Shoretel Phones

FredW
Level 1

Wondering if anyone has any experience implementing ISE with Shoretel phones?

Most of our end users have their PC connected through their Shoretel phone switch. We've had a range of issues trying to implement ISE 2.2 in our environment and most seem related to the phones. We run 2960s switches.

Hoping someone has some experience they could share ....

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee

Looks like both the PC and phone authenticated properly from the summary result. If you use the 'detail' keyword for the show authentication command it will also show you any permissions (VLAN, ACL, timers) and IP address for the endpoint as well. If the PC can't access the network even after reviewing the details, you may need to perform packet captures on the PC and on the switch to see where the traffic is getting dropped. Are there any settings you can alter on the phone?


howon
Cisco Employee

Thanks for the response, Howon. I have seen the two Shoretel specific posts you referred to.

Here is more detail on our main issue:

We have a Shoretel phone connected to a 2960s switch.

Behind the phone is a Windows 10 PC.

Using dot1x with cert for computer authentication and MAB for phone and printers.

The phone will have connectivity and service but the PC will not have Ethernet connectivity. Logs report dot1x and MAB are authorized, etc.

The only way to get the PC on the network is to remove the dot1x/MAB config from the switchport.

Port interface configuration:

switchport access vlan 10
switchport mode access
switchport voice vlan 200
spanning-tree portfast

authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator

howon
Cisco Employee

Are you saying the switch shows both Phone and PC authorized but only Phone is functional? Can you share the output of 'show authentication session interface Gig x/y/z detail'? Also, post the authentication details on the ISE for both the phone and the PC.

Yes, that is correct.

Here is the switchport output:

show authentication sessions int gigabitEthernet 2/0/37

Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi2/0/37     c434.6b6f.534b dot1x   DATA    Auth      0A1911130000015E194F292F
Gi2/0/37     0010.491e.992c mab     VOICE   Auth      0A1911130000003700020106

Within the ISE log I can see both the phone and PC successfully connecting.

howon
Cisco Employee

Looks like both the PC and phone authenticated properly from the summary result. If you use the 'detail' keyword for the show authentication command it will also show you any permissions (VLAN, ACL, timers) and IP address for the endpoint as well. If the PC can't access the network even after reviewing the details, you may need to perform packet captures on the PC and on the switch to see where the traffic is getting dropped. Are there any settings you can alter on the phone?
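
An added example, not part of the thread or written by any of its participants: a small Python triage helper that parses the summary table posted above and separates ports where authentication failed from ports where both the DATA and VOICE sessions are authorized, which is the case discussed here and the one where the 'detail' output is the next thing to check. The function names and verdict labels are hypothetical, and the sample input is constructed from the two rows in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the two session rows posted in the thread.
SAMPLE = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi2/0/37     c434.6b6f.534b dot1x   DATA    Auth      0A1911130000015E194F292F
Gi2/0/37     0010.491e.992c mab     VOICE   Auth      0A1911130000003700020106
"""

# One summary row; the Fg (flags) column may be empty, as it is in the thread.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>\S+)\s+)?(?P<sid>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

def parse_sessions(text):
    """Return {interface: [row dict, ...]} for every session row in text."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            ports[m["intf"]].append(m.groupdict())
    return dict(ports)

def triage(ports):
    """Map each interface to (verdict, follow-up command)."""
    report = {}
    for intf, rows in ports.items():
        authed = {r["domain"].upper() for r in rows if r["status"].lower() == "auth"}
        failed = [r["mac"] for r in rows if r["status"].lower() != "auth"]
        if failed:
            verdict = "auth-failure"      # an endpoint is not authorized at all
        elif {"DATA", "VOICE"} <= authed:
            verdict = "both-authorized"   # the thread's case: review VLAN/ACL per session
        else:
            verdict = "partial"           # only one domain has a session on this port
        # 'detail' keyword as worded in the thread
        report[intf] = (verdict, f"show authentication sessions interface {intf} detail")
    return report

if __name__ == "__main__":
    for intf, (verdict, cmd) in triage(parse_sessions(SAMPLE)).items():
        print(f"{intf}: {verdict} -> {cmd}")
```

A "both-authorized" verdict means authentication itself is not the failing step, so the per-session permissions and a packet capture are where to look next.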