Frequent Contributor II

ClearPass and ShoreTel VoIP Phones

2 Things:

1.   Has anyone had any success with implementing ShoreTel phones in a ClearPass environment?  Having a heck of a time getting the phone on the voice vlan.  The phone boots into the data vlan just fine after MAC Auth.  However on the 2nd reboot to get on the voice vlan it can't get an address.

 

2.  ClearPass is only profiling SOME ShoreTel phones...not all.  Successful profiling looks like this:

shortel1.JPG

 

     Unsuccessful profiling looks like this:

shortel2.JPG

 

Sometimes it's classified as a category = VoIP Phone and Device OS Family = ShoreTel.  Sometimes it's unknown and unknown.  

 

Curious if anyone has had a successful ClearPass/ShoreTel implementation, and if so, how did you get it to work.  

Re: ClearPass and ShoreTel VoIP Phones

The profiling I can't easily explain; do you perhaps have different batches with different firmware versions or such?

 

As for the data / voice vlan, I believe this is something you gotta handle on the switch side. Which switches are you using? Do the phones use a trunk config or a data / voice vlan setup (usually done with Cisco switches)?

 

Frequent Contributor II

Re: ClearPass and ShoreTel VoIP Phones

Thanks for the reply.  

I'm using a mix of access switches....namely 3750x with a couple 4507's. All have the ipbase image. 

I'm not trunking, however I am using the data/voice vlan configuration.  Works perfectly on trusted ports. 

Here is how a dot1x-enabled port is configured on an untrusted switchport:

 

interface GigabitEthernet1/0/1
 switchport access vlan 29
 switchport mode access
 switchport voice vlan 129
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast

Aruba Employee

Re: ClearPass and ShoreTel VoIP Phones

Hi Ryan,

 

Your settings look good. On ClearPass, you will need to pass back the av-pair of device-traffic-class=voice for the MAC auth of the phone after it is profiled.

 

Have a look at the attached doc that I wrote. Make sure you enable mls qos and lldp on the switch (listed in the doc).

Thanks,

Zach Jennings
Frequent Contributor II

Re: ClearPass and ShoreTel VoIP Phones

Thank you kindly Zach.  Greatly appreciate the info. 

I'm curious as to how your service is configured.  I don't have my vlans individually defined in Enforcement Profiles like your word doc.  How are you applying profiles to policies, then policies to services in this example?  

Aruba Employee

Re: ClearPass and ShoreTel VoIP Phones

I believe I had the enforcement sending back the voice vsa for unknown and then profiled VoIP phones. Once profiled, I would also send back the VLAN named 'voice' on the switch. You can actually just send back that name instead of a VLAN number. As long as you name the voice VLAN voice on the switch, it will take.

 

One important thing to keep in mind is that you need to use the DHCP server to tell the phone which VLAN is tagged for voice. That way when the phone boots up, it gets that DHCP option, reboots, and attempts to connect via the tagged VLAN.

 

Hope this helps.

Thanks,

Zach Jennings
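
Added example, not part of the thread or of the attached doc: a small Python check that decodes the attributes of a RADIUS Access-Accept and reports whether it carries the device-traffic-class=voice av-pair and the VLAN name discussed above. The attribute numbers come from RFC 2865/2868; the function names, the sample replies and the simplified "voice or data domain" decision are assumptions made for illustration.

```python
import struct

CISCO_VENDOR_ID = 9                            # IANA enterprise number for Cisco
VOICE_AVPAIR = b"device-traffic-class=voice"   # av-pair named in the thread

def attr(code, value):
    return bytes([code, len(value) + 2]) + value   # type, length, value

def cisco_avpair(value):
    """Cisco-AVPair: Vendor-Specific (26), vendor 9, vendor-type 1."""
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + attr(1, value))

def parse_attrs(data):
    """Yield (type, value) per attribute; reject malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield code, data[i + 2:i + length]
        i += length

def port_domain(accept_attrs):
    """Return (domain, vlan) a multi-domain port would derive (simplified)."""
    domain, vlan = "data", None                # no voice av-pair: data domain
    for code, value in parse_attrs(accept_attrs):
        if code == 26 and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor == CISCO_VENDOR_ID and vtype == 1
                    and value[6:4 + vlen] == VOICE_AVPAIR):
                domain = "voice"
        elif code == 81 and value:             # Tunnel-Private-Group-ID
            # RFC 2868: a first octet <= 0x1F is a tag, not part of the name
            raw = value[1:] if value[0] <= 0x1F else value
            vlan = raw.decode("ascii", "replace")
    return domain, vlan

# Constructed sample replies (not captured traffic)
VLAN_BY_NAME = (attr(64, b"\x00\x00\x00\x0d")    # Tunnel-Type = VLAN (13)
                + attr(65, b"\x00\x00\x00\x06")  # Tunnel-Medium-Type = IEEE-802
                + attr(81, b"voice"))            # VLAN name from the thread
PHONE_REPLY = cisco_avpair(VOICE_AVPAIR) + VLAN_BY_NAME
NO_VSA_REPLY = VLAN_BY_NAME

if __name__ == "__main__":
    print(port_domain(PHONE_REPLY), port_domain(NO_VSA_REPLY))
```

Running the same check against the attribute bytes of a real Access-Accept taken from a packet capture shows quickly whether the enforcement profile is returning the voice av-pair for the phone's MAC auth.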
Frequent Contributor II

Re: ClearPass and ShoreTel VoIP Phones

Thanks again for the quick reply. :-)

The word doc that you attached to this thread references another document for Profile Setup.  Would you happen to have a copy of this document that you could share?  I'm trying to piece all of this together (your info, coupled with how my services are configured) and they appear to be much different.  What you shared makes sense, but only if the policy and service are configured in a way that can use it.  Make sense? :-)

 

Aruba Employee

Re: ClearPass and ShoreTel VoIP Phones

That should be referring to the previous tech note that I wrote.

 

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10344

 

That's a link to it. It is in the Documentation section of our support site, under Software->ClearPass->Policy Manager->Tech Notes.

Thanks,

Zach Jennings
Frequent Contributor II

Re: ClearPass and ShoreTel VoIP Phones

Thanks to all for your replies.  Finally got this working today with this simple Enforcement Profile:

 

Capture.JPG

 

Also helped that the Aruba developers wrote some code to correctly fingerprint ShoreTel phones, which was not happening.  

 

Thanks again! 
