Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and ShoreTel VoIP Phones

  • 1.  ClearPass and ShoreTel VoIP Phones

    Posted Jun 05, 2015 12:04 PM

    2 Things:

    1.   Has anyone had any success with implementing ShoreTel phones in a ClearPass environment?  Having a heck of a time getting the phone on the voice vlan.  The phone boots into the data vlan just fine after MAC Auth.  However on the 2nd reboot to get on the voice vlan it can't get an address.

     

    2.  ClearPass is only profiling SOME ShoreTel phones...not all.  Successful profiling looks like this:

    [screenshot: shortel1.JPG]

     

         Unsuccessful profiling looks like this:

    [screenshot: shortel2.JPG]

     

    Sometimes it's classified as a category = VoIP Phone and Device OS Family = ShoreTel.  Sometimes it's unknown and unknown.  

     

    Curious if anyone has had a successful ClearPass/ShoreTel implementation, and if so, how did you get it to work.



  • 2.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Jun 21, 2015 04:45 AM

    The profiling I can't easily explain, do you perhaps have different batches with different firmware versions or such?

     

    As for the data / voice vlan, I believe this is something you gotta handle on the switch side. Which switches are you using? Do the phones use a trunk config or a data / voice vlan setup (usually done with cisco switches)?

     



  • 3.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Jun 21, 2015 10:46 PM

    Thanks for the reply.  

    I'm using a mix of access switches....namely 3750x with a couple 4507's. All have the ipbase image. 

    I'm not trunking, however I am using the data/voice vlan configuration.  Works perfectly on trusted ports. 

    Here is how a dot1x-enabled port is configured on an untrusted switchport:

     

    interface GigabitEthernet1/0/1
    switchport access vlan 29
    switchport mode access
    switchport voice vlan 129
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 3
    spanning-tree portfast



  • 4.  RE: ClearPass and ShoreTel VoIP Phones
    Best Answer

    EMPLOYEE
    Posted Jun 22, 2015 07:46 AM

    Hi Ryan,

     

    Your settings look good. On ClearPass, you will need to pass back the av-pair of device-traffic-class=voice for the MAC auth of the phone after it is profiled.

     

    Have a look at the attached doc that I wrote. Make sure you enable mls qos and lldp on the switch (listed in the doc).




  • 5.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Jun 22, 2015 04:57 PM

    Thank you kindly Zach.  Greatly appreciate the info. 

    I'm curious as to how your service is configured.  I don't have my vlans individually defined in Enforcement Profiles like your word doc.  How are you applying profiles to policies, then policies to services in this example?  



  • 6.  RE: ClearPass and ShoreTel VoIP Phones

    EMPLOYEE
    Posted Jun 23, 2015 07:56 AM

    I believe I had the enforcement sending back the voice vsa for unknown and then profiled VoIP phones. Once profiled, I would also send back the VLAN named 'voice' on the switch. You can actually just send back that name instead of a VLAN number. As long as you name the voice VLAN voice on the switch, it will take.

     

    One important thing to keep in mind is that you need to use the DHCP server to tell the phone which VLAN is tagged for voice. That way when the phone boots up, it gets that DHCP option, reboots, and attempts to connect via the tagged VLAN.

     

    Hope this helps.



  • 7.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Jun 23, 2015 11:50 AM

    Thanks again for the quick reply. :-)

    The word doc that you attached to this thread references another document for Profile Setup.  Would you happen to have a copy of this document that you could share?  I'm trying to piece all of this together (your info, coupled with how my services are configured) and they appear to be much different.  What you shared makes sense, but only if the policy and service are configured in a way that can use it.  Make sense? :-)

     



  • 8.  RE: ClearPass and ShoreTel VoIP Phones

    EMPLOYEE
    Posted Jun 23, 2015 12:16 PM

    That should be referring to the previous tech note that I wrote.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10344

     

    That's a link to it. It is in the Documentation section of our support site, under Software->ClearPass->Policy Manager->Tech Notes.



  • 9.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Jul 09, 2015 05:08 PM

    Thanks to all for your replies.  Finally got this working today with this simple Enforcement Profile:

     

    [screenshot: Capture.JPG]

     

    Also helped that the Aruba developers wrote some code to correctly fingerprint ShoreTel phones, which was not happening.  

     

    Thanks again! 



  • 10.  RE: ClearPass and ShoreTel VoIP Phones

    Posted Apr 18, 2018 07:44 AM

    Hello Zach,

    I know this is an old post, but what you posted as a document looks to be useful,

    I'm running two services, the first for users with 802.1x (for AD users), and the second for MAC auth (with device profiling),

    I'm wondering if my switch port can be configured like the following:

     

    interface fast 0/1

    switchport access vlan yy("default vlan")
    switchport mode access

    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 10
    dot1x max-req 3
    dot1x max-reauth-req 3
    spanning-tree portfast

    which means without "switchport voice vlan zz",
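As an added example (not code from the thread or from HPE Aruba), here is a small checker that reads a Cisco IOS running-config and reports, per interface, which of the multi-domain data/voice port commands from reply 3 are missing, and globally whether the `mls qos` and `lldp run` commands the best answer asks for are present. The required-command list and the sample config are assumptions modelled on the configs posted above; the sample reproduces the reply 10 port with no `switchport voice vlan` line.

```python
import re

# Interface commands the working port in reply 3 shows for a multi-domain
# (data + voice) 802.1X/MAB port that ClearPass authorizes (assumed set).
REQUIRED_IF_CMDS = {"authentication host-mode multi-domain",
                    "authentication port-control auto",
                    "mab", "dot1x pae authenticator"}
# The voice VLAN can be an id or a name, so it is matched by pattern.
VOICE_VLAN_RE = re.compile(r"^switchport voice vlan \S+$")
# Global commands the best answer says to enable (mls qos, lldp).
REQUIRED_GLOBAL_CMDS = {"mls qos", "lldp run"}

def parse_ios_config(text):
    # Split running-config text into global commands and per-interface
    # command sets; a bare '!' (or blank) line closes the current block.
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current is not None:
            interfaces[current].add(line)
        else:
            global_cmds.add(line)
    return global_cmds, interfaces

def check_voice_ports(text):
    # Return {'global': [missing...], '<interface>': [missing...]}.
    global_cmds, interfaces = parse_ios_config(text)
    report = {"global": sorted(REQUIRED_GLOBAL_CMDS - global_cmds)}
    for name, cmds in interfaces.items():
        missing = sorted(REQUIRED_IF_CMDS - cmds)
        if not any(VOICE_VLAN_RE.match(c) for c in cmds):
            missing.append("switchport voice vlan <id>")
        report[name] = missing
    return report

# Constructed sample modelled on reply 10's port: no voice VLAN, no lldp run.
NO_VOICE_CFG = """mls qos
!
interface FastEthernet0/1
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""
```

Running `check_voice_ports(NO_VOICE_CFG)` flags the missing `switchport voice vlan` on FastEthernet0/1 and the missing global `lldp run`, which is the gap reply 10 is asking about.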