Re: CP-8865 SCEP Autoenrollement

dgeral1 · ‎03-06-2024

Hoping someone can fill in a hole for me. I am attempting to setup autoenrollment of the user certificate for wireless access for a set of 8865s. I have used the Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide to the best of my ability, but it seems its last update was in 2021 also. I don't have an ASA or ISE and am using Windows Server 2022 as a CA and for NDES.

After configuring the CAPF settings for the phone to "Install/Update" and providing the WLAN SCEP and CA Thumbprint I can pull the Root CA certificate and install it. However, it fails to retrieve a user certificate.

It appears my IIS is not preventing it:
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 11764
2024-03-06 18:14:51 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:14:55 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 10
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:15:17 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 1
2024-03-06 18:16:00 192.168.10.10 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=CAIdentifier 80 - 192.168.20.100 - - 200 0 0 2
2024-03-06 18:16:02 192.168.10.10 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 192.168.20.100 - - 200 0 0 6

My Phone status log:

[14:52:17 06/21/23] No IPv4 DNS server
	[14:52:19 06/21/23] ITL installed
	[14:52:20 06/21/23] SEPF8A5C5------.cnf.xml.sgn(HTTP)
	[14:52:22 06/21/23] VPN not configured
	[14:52:23 06/21/23] oAuth mode disabled
	[14:52:23 06/21/23] Successfully installed root certificate via SCEP.
	[14:52:24 06/21/23] Failed to install user certificate via SCEP!

I have configured the Windows Registry per the document. Any pointers or help is greatly appriciated.

dgeral1 · ‎03-12-2024

Still have not solved this but for anyone else that comes across this post:

The error is related to the the way the phone is presenting itself. Once the process is initiated the phone reaches out to the CA/NDES directly and presents its MIC to the server. NDES will return a Windows Event ID of 18 in the Application log "The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data." I can't find anything in Cisco's documentation that covers this. As I am not using ISE, I am not finding anything that has helped to open the MIC so that the Windows CA can read it. I have attempted to put the Manufacturing CA root certs in the Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certificate Authorities and Third-Party Root Certification Authorities in the local Machine store to allow the server to decrypt the MIC.

Maren Mahoney · ‎03-13-2024

I would encourage you to open a TAC case on this issue. Are you able to do that?

Maren

dgeral1 · ‎03-13-2024

Thanks for responding. I attempted to open a TAC case today, but unfortunately it couldn't find CUCM entitlement. I reached out to a team member to see if they could put it in today.