Installation guide

ManualsBrandsShoreTel ManualsComputer equipmentShoreWare

271

272

273

274

275

276

277

278

279

280

Implementing IEEE 802.1x IP Phone Installation

ShoreTel 14.2 Planning and Installation Guide 271

Implementing IEEE 802.1x

Most ShoreTel IP phones support 802.1x network authentication. ShoreTel IP phones support the

following aspects of 802.1x authentication:

 MD-5 challenge method only

 Multicast and unicast frames

 Devices attached to the second Ethernet port (PC port) using 802.1x PAE multicast frames

 EAPOL frames can be prioritized. EAPOL VLAN tags are not supported.

 Mandatory TIA-1057 LLDP-Med functionality for Class III communication device endpoints

ShoreTel IP phones that support 802.1x authentication are shipped with the feature enabled by

default. The first time the phone connects to a network that has 802.1x enabled, the phone must

present an ID and password for the user. The default secure user ID is the last six characters of the

phone’s MAC address; the password must be manually entered when the phone boots for the first

time. The password is cached if authentication succeeds. If the authentication fails, the phone does

not boot.

On networks where 802.1x authentication is not enabled, ShoreTel IP phones boot normally when they

connect to the Ethernet switch.

If upgrading from a firmware version that supports 802.1x (3.3.x or 3.4.x), the previous settings (802.1x

on/off, SID, password) are preserved. If upgrading from a firmware version that does not support

802.1x (2.2, 2.3, 3.1, 3.2), Logical Link Discovery Protocol (LLDP) is turned on by default, and a

default SID of the last six characters of the MAC address is applied.

While 802.1x is enabled by default in ShoreTel 11 and higher, 802.1x might have been explicitly

enabled in earlier releases through the ShoreTel IP phone parameter 802.1xEnable (a 1-character

ASCII parameter). If 802.1x is enabled on the ShoreTel IP phone and disabled on the network switch,

the ShoreTel IP phone never comes up.

You can modify the 802.1x setting through a parameter on ShoreTel IP phones:

 On ShoreTel 100-, 200-, 500-, and 600-Series IP phones, you can enable or disable 802.1x

through the 802.1xEnable option, which you can access through MUTE 73887# (SETUP#). Valid

settings are as follows:



802.1xEnable – 1 (802.1 authentication is enabled.)



802.1xEnable – 0 (802.1 authentication is disabled. This is the default.)

 On ShoreTel 400-Series IP phones, you can enable or disable 802.1x through the Use 802.1x

option available in the Admin options > Ethernet menu, which you can access through MUTE

73887# (SETUP#). The default is “On” (enabled).

The ShoreTel IP Phone models IP110 and IP115 do not support 802.1x.