07-18-2018 10:16 AM
Hi team,
My customer is planning a BYOD solution in a green field and now wants to deploy a new CA server.
In the original plan, they were going to use Windows Server 2016, but now we've found CSCvh95680.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh95680/?rfs=iqvred
Because Windows 2012 is about to reach end of mainstream support, the customer wouldn't like to use the old version.
Is there a workaround to use ISE BYOD with Windows 2016?
And could you also tell me the fix (or enhancement) plan for the bug ID?
08-05-2018 02:29 PM
Hamid: Thanks for your input. Yes, as the customer prefers a Windows CA to issue certificates, the team agreed to change from 2016 to 2012, while following up with our product management team.
Masahiro: Please continue your discussion with our product manager on CSCvh95680.
Even though we are not Microsoft, the info from Microsoft sites looks promising:
Microsoft Lifecycle Policy for 2012 R2 shows Windows Server 2012 R2 Datacenter and Standard both have
The Microsoft Business, Developer and Desktop Operating Systems Policy shows extended support providing security updates, and non-security updates under extended hotfix support.
07-18-2018 11:08 AM
It appears that the Microsoft CA has a change of behavior in Windows Server 2016 and is no longer compliant with the HTTP/1.1 RFC in supporting chunked transfer coding. I will check with our teams and update you later.
08-05-2018 01:26 AM - edited 08-05-2018 01:29 AM
That's right. Technically, SCEP is not compatible with Windows Server 2016. Actually, it's Microsoft that is in violation of RFC 2616 Section 3.6.1.
As far as I know, Microsoft has already been informed and it should be fixed from their side in the next updates. There is no workaround from the ISE side; you should temporarily use MS Server 2012!
01-28-2020 07:04 AM
Please engage the ISE Product Manager to have them update CSCvh95680.
The bug still shows as unresolved, yet this issue was addressed and resolved by Microsoft back in Aug 2018 under KB4457127. You can search for NDES in the following URL regarding the rollup: https://support.microsoft.com/en-us/help/4457127/windows-10-update-kb4457127
Additionally, Microsoft released an article with a simple command to enable chunked encoding (which Cisco support has been giving out to their customers using a 2016 CA to work around the problem): https://support.microsoft.com/en-au/help/278998/how-to-enable-chunked-transfer-encoding-with-iis
This forum post is misleading Cisco customers into believing that Windows 2016 CA is officially not supported for use with ISE, yet we can find no official ISE documentation that states this (seemingly because the issue was immediately resolved by Microsoft).
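The chunked transfer coding that this whole thread turns on, as an added example that is not part of any post above and is not ISE, NDES or Microsoft code: a minimal RFC 2616 section 3.6.1 encoder and decoder, a raw HTTP/1.1 POST that carries its body with `Transfer-Encoding: chunked` and no `Content-Length` (the shape of request a SCEP client sends to an NDES endpoint), and a check that classifies the server's reply. The `NDES_URL`, the `SAMPLE_OK` and `SAMPLE_REJECT` replies and the 411 status used for the non-compliant case are constructed for illustration, not captured from a real server; only `probe` touches the network, and it is never called unless you point it at a host.

```python
"""Chunked transfer coding (RFC 2616 s.3.6.1, now RFC 7230 s.4.1): an encoder,
a decoder, a raw chunked POST like the one a SCEP client sends to NDES, and a
check that classifies the server's reply. Added example for this thread, not
ISE, NDES or Microsoft code; the NDES URL and sample replies are constructed.
"""
import socket
import ssl
from urllib.parse import urlsplit

CRLF = b"\r\n"
NDES_URL = "https://ndes.example.com/certsrv/mscep/mscep.dll?operation=PKIOperation"  # hypothetical

# Constructed sample replies. RFC 2616 s.3.6 says every HTTP/1.1 application MUST
# accept the chunked coding, so a 411 to a well-formed chunked POST is non-compliant.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-pki-message\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n4\r\n\x30\x02\x05\x00\r\n0\r\n\r\n")
SAMPLE_REJECT = b"HTTP/1.1 411 Length Required\r\nContent-Length: 0\r\n\r\n"


def chunk_encode(body: bytes, chunk_size: int = 512) -> bytes:
    """chunk = hex size CRLF data CRLF ...; last-chunk = '0' CRLF, then a bare CRLF."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%X" % len(piece) + CRLF + piece + CRLF
    return bytes(out + b"0" + CRLF + CRLF)


def chunk_decode(data: bytes) -> bytes:
    """Decode a chunked body, rejecting bad framing instead of guessing at it."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk-extension
        pos = eol + 2
        if size == 0:  # optional trailer headers, then an empty line
            while (eol := data.find(CRLF, pos)) != pos:
                if eol < 0:
                    raise ValueError("truncated trailer")
                pos = eol + 2
            return bytes(body)
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk-data not terminated by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def build_chunked_post(url: str, body: bytes, content_type: str) -> bytes:
    """Raw HTTP/1.1 POST using Transfer-Encoding: chunked and no Content-Length."""
    u = urlsplit(url)
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    head = (f"POST {target} HTTP/1.1\r\nHost: {u.hostname}\r\nContent-Type: {content_type}\r\n"
            "Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + chunk_encode(body)


def response_status(raw: bytes) -> int:
    """Status code from a raw HTTP response."""
    version, code, *_ = raw.split(CRLF, 1)[0].decode("ascii", "replace").split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % version)
    return int(code)


def response_body(raw: bytes) -> bytes:
    """Message body, de-chunked when the reply itself is chunked."""
    head, _, body = raw.partition(CRLF + CRLF)
    return chunk_decode(body) if b"transfer-encoding: chunked" in head.lower() else body


def accepts_chunked(raw_response: bytes) -> bool:
    """True when the server answered a chunked POST with a 2xx."""
    return 200 <= response_status(raw_response) < 300


def probe(url: str, body: bytes, timeout: float = 10.0) -> bytes:
    """Send the chunked POST to a live host and return the raw reply (network; not run offline)."""
    u = urlsplit(url)
    sock = socket.create_connection((u.hostname, u.port or (443 if u.scheme == "https" else 80)), timeout)
    if u.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    with sock:
        sock.sendall(build_chunked_post(url, body, "application/x-pki-message"))
        parts = []
        while chunk := sock.recv(4096):
            parts.append(chunk)
    return b"".join(parts)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; for a live check use
    # accepts_chunked(probe(NDES_URL, pki_message_bytes)) against your own NDES host.
    for name, reply in (("compliant", SAMPLE_OK), ("non-compliant", SAMPLE_REJECT)):
        print(name, response_status(reply), accepts_chunked(reply))
```

The point of `build_chunked_post` is that it deliberately omits `Content-Length`: a server that only copes with length-delimited bodies will reject exactly this request, which is the behaviour the thread attributes to the 2016 NDES before the Microsoft fix. Run `probe` against a staging NDES before and after applying the rollup or the IIS chunked-encoding setting to confirm the change.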
08-06-2018 07:56 AM
If the goal is to have ISE generate MS PKI certificates, then I suggest making ISE a sub-CA of the existing 2016 MS CA. This way, endpoint certificates can be revoked via the My Devices portal, and it is easier to troubleshoot certificate issues within ISE, not to mention that integrating ISE as a sub-CA is trivial.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#task_E458E69FA39941BBAA9799AAD7FDC644