topic Shoretel Phones in Network Access Control

Shoretel Phones

FredW — Thu, 23 Aug 2018 16:08:09 GMT

Wondering if anyone has any experience implementing ISE with Shoretel phones?

Most of our end users have their PC connected through their Shoretel phone switch. We've had a range of issues trying to implement ISE 2.2 in our environment and most seem related to the phones. We run 2960s switches.

Hoping someone has some experience they could share ....

Re: Shoretel Phones

howon — Thu, 23 Aug 2018 16:45:42 GMT

If you can provide more details about the issues, it would be helpful. But here are some information that may help:

https://community.cisco.com/t5/identity-services-engine-ise/ise-with-shoretel-ip-phone/td-p/3566895

https://community.cisco.com/t5/policy-and-access/ise-mab-and-shoretel-phones/td-p/2687440

Re: Shoretel Phones

FredW — Thu, 23 Aug 2018 17:48:11 GMT

Thanks for the response, Howon. I have seen the two Shoretel specific posts you referred to.

Here is more detail on our main issue:

We have Shoretel phone connected to 2960s switch.

Behind phone is Windows 10 PC.

Using dot1.x with cert for computer authentication and MAB for phone and printers.

Phone will have connectivity and service but PC will not have ethernet connectivity. Logs report dot1x and MAB are authorized, etc.

Only way to get PC on network is to remove the dot1.x/mab config from switchport.

Port interface configuration:

switchport access vlan 10
switchport mode access
switchport voice vlan 200
spanning-tree portfast

authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator

Re: Shoretel Phones

howon — Thu, 23 Aug 2018 21:21:26 GMT

Are you saying the switch shows both Phone and PC authorized but only Phone is functional? Can you share the output of 'show authentication session interface Gig x/y/z detail'? Also, post the authentication details on the ISE for both the phone and the PC.

Re: Shoretel Phones

FredW — Thu, 23 Aug 2018 21:49:13 GMT

Yes, that is correct.

Here is the switchport output:

show authentication sessions int gigabitEthernet 2/0/37

Interface MAC Address Method Domain Status Fg Session ID

----------------------------------------------------------------------

Gi2/0/37 c434.6b6f.534b dot1x DATA Auth 0A1911130000015E194F292F

Within the ISE log I can see both the phone and PC successfully connecting.

Gi2/0/37 0010.491e.992c mab VOICE Auth 0A1911130000003700020106

Re: Shoretel Phones

howon — Fri, 24 Aug 2018 00:35:50 GMT

Looks like both the PC and phone authenticated properly from the summary result. If you use the 'detail' keyword for the show authentication command it will also show you any permissions (VLAN, ACL, timers) and IP address for the endpoint as well. If the PC can't access the network even after reviewing the details, you may need to perform packet captures on the PC and on the switch to see where the traffic is getting dropped. Are there any settings you can alter on the phone?