06-05-2015 09:03 AM
1. Has anyone had any success with implementing ShoreTel phones in a ClearPass environment? Having a heck of a time getting the phone on the voice vlan. The phone boots into the data vlan just fine after MAC Auth. However on the 2nd reboot to get on the voice vlan it can't get an address.
2. ClearPass is only profiling SOME ShoreTel phones...not all. Successful profiling looks like this:
Unsuccessful profiling looks like this:
Sometimes it's classified as a category = VoIP Phone and Device OS Family = ShoreTel. Sometimes it's unknown and unknown.
Curious if anyone has had a successful ClearPass/ShoreTel implementation, and if so, how did you get it to work.
06-21-2015 01:44 AM
The profiling I can't easily explain. Do you perhaps have different batches with different firmware versions or such?
As for the data/voice VLAN, I believe this is something you have to handle on the switch side. Which switches are you using? Do the phones use a trunk config or a data/voice VLAN setup (usually done with Cisco switches)?
06-21-2015 07:46 PM
Thanks for the reply.
I'm using a mix of access switches, namely 3750X with a couple of 4507s. All have the IP Base image.
I'm not trunking, however I am using the data/voice vlan configuration. Works perfectly on trusted ports.
Here is how a dot1x-enabled port is configured on an untrusted switchport:
switchport access vlan 29
switchport mode access
switchport voice vlan 129
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 3
06-22-2015 04:46 AM
Your settings look good. On ClearPass, you will need to pass back the av-pair of device-traffic-class=voice for the MAC auth of the phone after it is profiled.
Have a look at the attached doc that I wrote. Make sure you enable mls qos and lldp on the switch (listed in the doc).
06-22-2015 01:57 PM
Thank you kindly Zach. Greatly appreciate the info.
I'm curious as to how your service is configured. I don't have my vlans individually defined in Enforcement Profiles like your word doc. How are you applying profiles to policies, then policies to services in this example?
06-23-2015 04:56 AM
I believe I had the enforcement sending back the voice VSA for unknown and then profiled VoIP phones. Once profiled, I would also send back the VLAN named 'voice' on the switch. You can actually just send back that name instead of a VLAN number. As long as you name the voice VLAN 'voice' on the switch, it will take.
One important thing to keep in mind is that you need to use the DHCP server to tell the phone which VLAN is tagged for voice. That way when the phone boots up, it gets that DHCP option, reboots, and attempts to connect via the tagged VLAN.
Hope this helps.
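To make the two replies above concrete (the cisco-avpair device-traffic-class=voice for the phone's MAC auth, and the VLAN returned by name rather than number), here is an added example that is not code from the thread, from Aruba, or from ClearPass itself. It encodes just the RADIUS attribute payload an Access-Accept would carry (no packet header or authenticator), then decodes it the way a Cisco port in multi-domain mode would read it. The tag value 1, the VLAN name "voice", the data VLAN "29", and the enforcement_for() policy that sends the voice attributes to both Unknown and VoIP Phone endpoints are assumptions taken from the thread's description, not a ClearPass export. The DHCP option the phone needs to learn its tagged VLAN is outside what this block shows.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the Cisco vendor ID (IANA enterprise 9).
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VENDOR_CISCO = 9
CISCO_AVPAIR = 1  # vendor-type 1 under vendor 9 is "cisco-avpair"


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: one tag octet followed by a 3-octet integer (RFC 2868)."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tunnel_str(attr_type: int, tag: int, text: str) -> bytes:
    """Tagged string attribute: one tag octet followed by the string."""
    return _attr(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying a single cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def voice_enforcement(vlan: str = "voice", tag: int = 1) -> bytes:
    """Attributes for a phone: VLAN assigned by name plus the voice traffic class (assumed values)."""
    return (
        tunnel_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tunnel_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tunnel_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, vlan)
        + cisco_avpair("device-traffic-class=voice")
    )


def data_enforcement(vlan: str = "29", tag: int = 1) -> bytes:
    """Attributes for an ordinary data endpoint: VLAN only, no traffic-class AV pair (assumed values)."""
    return (
        tunnel_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tunnel_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tunnel_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, vlan)
    )


def enforcement_for(category: str) -> bytes:
    """Hypothetical policy mirroring the thread: Unknown and VoIP Phone get voice, everything else data."""
    if category in ("VoIP Phone", "Unknown"):
        return voice_enforcement()
    return data_enforcement()


def parse_attrs(data: bytes) -> list:
    """Walk the attribute list, unpacking Vendor-Specific attributes into (vendor, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type != ATTR_VENDOR_SPECIFIC:
            out.append(("attr", attr_type, value))
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        j = 4
        while j < len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed VSA")
            out.append(("vsa", vendor, vtype, value[j + 2:j + vlen]))
            j += vlen
    return out


def switch_view(data: bytes) -> dict:
    """What a Cisco port in multi-domain mode takes from these attributes: the VLAN
    (name or number) and whether the session lands in the voice or data domain."""
    view = {"vlan": None, "tunnel_type": None, "medium": None, "traffic_class": "data"}
    for item in parse_attrs(data):
        if item[0] == "attr":
            _, attr_type, value = item
            if attr_type not in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
                continue
            # RFC 2868: a leading octet of 0x00..0x1F is a tag; anything larger is data.
            body = value[1:] if value and value[0] <= 0x1F else value
            if attr_type == ATTR_TUNNEL_TYPE:
                view["tunnel_type"] = int.from_bytes(body, "big")
            elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
                view["medium"] = int.from_bytes(body, "big")
            else:
                view["vlan"] = body.decode()
        else:
            _, vendor, vtype, value = item
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                key, _, val = value.decode().partition("=")
                if key == "device-traffic-class":
                    view["traffic_class"] = val
    return view


if __name__ == "__main__":
    for cat in ("Unknown", "VoIP Phone", "Windows"):
        print(cat, "->", switch_view(enforcement_for(cat)))
```

Running it shows that Unknown and VoIP Phone endpoints both land in the voice domain on VLAN "voice", while anything else gets VLAN 29 in the data domain. One thing this policy makes visible: an endpoint that never profiles keeps receiving the voice attributes, so it is worth confirming in the Access Tracker which endpoints are actually matching the Unknown branch.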
06-23-2015 08:49 AM
Thanks again for the quick reply. :-)
The word doc that you attached to this thread references another document for Profile Setup. Would you happen to have a copy of this document that you could share? I'm trying to piece all of this together (your info, coupled with how my services are configured) and they appear to be much different. What you shared makes sense, but only if the policy and service are configured in a way that can use it. Make sense? :-)
06-23-2015 09:15 AM
That should be referring to the previous tech note that I wrote.
That's a link to it. It is in the Documentation section of our support site, under Software->ClearPass->Policy Manager->Tech Notes.
07-09-2015 02:07 PM
Thanks to all for your replies. Finally got this working today with this simple Enforcement Profile:
Also helped that the Aruba developers wrote some code to correctly fingerprint ShoreTel phones, which was not happening.