ISE, MAB and Shoretel Phones

deyster94
Level 5

I am working on setting up ISE for a client that uses Shoretel Phones.  I created a profile for the devices so we can use MAB.  However, even though the switches and ISE show the phone passing authentication and authorization, the phone does not get an IP address.  I know the phone does work since when I take the commands off the switch port, the phone connects fine to the network.  

I am not sure if this is an ISE issue or Shoretel.  

TIA,

Dan

3 Replies

deyster94
Level 5

Well, I figured it out. I had to enable LLDP on the switch to tell the phone what VLAN to reside in. The client told me that when the phone is connected, it first connects to the data VLAN and from there, gets the information on the phone VLAN, FTP server, etc. From there, it reloads and connects to the phone VLAN and downloads its config. They have all their ports in trunk ports (cringe), but with LLDP, I have them in access ports.

On the AuthZ profile, I tried using a dACL, which the phone didn't like.  Not a big deal since it was permit ip any any.  I was able to use the voice domain permission option as well.

Hopefully this will help someone in the future.

Dan
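
The switch side of the setup described in this reply, as an added example that is not from the original post: an access port with a voice VLAN, MAB and multi-domain host mode, with LLDP enabled globally so the switch can advertise the voice VLAN to the phone. The interface name and VLAN IDs 10 and 20 are assumed values, and the global AAA/RADIUS configuration pointing at ISE is assumed to be in place already.

```cisco
! Added example; interface name and VLAN IDs are assumed values.
!
! Global: turn LLDP on. Per-interface transmit and receive are enabled
! by default once LLDP is running.
lldp run
!
interface GigabitEthernet1/0/30
 switchport mode access
 ! Data VLAN for a PC behind the phone (assumed: 10)
 switchport access vlan 10
 ! Voice VLAN; with LLDP running the switch advertises it to the phone
 ! in the LLDP-MED network policy (assumed: 20)
 switchport voice vlan 20
 ! One device in the data domain and one in the voice domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! Authenticate the phone by MAC address
 mab
 spanning-tree portfast
!
! ISE side: the "Voice Domain Permission" option in the authorization
! profile returns this attribute in the Access-Accept, which is what
! places the phone's session in the voice domain:
!   cisco-av-pair = device-traffic-class=voice
!
! Checks from exec mode:
!   show lldp neighbors GigabitEthernet1/0/30 detail
!   show authentication sessions interface GigabitEthernet1/0/30
```

In the session output, the phone's MAC address should be listed under the VOICE domain and the PC's under DATA.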

Hey Dan,

We are trying to get our Shoretel phones to use 802.1x/cisco2960(15.0(2)SE6)/NPS (with registry hack for MD5).

interface GigabitEthernet1/0/30
 switchport mode access
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 no cdp enable
 spanning-tree portfast

LLDP has been enabled, and according to Shoretel's scant docs, when using LLDP the phone should only reboot once. The config of the port reflects our desire to have the phone send its voice traffic over the voice VLAN and piggyback a PC through said phone. The PC will be on VLAN 10 and the voice VLAN is 20. Right now we have the NPS server handing out VLAN 10 when the phone authenticates, thus putting the port in the right VLAN for the piggybacked PC, but the phone never recognizes the voice VLAN (20) and just loops. Shoretel has been zero help, any recommendations?

thanks,

rif

Hello, I'm from the future. 

So grateful to have found your post, but I'm struggling to understand the LLDP setup that you mentioned. I have it configured globally with "lldp run" and that's about it. Not sure if I need to add more LLDP configs, do you mind sharing?

 

Regards, Sasni