ISE 1.1.3 and Cisco IOS SCEP

michelbijnsdorp
Level 1

Hi,

I'm running Cisco ISE 1.1.3.124 and a Cisco IOS 2811 (c2800nm-spservicesk9-mz.150-1.M2.bin) which I configured to be a SCEP server.

PKI authentication and enrollment of a Cisco switch with this SCEP server is running well, but BYOD client enrollment via EAP-TLS (1024/2048) gives me the following error on the Cisco IOS SCEP server:

SCEP#
.Mar 17 15:21:59.446: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
        Protocol = HTTP/1.1 Method = GET Query = operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU
AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA
TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF
.Mar 17 15:21:59.446:
.Mar 17 15:21:59.454: CRYPTO_CS: received a SCEP request, 3652 bytes
.Mar 17 15:21:59.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_10
.Mar 17 15:21:59.482: CRYPTO_CS: scep msg type - 19
.Mar 17 15:21:59.482: CRYPTO_CS: trans id - 9871e81c65121310b77df8b341c7c887a5392da2
.Mar 17 15:21:59.486: CRYPTO_CS: failed to open env data
.Mar 17 15:21:59.486: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_10
.Mar 17 15:21:59.486: CRYPTO_CS: failed to read SCEP request
.Mar 17 15:21:59.502: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
SCEP#

I'm stuck now on the message "failed to open env data". So can anyone explain what the meaning of this message is, or maybe know if IOS SCEP with ISE is supported?

Thanks in advance.

greetz Michel

btw the tracelog of the switch enrollment with IOS SCEP is below:

SCEP#
.Mar 17 14:57:10.932: Sun, 17 Mar 2013 14:57:10 GMT 10.0.0.161 /cgi-bin/pkiclient.exe ok
        Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI
hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB
ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB
BQAEgYAo/LNaINm+tcgzF8V8d7d5x
.Mar 17 14:57:10.932:
.Mar 17 14:57:10.936: CRYPTO_CS: received a SCEP request, 2210 bytes
.Mar 17 14:57:10.940: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1   
.Mar 17 14:57:10.948: CRYPTO_CS: scep msg type - 19
.Mar 17 14:57:10.948: CRYPTO_CS: trans id - 59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1   
.Mar 17 14:57:11.040: CRYPTO_CS: received an enrollment request
.Mar 17 14:57:11.040: CRYPTO_PKI: creating trustpoint clone ise1
.Mar 17 14:57:11.040: CRYPTO_CS: checking policy for enrollment request ID=1
.Mar 17 14:57:11.040: CRYPTO_CS: request has been authorized, transaction id=59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: locking the CS
.Mar 17 14:57:11.040: CRYPTO_CS: added CDP extension
.Mar 17 14:57:11.044: CRYPTO_CS: added key usage extension
.Mar 17 14:57:11.044: CRYPTO_CS: Validity: 13:57:11 UTC Mar 17 2013-13:57:11 UTC Oct 3 2013

.Mar 17 14:57:11.128: CRYPTO_CS: writing serial number 0x2.
.Mar 17 14:57:11.180: CRYPTO_CS: file opened: nvram:ise.ser
.Mar 17 14:57:11.180: CRYPTO_CS: Writing 32 bytes to ser file
.Mar 17 14:57:13.864: CRYPTO_CS: reqID=1 granted, fingerprint=2
.Mar 17 14:57:13.864: CRYPTO_CS: unlocking the CS
.Mar 17 14:57:13.864: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1   
.Mar 17 14:57:13.984: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1   
.Mar 17 14:57:13.988: CRYPTO_CS: Certificate generated and sent to requestor
.Mar 17 14:57:13.988: CRYPTO_CS: removing trustpoint clone ise1
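Both traces print the beginning of the PKIOperation message in base64, so the outer PKCS#7 layers can be read straight from the log. The example below is added here and is my own code, not Cisco's or ISE's; it assumes only the PKCS#7 (RFC 2315) and SCEP (RFC 8894) layouts, and its two sample inputs are the message prefixes exactly as printed in the traces above, joined across the wrapped log lines. It reports whether the client used DER definite-length or BER indefinite-length encoding, follows SignedData down to the pkcsPKIEnvelope, and extracts the issuer and serial number of the certificate the envelope was encrypted to, which is the certificate whose private key the SCEP server must hold to open the enveloped data.

```python
"""Decode the base64 PKCS#7 blob from a SCEP PKIOperation GET and walk its outer
layers: ContentInfo -> SignedData -> encapsulated data -> EnvelopedData -> RecipientInfo.
Added example, not Cisco/ISE code; sample inputs are the logged prefixes from the post."""
import base64
from urllib.parse import unquote

OID_NAMES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.5.4.3": "CN",
}


class Reader:
    """Minimal BER/DER tag-length-value reader, enough for the SCEP outer layers."""

    def __init__(self, data):
        self.data, self.pos, self.indefinite_seen = data, 0, False

    def header(self, expected=None):
        """Consume tag and length; length is None for BER indefinite-length (0x80)."""
        tag, first = self.data[self.pos], self.data[self.pos + 1]
        self.pos += 2
        if expected is not None and tag != expected:
            raise ValueError(f"expected tag 0x{expected:02x}, got 0x{tag:02x}")
        if first == 0x80:
            self.indefinite_seen = True
            return tag, None
        if first & 0x80:                      # long form: next (first & 0x7f) bytes hold the length
            n = first & 0x7F
            length = int.from_bytes(self.data[self.pos:self.pos + n], "big")
            self.pos += n
            return tag, length
        return tag, first                     # short form

    def value(self, expected=None):
        """Consume a primitive element and return its content bytes."""
        _, length = self.header(expected)
        if length is None:
            raise ValueError("primitive element with indefinite length")
        chunk = self.data[self.pos:self.pos + length]
        if len(chunk) != length:
            raise IndexError("truncated")
        self.pos += length
        return chunk

    def oid(self):
        b = self.value(0x06)
        arcs, val = [b[0] // 40, b[0] % 40], 0
        for x in b[1:]:                       # base-128 arcs, high bit = continuation
            val = (val << 7) | (x & 0x7F)
            if not x & 0x80:
                arcs.append(val)
                val = 0
        dotted = ".".join(map(str, arcs))
        return OID_NAMES.get(dotted, dotted)


def decode_scep_query(query):
    """Return the raw PKCS#7 bytes from a PKIOperation query string. A trailing
    partial base64 group (a debug log that cut the message short) is dropped."""
    params = dict(part.partition("=")[::2] for part in query.split("&"))
    if params.get("operation") != "PKIOperation":
        raise ValueError("not a PKIOperation request")
    b64 = "".join(unquote(params["message"]).split())   # undo %-escapes and line wrapping
    return base64.b64decode(b64[: len(b64) // 4 * 4])


def inspect_pki_message(data):
    """Report encoding style, what the SignedData wraps, and which certificate
    (issuer + serial) the inner envelope is addressed to."""
    r, info = Reader(data), {}
    try:
        _, info["declared_length"] = r.header(0x30)      # ContentInfo; None => indefinite
        info["content_type"] = r.oid()
        r.header(0xA0); r.header(0x30)                     # content [0] EXPLICIT, SignedData
        info["version"] = int.from_bytes(r.value(0x02), "big")
        r.header(0x31); r.header(0x30)                     # digestAlgorithms SET OF AlgorithmIdentifier
        info["digest_algorithm"] = r.oid()
        r.value(0x05)                                      # NULL parameters
        r.header(0x30)                                     # encapContentInfo
        info["encapsulated_type"] = r.oid()
        r.header(0xA0)                                     # eContent [0] EXPLICIT
        tag, _ = r.header()                                # 0x04 primitive / 0x24 constructed OCTET STRING
        info["econtent_octet_string"] = "constructed" if tag == 0x24 else "primitive"
        if tag == 0x24:
            r.header(0x04)                                 # first chunk of the constructed string
        r.header(0x30)                                     # inner ContentInfo (pkcsPKIEnvelope)
        info["inner_content_type"] = r.oid()
        r.header(0xA0); r.header(0x30)                     # [0] EXPLICIT, EnvelopedData
        info["envelope_version"] = int.from_bytes(r.value(0x02), "big")
        r.header(0x31); r.header(0x30)                     # recipientInfos, KeyTransRecipientInfo
        r.value(0x02)                                      # RecipientInfo version
        for t in (0x30, 0x30, 0x31, 0x30):                 # IssuerAndSerialNumber, Name, RDN, AttributeTypeAndValue
            r.header(t)
        attr = r.oid()
        info["recipient_issuer"] = f"{attr}={r.value().decode('ascii', 'replace')}"
        info["recipient_serial"] = int.from_bytes(r.value(0x02), "big")
    except IndexError:
        info["truncated"] = True
    info["encoding"] = "BER indefinite-length" if r.indefinite_seen else "DER definite-length"
    return info


# Sample inputs: the query strings as printed in the two traces above (prefixes only).
ISE_QUERY = ("operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU"
             "AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA"
             "TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF")
SWITCH_QUERY = ("operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI"
                "hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB"
                "ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB"
                "BQAEgYAo/LNaINm+tcgzF8V8d7d5x")

if __name__ == "__main__":
    for name, q in (("ISE", ISE_QUERY), ("switch", SWITCH_QUERY)):
        print(name, inspect_pki_message(decode_scep_query(q)))
```

Run on the two prefixes, the switch message is definite-length DER with a primitive OCTET STRING and its envelope is addressed to issuer CN=ca.westwijzer.nl, serial 1; the ISE message is indefinite-length BER with a constructed OCTET STRING and its envelope is addressed to issuer CN=ise, serial 1. The decoder only makes those differences visible; whether the IOS certificate server actually holds the certificate ISE encrypted to (compare against "show crypto pki certificates" on the router and the CA certificate ISE downloaded for its SCEP profile), and whether its parser accepts the BER form at all, are the two things to verify on the device.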

2 Replies

Marcin Latosiewicz
Cisco Employee

Michel,

Officially supported it is not:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud86973

Some people mentioned various degrees of "having it working".

In your case it's the envelope data which appears to be a problem for IOS.

M.

Hi Marcin,

Thanks for this quick response, but is there already a sort of ISE future planning where this feature request is planned to be working? Or maybe point me to these "having it working" links?

Thanks in advance. M