAS-IP-Address = 10.51.32.125
NAS-Identifier = fh-idfb.c5.net.mhs-pa.org
Client-Friendly-Name = NAC2
Client-IP-Address = 10.51.32.125
Calling-Station-Identifier = 00-10-49-20-C6-5C
NAS-Port-Type = Ethernet
NAS-Port = 15
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x - ShoreTelVoIP - VID220
Authentication-Type = EAP
EAP-Type = MD5-Challenge
0 Kudos

Matt_Stone
New Contributor

‎12-13-2013 11:08 PM

I think you're on the right track with having to auth the phones dot1x to get this to work.

We tried to auth them 802.1x today, but NPS tells me "The client could not be authenticated because the EAP Type cannot be process by the sever." Do you have any idea what EAP type these are sending?

The connection policy allows EAP-PEAP & EAP-TLS with MSCHAP -v1/2, CHAP, PAP, and SPAP all turned on. I don't see another possible EAP type to allow.

Thanks for everyone's input.

Matt
0 Kudos
GTM-P2G8KFN