https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477549#M517925 <HTML><HEAD></HEAD><BODY><P>The process works with ISE Internal CA with Android clients. So far in our setup we have mostly Android clients. With regards to the SCEP, I have used the sscep toolset to test and verify that SCEP is working as seen below.</P><P><IMG alt="" class="image-1 jive-image" height="66" src="https://community.cisco.com/legacyfs/online/fusion/115152_pastedImage_0.png" style="width: 624px; height: 66px;" width="624" /></P><P>The process just doesn't work when using the External SCEP Server. The RootCA and SubCA certificates have been added to ISE trusted certificates to support the External SCEP Server. Note also the SCEP server is also the SUBCA that issues the certificates.</P></BODY></HTML> Sat, 10 Feb 2018 13:01:44 GMT ainsleye 2018-02-10T13:01:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477547#M517923 <HTML><HEAD></HEAD><BODY><P>When using BYOD in a DUAL SSID setup with Microsoft Server 2012 R2 CA as a SCEP server and Android phone, the Network Setup assistant does not ask you to enter your password nor does it connect to the SCEP to relay the certificate request.</P><P></P><P>Can someone help?</P></BODY></HTML> Fri, 09 Feb 2018 19:08:34 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477547#M517923 ainsleye 2018-02-09T19:08:34Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477548#M517924 <HTML><HEAD></HEAD><BODY><P>Please clarify whether it working with ISE internal CA, with other client OS's than Android, and testing SCEP connection ok.</P></BODY></HTML> Sat, 10 Feb 2018 05:30:31 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477548#M517924 hslai 2018-02-10T05:30:31Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477549#M517925 <HTML><HEAD></HEAD><BODY><P>The process works with ISE Internal CA with Android clients. So far in our setup we have mostly Android clients. With regards to the SCEP, I have used the sscep toolset to test and verify that SCEP is working as seen below.</P><P><IMG alt="" class="image-1 jive-image" height="66" src="https://community.cisco.com/legacyfs/online/fusion/115152_pastedImage_0.png" style="width: 624px; height: 66px;" width="624" /></P><P>The process just doesn't work when using the External SCEP Server. The RootCA and SubCA certificates have been added to ISE trusted certificates to support the External SCEP Server. Note also the SCEP server is also the SUBCA that issues the certificates.</P></BODY></HTML> Sat, 10 Feb 2018 13:01:44 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477549#M517925 ainsleye 2018-02-10T13:01:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477550#M517926 <HTML><HEAD></HEAD><BODY><P>My wireless setup is not connected to a Windows 2012R2 CA. I know for sure ISE working with Windows 2012R2 because a couple of Cisco field engineers did a Techtorial in Cisco Live before.</P><P></P><P>I just tried it with our existing Windows 2008R2 and my test Android device (Google Nexus 5X) got the certificate installed ok.</P><P><IMG alt="Screen Shot 2018-02-12 at 4.59.16 AM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/115161_Screen Shot 2018-02-12 at 4.59.16 AM.png" style="height: 227px; width: 620px;" /></P><P><IMG alt="Screenshot_20180212-121039.png" class="jive-image image-2" height="409" src="https://community.cisco.com/legacyfs/online/fusion/115162_Screenshot_20180212-121039.png" style="height: 408.8064516129033px; width: 230px;" width="230" /></P><P>Below are some screenshots of my ISE configurations:</P><P></P><P><IMG alt="Screen Shot 2018-02-12 at 6.55.31 AM.png" class="jive-image image-3" src="/legacyfs/online/fusion/115175_Screen Shot 2018-02-12 at 6.55.31 AM.png" style="height: 241px; width: 620px;" /></P><P><IMG alt="Screen Shot 2018-02-12 at 6.56.39 AM.png" class="jive-image image-4" src="/legacyfs/online/fusion/115176_Screen Shot 2018-02-12 at 6.56.39 AM.png" style="height: 486px; width: 620px;" /></P><P><IMG alt="Screen Shot 2018-02-12 at 6.58.20 AM.png" class="jive-image image-5" src="/legacyfs/online/fusion/115177_Screen Shot 2018-02-12 at 6.58.20 AM.png" style="height: 355px; width: 620px;" /></P><P></P><P>If you still have problem to get the requests going to your MS CA, please engage Cisco TAC.</P></BODY></HTML> Mon, 12 Feb 2018 15:30:37 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477550#M517926 hslai 2018-02-12T15:30:37Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477551#M517927 <HTML><HEAD></HEAD><BODY><P>Thank you for the clarification as this has resolved my issue. </P><P></P><P>It turns out that the key to getting SCEP to work is to specify the entire URL with the mscep.dll such as<STRONG><EM> "http(s)://yourscep.yourdomain.com/certsrv/mscep/mscep.dll"</EM></STRONG>&nbsp; when creating the SCEP RA Profile.</P></BODY></HTML> Mon, 12 Feb 2018 16:34:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-does-not-connect-to-ms-scep-server-for-byod-cert/m-p/3477551#M517927 ainsleye 2018-02-12T16:34:04Z