06-16-2017 11:15 AM
Has anyone implemented ISE as a SCEP server?
I am trying to enroll a cert into a switch to test SCEP functionality in ISE, but I cannot make it work.
ISE SCEP URL
crypto pki trustpoint ISEPSN
 enrollment url http://usnjise03.svlab.local:9090/auth/caservice/pkiclient.exe
 revocation-check crl
 rsakeypair scep
crypto pki authenticate ISEPSN
I am receiving an error after the above switch commands:
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
06-16-2017 01:53 PM
ISE internal CA/SCEP is not currently supporting Cisco IOS. See CSCuz49209. There is some mismatch in the cert usage field.
06-19-2017 12:00 PM
Thanks Hsing-Tsu
Will it support another ISE?
I just want to test the SCEP functionality.
I am trying to add one ISE server as a SCEP server to another ISE, but that's failing too. Not sure if this would work.
Ultimately we would want to have as SCEP to MDM server.
06-19-2017 12:31 PM
It's tested with ASA only. Here are two LabMinutes videos on that:
If you need it supported for external MDM, please bring it up with our PM teams.
04-06-2022 09:37 AM
Is there still no solution to issue certificates to Cisco devices (routers, switches, wlc) from ISE CA?
From my view, it is very disappointing that a Cisco CA (ISE) is not able to issue certificates to their own main product series.
04-06-2022 03:11 PM
AFAIK this is still not possible. The enhancement 'bug' that was referenced by Hsing below shows a status of Terminated. This is likely because the ISE CA is mainly intended for the BYOD use case (and maybe pxGrid, where needed). It is not intended/supported to be used as an Enterprise CA and that fact is not likely to change.
04-11-2022 05:05 AM - edited 04-11-2022 05:07 AM
Hi Greg,
I was never asking the ISE to become an Enterprise CA - I was just asking why it does not support Cisco products.
E.g. for RADIUS DTLS with ISE the devices need to have certificates installed, but its own/internal CA is not supporting them.