ISE as SCEP server not working with Catalyst - Error Cert Length = 0

Sindbart
Level 1

Hello,

I'm trying to use ISE in version 3.1 as a SCEP server for my Catalyst 9300 switches, to enroll a client certificate from my ISE root CA.

After adding the ISE trustpoint to my switch, it fails when I try to authenticate the server certificate via the following command:

crypto pki authenticate LAB-ISE

The following error occurs:

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

When I manually enter the server certificate of ISE via trustpoint enrollment terminal, it's working fine. With this I validated that my server certificate is not the issue.

I also tested the same functionality with a Windows Server which is working without any issues.


My ISE configuration:

[screenshot attachment: ise-ca.png]

My Catalyst configuration:

[screenshot attachment: ise-ca2.png]

I was thinking that the ISE is maybe requesting more optional values which can be added to the trustpoint, maybe this is the root cause for my issue. I sadly don't find any information in my switch log or the ISE debug log for CA services.

Does anyone have an idea how to make the SCEP enrollment work with my Catalyst?

Best regards
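As an added diagnostic (not part of the original post or of any Cisco tool), the script below classifies what a SCEP server returns for the GetCACert operation, which is the request `crypto pki authenticate` sends before it can report a CA certificate length. The endpoint URL in the usage block is a placeholder assumption; the sample responses are constructed so the check runs offline.

```python
"""Classify a SCEP GetCACert response (RFC 8894, section 4.2).

Added example, not from the original thread. The switch error
"cert length = 0" corresponds to the empty-body case below.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Content types a SCEP client accepts for GetCACert (RFC 8894, 4.2.1)
CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "single DER CA certificate",
    "application/x-x509-ca-ra-cert": "degenerate PKCS#7 holding CA and RA certs",
}


def classify_getcacert(status, content_type, body):
    """Return (ok, reason) for one GetCACert HTTP response."""
    if status != 200:
        return False, f"HTTP {status}: wrong SCEP path or service not enabled"
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in CA_CERT_TYPES:
        return False, f"unexpected Content-Type {ctype!r}"
    if not body:
        return False, "empty body: matches the IOS 'cert length = 0' error"
    if body[0] != 0x30:
        # Both a DER certificate and a PKCS#7 ContentInfo start with SEQUENCE
        return False, "body is not DER (no SEQUENCE tag); maybe an HTML error page"
    return True, f"{len(body)} bytes of {CA_CERT_TYPES[ctype]}"


def fetch_getcacert(base_url, ca_ident="", timeout=5):
    """Send a live GetCACert request to a SCEP endpoint and classify the reply."""
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    req = urllib.request.Request(f"{base_url}?{query}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return classify_getcacert(resp.status, ctype, resp.read())
    except urllib.error.HTTPError as err:
        return classify_getcacert(err.code, "", b"")


if __name__ == "__main__":
    # Constructed samples: a plausible DER prefix and the failure shapes.
    good = b"\x30\x82\x01\x00" + b"\x00" * 4
    print(classify_getcacert(200, "application/x-x509-ca-cert", good))
    print(classify_getcacert(200, "application/x-x509-ca-ra-cert", b""))
    print(classify_getcacert(200, "text/html", b"<html>error</html>"))
    # Placeholder URL; replace with the real SCEP endpoint to test live:
    # print(fetch_getcacert("http://scep.example.invalid/cgi-bin/pkiclient.exe"))
```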

1 Reply

Greg Gibbs
Cisco Employee

The ISE internal CA is only built and intended to be used for the BYOD use case (and possibly to generate certificates for pxGrid). There is limited customisation available and it would not be supported for the purpose you are attempting.

For SCEP services, you should leverage a real Enterprise CA like MS AD Cert Services.