Beginner

Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

When using BYOD in a DUAL SSID setup with Microsoft Server 2012 R2 CA as a SCEP server and Android phone, the Network Setup assistant does not ask you to enter your password nor does it connect to the SCEP to relay the certificate request.

Can someone help?

Accepted Solutions
Cisco Employee

Re: Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

My wireless setup is not connected to a Windows 2012R2 CA. I know for sure that ISE works with Windows 2012R2 because a couple of Cisco field engineers did a Techtorial at Cisco Live before.

I just tried it with our existing Windows 2008R2 and my test Android device (Google Nexus 5X) got the certificate installed ok.

Screen Shot 2018-02-12 at 4.59.16 AM.png

Screenshot_20180212-121039.png

Below are some screenshots of my ISE configurations:

Screen Shot 2018-02-12 at 6.55.31 AM.png

Screen Shot 2018-02-12 at 6.56.39 AM.png

Screen Shot 2018-02-12 at 6.58.20 AM.png

If you still have problems getting the requests going to your MS CA, please engage Cisco TAC.


4 REPLIES
Cisco Employee

Re: Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

Please clarify whether it is working with the ISE internal CA, with client OSes other than Android, and whether testing the SCEP connection is OK.

Beginner

Re: Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

The process works with ISE Internal CA with Android clients. So far in our setup we have mostly Android clients. With regards to the SCEP, I have used the sscep toolset to test and verify that SCEP is working as seen below.

The process just doesn't work when using the External SCEP Server. The RootCA and SubCA certificates have been added to the ISE trusted certificates to support the External SCEP Server. Note that the SCEP server is also the SubCA that issues the certificates.

Beginner

Re: Cisco ISE 2.3 Does not connect to MS SCEP Server for BYOD Cert Request

Thank you for the clarification as this has resolved my issue.

It turns out that the key to getting SCEP to work is to specify the entire URL with the mscep.dll, such as "http(s)://yourscep.yourdomain.com/certsrv/mscep/mscep.dll", when creating the SCEP RA Profile.
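
The fix described above can be checked before the URL is saved in the SCEP RA Profile. The following is an added example, not part of the original thread and not Cisco or Microsoft code: it lints a candidate URL for the `mscep.dll` path and builds the read-only SCEP `GetCACaps` and `GetCACert` requests to test the endpoint. The function names and the host `ndes.example.com` are assumptions made for illustration.

```python
import sys
import urllib.request
from urllib.parse import urlsplit

NDES_PATH = "/certsrv/mscep/mscep.dll"  # path quoted in the post above


def check_scep_url(url):
    """Return a list of problems with a candidate SCEP RA profile URL."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host name")
    # IIS paths are case-insensitive, so compare in lower case.
    if parts.path.lower() != NDES_PATH:
        problems.append("path must be " + NDES_PATH)
    if parts.query or parts.fragment:
        problems.append("remove the query string or fragment")
    return problems


def probe_urls(url):
    """Build the read-only SCEP GET requests (RFC 8894) for a clean URL."""
    issues = check_scep_url(url)
    if issues:
        raise ValueError("fix the URL first: " + "; ".join(issues))
    base = url.strip()
    return [base + "?operation=" + op for op in ("GetCACaps", "GetCACert")]


if __name__ == "__main__":
    # Constructed sample host; pass the real RA profile URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://ndes.example.com/certsrv"
    issues = check_scep_url(target)
    if issues:
        sys.exit(target + ": " + "; ".join(issues))
    for u in probe_urls(target):
        try:
            with urllib.request.urlopen(u, timeout=5) as resp:
                print(u, resp.status, resp.headers.get("Content-Type"))
        except OSError as exc:  # URLError and socket timeouts are OSError subclasses
            print(u, "failed:", exc)
```

Run with no argument, it rejects the constructed `/certsrv` URL and reports the missing `mscep.dll` path, which is the misconfiguration this thread ended on.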
