Solved: ISE with Shoretel IP Phone

avallely · ‎04-06-2017

My customer are going to deploy Shoretel 230 IP Phone and want to use ISE. I have specificed Plus license for profiling, but they have asked if we download a Cert to the IP Phone, and how would we do this. I have seen that we can use SCEP with Cisco IP Phones, but not seen anything wrt the Shoretel.

It appears as though we must create a profile and use MAB.

Can you clarify for me?

Many thanks,

Andy

thomas · ‎04-10-2017

We haven't done any testing with provisioning Shoretel phones for 802.1X. As Paul said, it's unclear if they actually support certificates (EAP-TLS) on their phones or just username/password (PEAP) authentication.

If Shoretel does support certificates, the SCEP interface is the standard way for requesting & obtaining certificates so you may use ISE as your CA server in this case.

View solution in original post

paul · ‎04-06-2017

I haven't done EAP-TLS on Shortel and would advocate using profiling, but if the customer insists on using 802.1x it looks like they support PEAP:

https://support.shoretel.com/kb/view.php?id=kA0C0000000LGHPKA4

You could setup local users in ISE for the phones and have 802.1x configured by the phone tech during initial phone setup. Sounds painful, but could be doable.

thomas · ‎04-10-2017

We haven't done any testing with provisioning Shoretel phones for 802.1X. As Paul said, it's unclear if they actually support certificates (EAP-TLS) on their phones or just username/password (PEAP) authentication.

If Shoretel does support certificates, the SCEP interface is the standard way for requesting & obtaining certificates so you may use ISE as your CA server in this case.