CP-8865 SCEP Autoenrollment

dgeral1
Level 1

Hoping someone can fill in a hole for me.  I am attempting to set up autoenrollment of the user certificate for wireless access for a set of 8865s.  I have used the Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide to the best of my ability, but it seems its last update was in 2021 also.  I don't have an ASA or ISE and am using Windows Server 2022 as a CA and for NDES.

After configuring the CAPF settings for the phone to "Install/Update" and providing the WLAN SCEP and CA Thumbprint I can pull the Root CA certificate and install it. However, it fails to retrieve a user certificate. 

It appears my IIS is not preventing it:
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 11764
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:14:55 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 10
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 2
2024-03-06 18:16:02 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 6

My Phone status log:

[14:52:17 06/21/23] No IPv4 DNS server
[14:52:19 06/21/23] ITL installed
[14:52:20 06/21/23] SEPF8A5C5------.cnf.xml.sgn(HTTP)
[14:52:22 06/21/23] VPN not configured
[14:52:23 06/21/23] oAuth mode disabled
[14:52:23 06/21/23] Successfully installed root certificate via SCEP.
[14:52:24 06/21/23] Failed to install user certificate via SCEP!

I have configured the Windows Registry per the document.  Any pointers or help is greatly appreciated.


dgeral1
Level 1

Still have not solved this but for anyone else that comes across this post:

The error is related to the way the phone is presenting itself.  Once the process is initiated the phone reaches out to the CA/NDES directly and presents its MIC to the server.  NDES will return a Windows Event ID of 18 in the Application log "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data."  I can't find anything in Cisco's documentation that covers this.  As I am not using ISE, I am not finding anything that has helped to open the MIC so that the Windows CA can read it.  I have attempted to put the Manufacturing CA root certs in the Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certificate Authorities and Third-Party Root Certification Authorities in the local Machine store to allow the server to decrypt the MIC.
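
The thread shows why the IIS log alone is misleading here: every PKIOperation POST is logged as HTTP 200 even though the phone reports a failed user-certificate install, because the SCEP failure is carried inside the PKCS#7 response and only surfaces as NDES Event ID 18 in the Application log. The following is an added example (not from the thread or from Cisco/Microsoft) that correlates the posted IIS W3C lines with constructed Application-log records mirroring the quoted event text; the default W3C field order and the 5-second correlation window are assumptions.

```python
"""Correlate IIS SCEP requests with NDES Event ID 18 failures (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# IIS W3C lines as posted in the thread (subset); default field order assumed:
# date time s-ip method uri-stem uri-query port user c-ip ua referer status sub win32 time-taken
IIS_LOG = """\
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 11764
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:14:55 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 10
2024-03-06 18:16:02 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 6
"""

# Constructed Application-log records (timestamp, event id, message) modelled on the
# Event ID 18 text quoted in the reply; only the first PKIOperation gets one.
NDES_EVENTS = [
    (datetime(2024, 3, 6, 18, 14, 55), 18,
     "The Network Device Enrollment Service cannot decrypt the client's PKCS7 "
     "message (0x80090005). Bad Data."),
]

def parse_iis(text):
    """Yield (time, client_ip, scep_operation, http_status) for each request line."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blank and W3C header lines
            continue
        f = line.split()
        when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        op = parse_qs(f[5]).get("operation", ["?"])[0]
        rows.append((when, f[8], op, int(f[11])))
    return rows

def failed_enrollments(iis_text, events, window=timedelta(seconds=5)):
    """Return (client_ip, request_time, hresult) for PKIOperation requests that have
    an NDES Event ID 18 within `window`. The HTTP status is ignored on purpose:
    IIS logs 200 whether or not NDES accepted the PKCS#7 payload."""
    failures = []
    for when, client, op, _status in parse_iis(iis_text):
        if op != "PKIOperation":
            continue
        for ev_time, ev_id, msg in events:
            if ev_id == 18 and abs(ev_time - when) <= window:
                code = re.search(r"0x[0-9A-Fa-f]+", msg)
                failures.append((client, when.isoformat(), code.group(0) if code else "?"))
    return failures

if __name__ == "__main__":
    for client, when, code in failed_enrollments(IIS_LOG, NDES_EVENTS):
        print(f"{when} SCEP enrollment from {client} rejected by NDES ({code})")
```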

I would encourage you to open a TAC case on this issue. Are you able to do that?

Maren

Thanks for responding. I attempted to open a TAC case today, but unfortunately it couldn't find CUCM entitlement. I reached out to a team member to see if they could put it in today.