https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599537#M524254 <HTML><HEAD></HEAD><BODY><P>Thanks Hsing-Tsu</P><P></P><P>Will it support another ISE ?</P><P>I just want to test the SCEP functionality</P><P></P><P>I am trying to add one ISE server as SCEP server to another ISE but thats failing too.. Not sure if this would work.</P><P></P><P>Ultimately we would want to have as SCEP to MDM server. </P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108435_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P><IMG alt="" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/108436_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Mon, 19 Jun 2017 19:00:29 GMT umahar 2017-06-19T19:00:29Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599535#M524252 <HTML><HEAD></HEAD><BODY><P>Has anyone implemented ISE as a SCEP server ?</P><P></P><P>I am trying to enroll a cert into switch to test scep functionality in ISE but I cannot make it work.</P><P></P><P>ISE SCEP URL</P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108385_pastedImage_3.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P></P><P><STRONG>crypto pki trustpoint ISEPSN</STRONG></P><P><STRONG><SPAN>enrollment url </SPAN><A class="jive-link-external-small" href="http://usnjise03.svlab.local:9090/auth/caservice/pkiclient.exe" rel="nofollow" target="_blank">http://usnjise03.svlab.local:9090/auth/caservice/pkiclient.exe</A></STRONG></P><P><STRONG>revocation-check crl</STRONG></P><P><STRONG>rsakeypair scep</STRONG></P><P></P><P><STRONG>crypto pki authenticate ISEPSN</STRONG></P><P></P><P>I am receiving an error after the above switch commands</P><P></P><P>% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0</P></BODY></HTML> Fri, 16 Jun 2017 18:15:40 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599535#M524252 umahar 2017-06-16T18:15:40Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599536#M524253 <HTML><HEAD></HEAD><BODY><P>ISE internal CA/SCEP is not currently supporting Cisco IOS. See CSCuz49209. There is some mismatch in the cert usage field.</P></BODY></HTML> Fri, 16 Jun 2017 20:53:50 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599536#M524253 hslai 2017-06-16T20:53:50Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599537#M524254 <HTML><HEAD></HEAD><BODY><P>Thanks Hsing-Tsu</P><P></P><P>Will it support another ISE ?</P><P>I just want to test the SCEP functionality</P><P></P><P>I am trying to add one ISE server as SCEP server to another ISE but thats failing too.. Not sure if this would work.</P><P></P><P>Ultimately we would want to have as SCEP to MDM server. </P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108435_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P><IMG alt="" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/108436_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Mon, 19 Jun 2017 19:00:29 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599537#M524254 umahar 2017-06-19T19:00:29Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599538#M524256 <HTML><HEAD></HEAD><BODY><P>It's tested with ASA only. Here are two LabMinutes video on that:</P><UL><LI><A class="jive-link-external-small" href="http://www.labminutes.com/sec0213_ise_20_internal_ca_scep_anyconnect_vpn_1" rel="nofollow" style="padding: 0 calc(12px + 0.35ex) 0 0; font-style: inherit; font-family: inherit; color: #007fab;">How to Configure Cisco ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 1)</A></LI><LI><A class="jive-link-external-small" href="http://www.labminutes.com/sec0213_ise_20_internal_ca_scep_anyconnect_vpn_2" rel="nofollow" style="padding: 0 calc(12px + 0.35ex) 0 0; font-style: inherit; font-family: inherit; color: #007fab;">How to Configure Cisco ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 2)</A></LI></UL><P></P><P>If you need it supported for external MDM, please bring it up with our PM teams.</P></BODY></HTML> Mon, 19 Jun 2017 19:31:19 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/3599538#M524256 hslai 2017-06-19T19:31:19Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4587470#M573923 <P>Is there still no solution to issue certificates to Cisco devices (routers, switches, wlc) from ISE CA?</P><P>From my view It is very disappointing that a Cisco CA (ISE) is not able to issue certificates to their own main product series.</P> Wed, 06 Apr 2022 16:37:51 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4587470#M573923 Andreas Jaeger 2022-04-06T16:37:51Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4587687#M573927 <P>AFAIK this is still not possible. The enhancement 'bug' that was referenced by Hsing below shows a status of Terminated. This is likely because the ISE CA is mainly intended for the BYOD use case (and maybe pxGrid, where needed). It is not intended/supported to be used as an Enterprise CA and that fact is not likely to change.</P> Wed, 06 Apr 2022 22:11:24 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4587687#M573927 Greg Gibbs 2022-04-06T22:11:24Z https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4590124#M574041 <P>Hi Greg,</P><P>I was never asking the ISE to become an Enterprise CA - I was just asking why it does not support Cisco products.</P><P>E.g. for RADIUS DTLS with ISE the devices need to have certificates installed, but its own/internal CA is not supporting them.</P> Mon, 11 Apr 2022 12:07:35 GMT https://community.cisco.com/t5/network-access-control/ise-as-scep-server/m-p/4590124#M574041 Andreas Jaeger 2022-04-11T12:07:35Z