BYOD with Windows 2016

masyamad
Cisco Employee

Hi team,

My customer is planning a BYOD solution in a green field and now wants to deploy a new CA server.

In the original plan, they were going to use Windows Server 2016, but now we've found CSCvh95680.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh95680/?rfs=iqvred

Because Windows 2012 is about to reach the end of mainstream support, the customer would not like to use the old version.

Is there a workaround to use ISE BYOD with Windows 2016?

And could you also tell me the fix (or enhancement) plan for the bug ID?

Accepted Solutions

Hamid:- Thanks for your input. Yes, as the customer prefers a Windows CA to issue certificates, the team agreed to change from 2016 to 2012, while following up with our product management team.

Masahiro:- Please continue your discussion with our product manager on CSCvh95680.

Even though we are not Microsoft, the info from Microsoft sites looks promising:

Microsoft Lifecycle Policy for 2012 R2 shows Windows Server 2012 R2 Datacenter and Standard both have

  • Mainstream Support End Date on 2018-Oct-09
  • Extended Support End Date on 2023-Oct-10

Microsoft Business, Developer and Desktop Operating Systems Policy shows extended support providing security updates and non-security updates on extended hotfix support.

 

hslai
Cisco Employee

It appears that Microsoft CA has a change of behavior in Windows Server 2016 and has become non-compliant with the HTTP/1.1 RFC in supporting Chunked Transfer Coding. I will check with our teams and update you later.

That's right. Technically, SCEP is not compatible with Windows Server 2016. Actually, it is Microsoft that is in violation of RFC 2616 Section 3.6.1.

As far as I know, Microsoft has already been informed, and it should be fixed on their side in the next updates. There is no workaround from the ISE side; you should temporarily use MS Server 2012!

Hamid
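For reference, the chunked transfer coding of RFC 2616 Section 3.6.1 that the replies above refer to, as an added example that is not part of the original thread and is not Cisco or Microsoft code. The function names and the sample request body are constructed for illustration, and the `honors_chunked` switch is only a model of a receiver that does or does not decode the framing before handing the body to its SCEP parser.

```python
# Added example: RFC 2616 section 3.6.1 chunked-body framing and decoding.
HEX = b"0123456789abcdefABCDEF"

def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Frame payload as a chunked body (no extensions, no trailers)."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(chunk) + chunk + b"\r\n"
    return bytes(out + b"0\r\n\r\n")

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body; raise ValueError on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated by CRLF")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError("chunk size is not hexadecimal")
        size, start = int(size_field, 16), eol + 2
        if size == 0:
            break
        end = start + size
        if body[end:end + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not followed by CRLF")
        out += body[start:end]
        pos = end + 2
    # After the last chunk: optional trailer lines, then one empty line.
    while True:
        eol = body.find(b"\r\n", start)
        if eol < 0:
            raise ValueError("missing final CRLF")
        if eol == start:
            return bytes(out)
        start = eol + 2

def body_seen_by_receiver(headers: dict, raw: bytes, honors_chunked: bool) -> bytes:
    """Bytes a receiver model passes to its message parser (hypothetical helper)."""
    te = headers.get("Transfer-Encoding", "").lower()
    if "chunked" in te and honors_chunked:
        return decode_chunked(raw)
    return raw  # chunk-size lines stay in front of the DER data

# Constructed sample, not a real SCEP message: DER-like prefix plus filler.
PAYLOAD = bytes.fromhex("3082010a") + b"constructed-pkcs7-placeholder"
WIRE = encode_chunked(PAYLOAD, 8)
```

When comparing a packet capture of a failing enrollment against a working one, the same decoder can be run over the captured request body to confirm whether the payload itself is intact and only the framing is being mishandled.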

Please engage the ISE Product Manager to have them update CSCvh95680.

 

The bug still shows unresolved, yet this issue was addressed and resolved by Microsoft back in Aug 2018 under KB4457127. You can search for NDES in the following URL regarding the rollup: https://support.microsoft.com/en-us/help/4457127/windows-10-update-kb4457127

 

Additionally, Microsoft released an article with a simple command to enable chunked encoding (which Cisco support has been giving out to their customers using 2016 CA to work around the problem): https://support.microsoft.com/en-au/help/278998/how-to-enable-chunked-transfer-encoding-with-iis

 

This forum post is misleading Cisco customers to believe that Windows 2016 CA is officially not supported for use with ISE, yet we can find no official ISE documentation that states this (seemingly because the issue was immediately resolved by Microsoft).

 

 

 

howon
Cisco Employee

If the goal is to have ISE generate MS PKI certificates, then I suggest making ISE a sub-CA of the existing 2016 MS CA. This way, endpoint certificates can be revoked via the My Devices portal, and it is easier to troubleshoot certificate issues within ISE, not to mention that the integration of ISE as a sub-CA is trivial.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#task_E458E69FA39941BBAA9799AAD7FDC644