08-23-2018 09:08 AM
Wondering if anyone has any experience implementing ISE with Shoretel phones?
Most of our end users have their PC connected through their Shoretel phone switch. We've had a range of issues trying to implement ISE 2.2 in our environment and most seem related to the phones. We run 2960S switches.
Hoping someone has some experience they could share ....
08-23-2018 09:45 AM
If you can provide more details about the issues, it would be helpful. But here is some information that may help:
https://community.cisco.com/t5/identity-services-engine-ise/ise-with-shoretel-ip-phone/td-p/3566895
https://community.cisco.com/t5/policy-and-access/ise-mab-and-shoretel-phones/td-p/2687440
08-23-2018 10:47 AM - edited 08-23-2018 10:48 AM
Thanks for the response, Howon. I have seen the two Shoretel-specific posts you referred to.
Here is more detail on our main issue:
We have a Shoretel phone connected to a 2960S switch.
Behind the phone is a Windows 10 PC.
Using dot1x with a cert for computer authentication and MAB for the phone and printers.
The phone will have connectivity and service, but the PC will not have Ethernet connectivity. Logs report dot1x and MAB are authorized, etc.
The only way to get the PC on the network is to remove the dot1x/MAB config from the switchport.
Port interface configuration:
switchport access vlan 10
switchport mode access
switchport voice vlan 200
spanning-tree portfast
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
08-23-2018 02:21 PM
Are you saying the switch shows both Phone and PC authorized but only Phone is functional? Can you share the output of 'show authentication session interface Gig x/y/z detail'? Also, post the authentication details on the ISE for both the phone and the PC.
08-23-2018 02:49 PM
Yes, that is correct.
Here is the switchport output:
show authentication sessions int gigabitEthernet 2/0/37
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi2/0/37   c434.6b6f.534b  dot1x   DATA    Auth        0A1911130000015E194F292F
Gi2/0/37   0010.491e.992c  mab     VOICE   Auth        0A1911130000003700020106
Within the ISE log I can see both the phone and PC successfully connecting.
08-23-2018 05:35 PM
Looks like both the PC and phone authenticated properly from the summary result. If you use the 'detail' keyword for the show authentication command it will also show you any permissions (VLAN, ACL, timers) and IP address for the endpoint as well. If the PC can't access the network even after reviewing the details, you may need to perform packet captures on the PC and on the switch to see where the traffic is getting dropped. Are there any settings you can alter on the phone?
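As an added example (not code from this thread, from Cisco or from Shoretel), here is a small Python triage script for the situation described above: it parses the `show authentication sessions` summary table in the format the poster shared, groups rows per interface, and states for every port carrying an authorized VOICE session whether the DATA session for the PC behind the phone is missing, unauthorized, or, as on Gi2/0/37 here, authorized, in which case the switch summary is not the blocker and the `detail` output and packet captures suggested in the answer are the next step. Running it over the output of several switches finds the phone-plus-PC ports worth looking at. The second interface, its MAC addresses and its session IDs in the sample are constructed.

```python
"""Triage 'show authentication sessions' output for phone + PC ports.

Added example for this thread, not the poster's or Cisco's code. Parses the
summary table the switch prints, groups sessions per interface, and says
whether the DATA domain (the PC behind the phone) is present and authorized.
"""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)

# Constructed sample: the two rows posted in the thread (Gi2/0/37) plus a
# constructed port (Gi2/0/38) where the phone authorized but the PC did not.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi2/0/37   c434.6b6f.534b  dot1x   DATA    Auth        0A1911130000015E194F292F
Gi2/0/37   0010.491e.992c  mab     VOICE   Auth        0A1911130000003700020106
Gi2/0/38   0010.491e.aa01  mab     VOICE   Auth        0A19111300000038000201AA
Gi2/0/38   c434.6b6f.5500  dot1x   DATA    Unauth      0A19111300000160194F3000
"""


def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has at least interface, MAC, method, domain, status, session ID.
        if len(fields) < 6 or not MAC_RE.match(fields[1]):
            continue
        intf, mac, method, domain, status = fields[:5]
        sessions.append({
            "interface": intf,
            "mac": mac.lower(),
            "method": method.lower(),
            "domain": domain.upper(),
            "status": status,
            # The Fg column is blank on most rows, so take the session ID from
            # the end of the line and treat anything in between as the flag.
            "flag": " ".join(fields[5:-1]),
            "session_id": fields[-1],
        })
    return sessions


def classify_port(sessions):
    """Classify one interface's sessions. Returns (code, explanation)."""
    authorized = {s["domain"] for s in sessions if s["status"].lower() == "auth"}
    present = {s["domain"] for s in sessions}
    if "VOICE" not in authorized:
        return ("voice_not_authorized",
                "phone itself is not authorized; check the MAB result on ISE")
    if "DATA" not in present:
        return ("data_missing",
                "phone up but no DATA session: the PC's frames never reached the "
                "port or the supplicant did not start")
    if "DATA" not in authorized:
        return ("data_unauthorized",
                "phone up, DATA session not authorized: check the ISE live log "
                "for the PC's MAC")
    return ("both_authorized",
            "both domains authorized on the switch: compare VLAN/ACL in the "
            "'detail' output and capture on the PC and the switch")


def triage(text):
    """Map interface -> (code, explanation) for every port in the output."""
    by_port = defaultdict(list)
    for s in parse_sessions(text):
        by_port[s["interface"]].append(s)
    return {intf: classify_port(sess) for intf, sess in sorted(by_port.items())}


if __name__ == "__main__":
    for intf, (code, why) in triage(SAMPLE_OUTPUT).items():
        print(f"{intf}: {code} - {why}")
```

The classification only uses the summary columns, so it works on pasted output from any number of ports; the VLAN policy, dACL and IP address checks still need the per-interface `detail` output, which this script does not parse.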