I configured a Cisco 8821 connected with EAP-TLS, with SCEP for cert enrollment.
I have CUCM 12, an 8821 with firmware sip8821.11-0-4SR1-13, one router as SCEP RA, one Microsoft CA and a Cisco ACS.
Everything works fine, but I would like to test the scenario where the phone's user cert is about to expire.
To test that I tried two ways:
- a cert template with 4 h duration and 1 h renewal
- changing the 8821's clock
In both scenarios, in the 8821 log and in the SCEP router log, I can't see any attempt (SCEP message) by the phone to request a new cert.
The only (poor) documentation about SCEP that I found is
I can't find a troubleshooting guide, and I can't find any forum discussions.
Could anyone give me advice on how to test and troubleshoot cert expiration on the 8821, or does anyone have experience with that?
Thank you so much
Here, from section 7, are some debugging commands for SCEP:
If your Windows server is 2008, here are some issues to check:
Before you configure SCEP support for BYOD, ensure that the Windows 2008 R2 NDES server has these Microsoft hotfixes installed:
From this document, which also seems valid for SCEP, the timers seem to be calculated as follows:
- As soon as an identity certificate is installed, IOS calculates the RENEW timer for the specific trust-point as shown below
Current-Authoritative-Time means that the system clock has to be an authoritative source of time
as described here. (link to authoritative Time source section) PKI timers will not be initialized without an authoritative source of time. And as a consequence, renewal operation will not take place.
IOS does not initialize PKI timers without an authoritative clock. Although NTP is highly recommended, as a temporary measure, the administrator can mark the hardware clock as authoritative using:
Router(config)# clock calendar-valid
Thank you so much.
The Cisco 8821 phone is not an IOS device, so maybe the timer calculation is different, and I don't have any kind of parameter, timer or documentation about SCEP.
The phone has an NTP server, and I changed the time on this NTP server, not the time on the phone directly. So I think it's authoritative.
On the phone I can't see the PKI timers as I can on the router.
If the NTP server is unsynchronized with an external time source, it will not be authoritative.
Yes, I'm aware the phone is not IOS, but when describing SCEP mechanics the behaviour should be the same. The parameters come from the SCEP server, and you can perform the calculation as described in the link.
You use the router as RA, so you can try debugging there to see if any SCEP packets are received.
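The renewal-timer reasoning in the two replies above (the IOS RENEW timer and the authoritative-clock requirement) can be checked against the question's 4 h / 1 h test as a small model. This is an added example, not code from the thread, from Cisco or from the phone firmware. It assumes the IOS-style rule that renewal is attempted once a configured percentage of the certificate lifetime has elapsed, and that no timer is armed while the clock is not authoritative; whether the 8821 firmware applies the same rule is not established by the thread. The dates, checkpoint labels and renewal percentage are made up for the example.

```python
"""Renewal-timer model for the 8821 / SCEP question above.

Added example; not code from the original thread, from Cisco, or from the
8821 firmware. Assumptions:
  * renewal is attempted once `renew_percent` of the certificate lifetime has
    elapsed (the rule IOS applies with 'auto-enroll <percent>');
  * no renewal timer exists at all while the clock is not authoritative, as
    the quoted IOS text describes;
  * whether the 8821 follows the same rule is NOT established by the thread.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def percent_for_lead_time(lifetime: timedelta, lead: timedelta) -> float:
    """Translate 'renew N before expiry' into the percent-of-lifetime form.

    A 4 h certificate that should renew 1 h before expiry corresponds to
    renewing at 75 % of its lifetime.
    """
    if not timedelta(0) < lead < lifetime:
        raise ValueError("lead time must be positive and shorter than lifetime")
    return 100.0 * (1 - lead / lifetime)


def renew_time(not_before: datetime, not_after: datetime,
               renew_percent: float, clock_authoritative: bool) -> Optional[datetime]:
    """Instant at which a renewal request should be sent, or None.

    None models the failure mode in the thread: without an authoritative
    time source the timer is never initialised, so no SCEP request is sent.
    """
    if not clock_authoritative:
        return None
    if not 0 < renew_percent < 100:
        raise ValueError("renew_percent must be strictly between 0 and 100")
    return not_before + (not_after - not_before) * (renew_percent / 100.0)


def renewal_state(now: datetime, not_before: datetime, not_after: datetime,
                  renew_percent: float, clock_authoritative: bool) -> str:
    """Classify the certificate at time `now`.

    'expired'   - past notAfter; a SCEP renewal request is signed with the
                  existing certificate (general SCEP behaviour, not verified
                  on the 8821), so there is nothing valid left to renew with
    'no-timer'  - clock not authoritative, timer never armed
    'renew-due' - renewal point reached, a SCEP request is expected
    'waiting'   - inside the lifetime, before the renewal point
    """
    if now >= not_after:
        return "expired"
    due = renew_time(not_before, not_after, renew_percent, clock_authoritative)
    if due is None:
        return "no-timer"
    return "renew-due" if now >= due else "waiting"


# Constructed scenario mirroring the question: a 4 h template with renewal
# 1 h before expiry. The dates are made up for the example.
NOT_BEFORE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(hours=4)
RENEW_PERCENT = percent_for_lead_time(timedelta(hours=4), timedelta(hours=1))


def walk_scenario(clock_authoritative: bool) -> List[Tuple[str, str]]:
    """State at a few points in the lifetime, including a clock jumped
    straight past expiry (the second test in the question)."""
    checkpoints = [
        ("just issued", NOT_BEFORE + timedelta(minutes=5)),
        ("mid-life", NOT_BEFORE + timedelta(hours=2)),
        ("inside last hour", NOT_BEFORE + timedelta(hours=3, minutes=30)),
        ("clock jumped past expiry", NOT_BEFORE + timedelta(hours=6)),
    ]
    return [(label, renewal_state(t, NOT_BEFORE, NOT_AFTER, RENEW_PERCENT,
                                  clock_authoritative))
            for label, t in checkpoints]


if __name__ == "__main__":
    for auth in (True, False):
        print(f"clock authoritative={auth}")
        for label, state in walk_scenario(auth):
            print(f"  {label:26} {state}")
```

Running it prints the four checkpoints with and without an authoritative clock: the "no-timer" rows are the case the reply about the unsynchronized NTP server points at, and the "clock jumped past expiry" row is why jumping the phone's clock straight past notAfter is not a useful renewal test under these assumptions; the renewal window has to be entered while the old cert is still valid.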
Obtain the IP address of the Cisco IP Phone by using one of these methods:
Open a web browser and enter the following URL, where IP_address is the IP address of the Cisco IP Phone:
Click Console logs.
Open the listed log files and save the files that cover the time period that the user experienced the problem.
If the problem is not limited to a specific time, save all the log files.