topic Re: ISE SCEP connection to Win2003 server unsuccessful in Network Access Control

ISE SCEP connection to Win2003 server unsuccessful

tgrundbacher — Mon, 11 Mar 2019 02:32:54 GMT

I'm trying to get SCEP enrollment for BYOD on-boarding to work with a Win2k3 server, so far it keeps failing. On the ISE (1.1.1), when I enter the path to the SCEP server ('https://<W2k3_srv_name>/certsrv/mscep/mscep.dll') the connectivity test fails when hitting the "Test Connectivity" button; the error message is "Connection to SCEP server failed. Remotely Closed [id: 0x00313434]". Strangely, the settings can be saved and ISE won't complain, although the ISE user guide says that the ISE will check the connectivity anyway when saving the settings.

In the end, the on-boarding process doesn't work and stops at the stage where the cert enrollment should take place (on various platforms).

See the Win2k3 event log error attached.

Any ideas or experiences?

Thanks

Toni

Re: ISE SCEP connection to Win2003 server unsuccessful

Tarik Admani — Thu, 13 Sep 2012 14:02:18 GMT

Hi,

Try using http (you are using https) and see if this works for you.

thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE SCEP connection to Win2003 server unsuccessful

tgrundbacher — Mon, 08 Oct 2012 11:54:57 GMT

Hi Tarik

Thanks for your support - we've also tried with HTTP, yet without success. Meanwhile we've set up a 2008 server with SCEP running on it, with this one it seems to work fine now. I deliberately say *seems to work*, since I still can't get the on-borading process to finish successfully (see attached picture).

It works if you use an internal client on the LAN and request a cert directly from the SCEP server via IE. But for the BYOD devices, no cretificates are being rolled out, and no error or logs neither on ISE, nor on the SCEP server nor on the client indicate what's going wrong. I can't open a TAC case since this is a PoC with an Eval license and the customer will only buy the Advanced license if they like what they see...

Re: ISE SCEP connection to Win2003 server unsuccessful

chris_day — Mon, 08 Oct 2012 12:42:28 GMT

Did you tell the SCEP server what template to use for network devices? Also could you post up your policies?

Re: ISE SCEP connection to Win2003 server unsuccessful

tgrundbacher — Mon, 08 Oct 2012 15:25:46 GMT

Chris, please find some screenshots of the cert template and the ISE policies in the attachment. Meanwhile we could prove that the ISE doesn't send a single packet towards the SCEP server during the on-borarding process. We can see a packet arriving when we test the SCEP connection from the ISE to the server.