Thanks Hsing-Tsu

Will it support another ISE ?

I just want to test the SCEP functionality

I am trying to add one ISE server as SCEP server to another ISE but thats failing too.. Not sure if this would work.

Ultimately we would want to have as SCEP to MDM server.

It's tested with ASA only. Here are two LabMinutes video on that:

• How to Configure Cisco ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 1)
• How to Configure Cisco ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 2)

If you need it supported for external MDM, please bring it up with our PM teams.

Is there still no solution to issue certificates to Cisco devices (routers, switches, wlc) from ISE CA?

From my view It is very disappointing that a Cisco CA (ISE) is not able to issue certificates to their own main product series.

AFAIK this is still not possible. The enhancement 'bug' that was referenced by Hsing below shows a status of Terminated. This is likely because the ISE CA is mainly intended for the BYOD use case (and maybe pxGrid, where needed). It is not intended/supported to be used as an Enterprise CA and that fact is not likely to change.

Hi Greg,

I was never asking the ISE to become an Enterprise CA - I was just asking why it does not support Cisco products.

E.g. for RADIUS DTLS with ISE the devices need to have certificates installed, but its own/internal CA is not supporting them.