03-06-2024 10:37 AM
Hoping someone can fill in a hole for me. I am attempting to set up autoenrollment of the user certificate for wireless access for a set of 8865s. I have used the Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide to the best of my ability, but it seems its last update was in 2021 also. I don't have an ASA or ISE and am using Windows Server 2022 as a CA and for NDES.
After configuring the CAPF settings for the phone to "Install/Update" and providing the WLAN SCEP and CA Thumbprint I can pull the Root CA certificate and install it. However, it fails to retrieve a user certificate.
It appears my IIS is not preventing it:
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 11764
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:14:55 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 10
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 2
2024-03-06 18:16:02 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 6
My Phone status log:
[14:52:17 06/21/23] No IPv4 DNS server
[14:52:19 06/21/23] ITL installed
[14:52:20 06/21/23] SEPF8A5C5------.cnf.xml.sgn(HTTP)
[14:52:22 06/21/23] VPN not configured
[14:52:23 06/21/23] oAuth mode disabled
[14:52:23 06/21/23] Successfully installed root certificate via SCEP.
[14:52:24 06/21/23] Failed to install user certificate via SCEP!
I have configured the Windows Registry per the document. Any pointers or help is greatly appreciated.
03-12-2024 09:16 AM
Still have not solved this but for anyone else that comes across this post:
The error is related to the way the phone is presenting itself. Once the process is initiated the phone reaches out to the CA/NDES directly and presents its MIC to the server. NDES will return a Windows Event ID of 18 in the Application log "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data." I can't find anything in Cisco's documentation that covers this. As I am not using ISE, I am not finding anything that has helped to open the MIC so that the Windows CA can read it. I have attempted to put the Manufacturing CA root certs in the Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certificate Authorities and Third-Party Root Certification Authorities in the local Machine store to allow the server to decrypt the MIC.
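The two posts above show why the IIS log is misleading here: SCEP reports enrollment failure inside the PKCS#7 CertRep (pkiStatus FAILURE), so the PKIOperation POST still gets HTTP 200 and the real reason only appears as NDES Event ID 18 in the Application log. The following PowerShell is an added triage script, not from the thread or from Cisco; it assumes the default IIS log folder for the first site (C:\inetpub\logs\LogFiles\W3SVC1), the default W3C field order seen in the log lines above (IIS writes timestamps in UTC), the NDES event provider name Microsoft-Windows-NetworkDeviceEnrollmentService, and the phone address 192.168.20.100 from the post.

```powershell
# Correlate the phone's SCEP PKIOperation POSTs (IIS log) with NDES Event ID 18
# (Application log) to show the failure that HTTP 200 hides. Run on the NDES server.
param(
    [string]$PhoneIp   = '192.168.20.100',                    # client address from the IIS log
    [string]$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',   # assumed default IIS log path
    [int]   $WindowSec = 30                                   # max distance POST <-> event
)

# Default W3C fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
$posts = Get-ChildItem -Path $IisLogDir -Filter '*.log' -ErrorAction Stop |
    Get-Content |
    Where-Object { $_ -notmatch '^#' -and $_ -match 'operation=PKIOperation' -and $_ -match [regex]::Escape($PhoneIp) } |
    ForEach-Object {
        $f   = $_ -split ' '
        $utc = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        [pscustomobject]@{
            # IIS logs in UTC; event log and the phone's status log are local time
            Time       = [datetime]::SpecifyKind($utc, 'Utc').ToLocalTime()
            HttpStatus = [int]$f[11]
            TimeTakenMs = [int]$f[14]
        }
    }

# NDES writes "cannot decrypt the client's PKCS7 message (0x80090005)" as Event ID 18
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService'   # assumed provider name
    Id           = 18
} -ErrorAction SilentlyContinue

$report = foreach ($p in $posts) {
    $hit = $events | Where-Object { [math]::Abs(($_.TimeCreated - $p.Time).TotalSeconds) -le $WindowSec } |
        Sort-Object TimeCreated | Select-Object -First 1
    [pscustomobject]@{
        PostTime   = $p.Time
        HttpStatus = $p.HttpStatus        # expect 200 even when enrollment fails
        NdesError  = if ($hit) { ($hit.Message -replace '\s+', ' ').Trim() } else { '(no Event 18 within window)' }
    }
}

$report | Sort-Object PostTime | Format-Table -AutoSize -Wrap
```

A row that pairs a 200 POST with an Event 18 confirms the failure is in NDES's handling of the phone's PKCS#7 envelope rather than at the IIS layer, which narrows what to send TAC.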
03-13-2024 02:28 PM
I would encourage you to open a TAC case on this issue. Are you able to do that?
Maren
03-13-2024 03:29 PM
Thanks for responding. I attempted to open a TAC case today, but unfortunately it couldn't find CUCM entitlement. I reached out to a team member to see if they could put it in today.