Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

ainsleye
Level 1

When using BYOD in a DUAL SSID setup with Microsoft Server 2012 R2 CA as a SCEP server and Android phone, the Network Setup assistant does not ask you to enter your password nor does it connect to the SCEP to relay the certificate request.

Can someone help?

4 Replies

hslai
Cisco Employee

Please clarify whether it is working with the ISE internal CA, with client OSes other than Android, and whether testing the SCEP connection is OK.

The process works with ISE Internal CA with Android clients. So far in our setup we have mostly Android clients. With regards to the SCEP, I have used the sscep toolset to test and verify that SCEP is working as seen below.

The process just doesn't work when using the External SCEP Server. The RootCA and SubCA certificates have been added to ISE trusted certificates to support the External SCEP Server. Note that the SCEP server is also the SubCA that issues the certificates.

My wireless setup is not connected to a Windows 2012R2 CA. I know for sure ISE works with Windows 2012R2 because a couple of Cisco field engineers did a Techtorial at Cisco Live before.

I just tried it with our existing Windows 2008R2 and my test Android device (Google Nexus 5X) got the certificate installed ok.

Screen Shot 2018-02-12 at 4.59.16 AM.png

Screenshot_20180212-121039.png

Below are some screenshots of my ISE configurations:

Screen Shot 2018-02-12 at 6.55.31 AM.png

Screen Shot 2018-02-12 at 6.56.39 AM.png

Screen Shot 2018-02-12 at 6.58.20 AM.png

If you still have problems getting the requests going to your MS CA, please engage Cisco TAC.

Thank you for the clarification as this has resolved my issue.

It turns out that the key to getting SCEP to work is to specify the entire URL with the mscep.dll, such as "http(s)://yourscep.yourdomain.com/certsrv/mscep/mscep.dll", when creating the SCEP RA Profile.
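A pre-flight check for the URL described in the post above, as an added example that is not part of the original thread and is not Cisco's code: it flags a SCEP RA profile URL that stops short of `mscep.dll` and builds the standard SCEP `GetCACaps` probe for it. The function names are hypothetical, the host name is the placeholder from the post, and the capability response shown in the demo is constructed.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode
from urllib.request import urlopen

NDES_PATH = "/certsrv/mscep/mscep.dll"  # path quoted in the thread


def check_ra_url(url):
    """Return a list of problems with a SCEP RA profile URL (empty list = looks right)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host name")
    path = parts.path.rstrip("/").lower()
    if not path.endswith("/mscep.dll"):
        problems.append("path does not end in mscep.dll (expected %s)" % NDES_PATH)
    elif path != NDES_PATH:
        problems.append("unexpected path before mscep.dll: %s" % parts.path)
    if parts.query or parts.fragment:
        problems.append("drop the query/fragment; SCEP clients append ?operation=...")
    return problems


def probe_url(url, operation="GetCACaps"):
    """Build the SCEP GET request URL for an operation that needs no message."""
    parts = urlsplit(url.strip())
    query = urlencode({"operation": operation})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_caps(body):
    """GetCACaps returns plain text, one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def fetch_caps(url, timeout=5):
    """Live probe (needs network access to the SCEP server); not run in the demo."""
    with urlopen(probe_url(url), timeout=timeout) as resp:
        return parse_caps(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    for candidate in ("https://yourscep.yourdomain.com/certsrv/mscep",
                      "https://yourscep.yourdomain.com/certsrv/mscep/mscep.dll"):
        print(candidate, "->", check_ra_url(candidate) or "OK")
    # Constructed sample of a GetCACaps response body
    print(sorted(parse_caps("POSTPKIOperation\r\nSHA-256\r\nAES\r\n")))
```

Calling `fetch_caps()` from a host that can reach the SCEP server confirms the same URL answers SCEP requests before it is entered in the RA profile.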