
ISE BYOD Certificate Issue with external CA using SCEP

xovercable
Level 1

Hi,

I am running into an issue where ISE is unable to get the certificate issued from an external CA. All ISE certificates are issued by this CA, and normal authentication with and without certificates is working. However, during BYOD on-boarding it fails in the middle of the installation. I looked through the debugs on the client side and the ISE side. I can see some errors on the ISE side; however, I am not able to understand what the error message means.

I suspect the issue is with the external CA, because when I connected the same ISE set up to another external CA, I could successfully get a certificate downloaded to the client. However, this did not help my situation because that is not a trusted CA in my ISE Trusted store. I am copying the error section of both the client and ISE debugs. The client is a Windows 7 laptop.

I would appreciate it if some light could be shed on the error message.

4 Replies

xovercable
Level 1

The post did not allow me to add the debugs, complaining of invalid characters. Giving it a shot as a reply:

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Error on ISE debugs from ise-psc.log file
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
http://127.0.0.1:9444/caservice/scep[live,7675,0,0,5]
2016-04-05 23:19:32,433 DEBUG  [DefaultQuartzScheduler_Worker-2][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- SCEP job scheduler statistics [pool size=0, active=0]
2016-04-05 23:19:32,663 DEBUG  [portal-http-service49][] com.cisco.cpm.scep.CertRequestInfo -:::::- Found challenge password with cert template ID.
2016-04-05 23:19:32,663 DEBUG  [portal-http-service49][] cisco.cpm.provisioning.cert.CertProvisioningFactory -:::::- Found incoming certifcate request for external CA. Not touching Cert Request counter.
2016-04-05 23:19:32,671 INFO   [portal-http-service49][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- About to forward certificate request C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 with transaction id  >|�Qz6�8�� � � ^�����Ax�  to server http://10.1.103.102/certsrv/mscep
2016-04-05 23:19:32,675 DEBUG  [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Encoding message: org.jscep.message.PkcsReq@5902ef2f[transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=PKCS_REQ,senderNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],messageData=org.bouncycastle.pkcs.PKCS10CertificationRequest@43bdbe49]
2016-04-05 23:19:32,675 DEBUG  [portal-http-service49][] org.jscep.message.PkcsPkiEnvelopeEncoder -:::::- Encrypting session key using key belonging to [issuer=CN=CTEK Issuing CA, DC=CTEK, DC=COM; serial=122709060007106850062357]
2016-04-05 23:19:32,676 DEBUG  [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Signing message using key belonging to [issuer=CN=CTEK Issuing CA, DC=CTEK, DC=COM; serial=106579447778026949967889]
2016-04-05 23:19:32,678 DEBUG  [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Signing org.bouncycastle.cms.CMSProcessableByteArray@6071fb21 content
2016-04-05 23:19:32,704 WARN   [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Unable to verify message because the signedData contained no certificates.
2016-04-05 23:19:32,705 DEBUG  [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Decoded to: org.jscep.message.CertRep@246de576[recipientNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],pkiStatus=FAILURE,failInfo=badMessageCheck,transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=CERT_REP,senderNonce=Nonce [fbc110cb906ef0419e1b227c6e5ff671],messageData=<null>]
2016-04-05 23:19:34,697 DEBUG  [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Polling C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 for certificate request  >|�Qz6�8�� � � ^�����Ax�  with id {}
2016-04-05 23:19:34,699 WARN   [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Certificate request failed for C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 due to: badMessageCheck
2016-04-05 23:19:34,699 WARN   [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Certificate request failed for C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 due to: badMessageCheck
2016-04-05 23:19:34,700 DEBUG  [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Found incoming certifcate request for external CA. Not touching Cert Request counter.
2016-04-05 23:19:34,710 DEBUG  [portal-http-service46][] com.cisco.cpm.scep.CertRequestInfo -:::::- Found challenge password with cert template ID.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Output of client side log: spwProfileLog
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

[Tue Apr 05 19:03:20 2016] Logging started
[Tue Apr 05 19:03:20 2016] SPW Version: 1.0.0.46
[Tue Apr 05 19:03:20 2016] System locale is [en]
[Tue Apr 05 19:03:20 2016] Loading messages for english...
[Tue Apr 05 19:03:20 2016] Initializing profile
[Tue Apr 05 19:03:20 2016] SPW is running as High integrity Process - 12288
[Tue Apr 05 19:03:20 2016] GetProfilePath: searched path = C:\Users\Owner\AppData\Local\Temp\ for file name = spwProfile.xml result: 0
[Tue Apr 05 19:03:20 2016] GetProfilePath: searched path = C:\Users\Owner\AppData\Local\Temp\Low for file name = spwProfile.xml result: 0
[Tue Apr 05 19:03:23 2016] Profile xml not found Downloading profile configuration...
[Tue Apr 05 19:03:23 2016] Downloading profile configuration...
[Tue Apr 05 19:03:23 2016] Discovering ISE using default gateway
[Tue Apr 05 19:03:23 2016] Identifying wired and wireless network interfaces, total active interfaces: 1
[Tue Apr 05 19:03:23 2016] Network interface - mac:58-94-6B-FB-FD-44, name: Wireless Network Connection 3, type: wireless
[Tue Apr 05 19:03:23 2016] Identified default gateway: 10.1.61.254
[Tue Apr 05 19:03:23 2016] Identified default gateway: 10.1.61.254, mac address: 58-94-6B-FB-FD-44
[Tue Apr 05 19:03:23 2016] DiscoverISE - start
[Tue Apr 05 19:03:35 2016] Discovered ISE - : [ISE-PUB.ctek.com, sessionId: 0a01c907000000105704522d]

[Tue Apr 05 19:03:35 2016] DiscoverISE - end
[Tue Apr 05 19:03:35 2016] Successfully Discovered ISE: ISE-PUB.ctek.com, session id: 0a01c907000000105704522d, macAddress: 58-94-6B-FB-FD-44
[Tue Apr 05 19:03:35 2016] GetProfile - start
[Tue Apr 05 19:03:35 2016] Warning - [HTTPConnection:RetrySendRequest] InternetOpen() failed with code: [12045]
[Tue Apr 05 19:03:39 2016] GetProfile - end
[Tue Apr 05 19:03:39 2016] Successfully retrieved profile xml
[Tue Apr 05 19:03:39 2016] using V2 xml version
[Tue Apr 05 19:03:39 2016] parsing wireless connection setting
[Tue Apr 05 19:03:39 2016] Certificate template: [keysize:2048, subject:OU=Example unit,O=Company name,L=City,ST=State,C=US, SAN:MAC]
[Tue Apr 05 19:03:39 2016] set ChallengePwd
[Tue Apr 05 19:03:39 2016] Starting parsing proxy configuration
[Tue Apr 05 19:03:39 2016] ProxySettings key was not found in the configuration xml
[Tue Apr 05 19:03:40 2016] found redirect URL:
[Tue Apr 05 19:03:40 2016] Identifying wired and wireless network interfaces, total active interfaces: 1
[Tue Apr 05 19:03:40 2016] Network interface - mac:58-94-6B-FB-FD-44, name: Wireless Network Connection 3, type: wireless
[Tue Apr 05 19:03:40 2016] Wireless interface [Wireless Network Connection 3] will be configured...
[Tue Apr 05 19:03:40 2016] Host - [ name:RAJPC, mac addresses:58-94-6B-FB-FD-44;5C-26-0A-42-69-1F]
[Tue Apr 05 19:03:41 2016] ApplyProfile - Start...
[Tue Apr 05 19:03:41 2016] User Id: cuser4, sessionid: 0a01c907000000105704522d, Mac: 58-94-6B-FB-FD-44, profile: CTEK_NSP
[Tue Apr 05 19:03:41 2016] number of wireless connections to configure: 1
[Tue Apr 05 19:03:41 2016] applying certificate for ssid [CORPORATE]
[Tue Apr 05 19:03:41 2016] ApplyCert - Start...
[Tue Apr 05 19:03:41 2016] using ChallengePwd
[Tue Apr 05 19:03:41 2016] creating certificate with subject = cuser4 and subjectSuffix = OU=Example unit,O=Company name,L=City,ST=State,C=US
[Tue Apr 05 19:03:42 2016] Installed [CTEK Issuing CA, hash: ec 9b 4f bd cb d8 fe ad  4a d9 2d 97 29 c8 75 fe 03 3e ce 55] as intermediateCA
[Tue Apr 05 19:03:45 2016] Installed [CTEK Corporate Root CA, hash: 44 56 cd de 8a f6 b9 95  c8 42 ee 09 99 29 00 d9 69 ec b5 1a] as rootCA
[Tue Apr 05 19:03:45 2016] Installed CA cert for authMode machineOrUser - Success
[Tue Apr 05 19:03:45 2016] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [2] secs , Error: [0], msg: [ Pending]
[Tue Apr 05 19:03:47 2016] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [2] secs , Error: [0], msg: [ Error]
[Tue Apr 05 19:03:49 2016] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [2] secs , Error: [0], msg: [ Pending]
[Tue Apr 05 19:03:51 2016] Failed to get certificate from server - Error: [0]
 HTTP Response: [HTTP/1.1 200 OK
Trans-Status: Error
Content-Length: 0
Date: Wed, 06 Apr 2016 00:03:49 GMT
Server:
]
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert start
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert: Reading scep response file  [C:\Users\Owner\AppData\Local\Temp\response.cer].
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert CreateFile failed
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert end
[Tue Apr 05 19:03:51 2016] Failed to install identity certificate. Error code: [183]. Check the certificate template on the CA server and the certificate issued for the client on the CA server. Certificate should be for the purpose of Client Authentication.
[Tue Apr 05 19:03:51 2016] ApplyCert - End...
[Tue Apr 05 19:03:51 2016] ApplyCert failed ....  0ca8f1b6-500d-560b-e053-75189a0ab0d1
[Tue Apr 05 19:03:51 2016] Configuring SSID proxies ...
[Tue Apr 05 19:03:51 2016] Failed to configure the device.
[Tue Apr 05 19:03:51 2016] ApplyProfile - End..
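As an added example (not code from the thread), a small Python triage script that correlates the SCEP request and CA reply lines in an ise-psc.log excerpt by transId and checks the nonce echo; the regexes are assumptions fitted to the jscep line format shown above, and the sample lines are taken from the post with the unprintable transaction-id bytes replaced by "?".

```python
import re

# Constructed sample: four lines from the ise-psc.log excerpt posted above (transaction id bytes replaced by "?").
SAMPLE_LOG = """\
2016-04-05 23:19:32,671 INFO   [portal-http-service49][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- About to forward certificate request C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 with transaction id  ?  to server http://10.1.103.102/certsrv/mscep
2016-04-05 23:19:32,675 DEBUG  [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Encoding message: org.jscep.message.PkcsReq@5902ef2f[transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=PKCS_REQ,senderNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],messageData=org.bouncycastle.pkcs.PKCS10CertificationRequest@43bdbe49]
2016-04-05 23:19:32,704 WARN   [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Unable to verify message because the signedData contained no certificates.
2016-04-05 23:19:32,705 DEBUG  [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Decoded to: org.jscep.message.CertRep@246de576[recipientNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],pkiStatus=FAILURE,failInfo=badMessageCheck,transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=CERT_REP,senderNonce=Nonce [fbc110cb906ef0419e1b227c6e5ff671],messageData=<null>]
"""

# Regexes are assumptions matched against the jscep/ISE line formats shown in the post.
THREAD_RE = re.compile(r"^\S+ \S+ \w+\s+\[([^\]]+)\]")
FORWARD_RE = re.compile(r"About to forward certificate request (.+?) with transaction id .* to server (\S+)")
REQ_RE = re.compile(r"PkcsReq@\w+\[transId=([0-9a-f]+),messageType=PKCS_REQ,senderNonce=Nonce \[([0-9a-f]+)\]")
REP_RE = re.compile(r"CertRep@\w+\[recipientNonce=Nonce \[([0-9a-f]+)\],pkiStatus=(\w+)(?:,failInfo=(\w+))?,transId=([0-9a-f]+)")
UNVERIFIED = "signedData contained no certificates"

def triage_scep(log_text):
    """Correlate each forwarded SCEP request with the CA's CertRep, keyed by transId."""
    pending = {}        # thread -> (subject, server): request forwarded, transId not yet logged
    unverified = set()  # threads on which jscep could not verify the reply's signature
    jobs = {}
    for line in log_text.splitlines():
        m = THREAD_RE.match(line)
        if not m:
            continue
        thread = m.group(1)
        if f := FORWARD_RE.search(line):
            pending[thread] = (f.group(1), f.group(2))      # the same thread logs the transId next
        elif (r := REQ_RE.search(line)) and thread in pending:
            subject, server = pending.pop(thread)
            jobs[r.group(1)] = {"subject": subject, "server": server, "senderNonce": r.group(2),
                                "pkiStatus": None, "failInfo": None, "nonce_ok": None, "reply_unverified": False}
        elif UNVERIFIED in line:
            unverified.add(thread)                          # the CertRep follows on this I/O thread
        elif (p := REP_RE.search(line)) and p.group(4) in jobs:
            job = jobs[p.group(4)]
            job["pkiStatus"], job["failInfo"] = p.group(2), p.group(3)
            job["nonce_ok"] = p.group(1) == job["senderNonce"]   # recipientNonce must echo our senderNonce
            job["reply_unverified"] = thread in unverified
            unverified.discard(thread)
    return jobs

def failed_requests(jobs):
    """Subjects whose enrollment the CA rejected, with the SCEP failInfo reason."""
    return [(j["subject"], j["failInfo"]) for j in jobs.values() if j["pkiStatus"] == "FAILURE"]
```

Running `failed_requests(triage_scep(SAMPLE_LOG))` on the posted lines reports cuser4 rejected with badMessageCheck, and the job record also shows that the reply carried no signer certificate for ISE to verify.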

Hi xovercable,

I am facing the same issue using the ISE internal CA. Please let us know if the above issue has been resolved, and if yes, how?

Thanks in Advance

Regards,

Vikas

I can't remember exactly the reason because we ran into several issues :-). But I believe the following was the reason.

The Exchange Enrollment Agent Certificate that got created was invalid due to the sequence in which it was created. So I had to delete the Exchange Enrollment Agent Certificate, and the system recreates a new one when you restart the CA server.

But the cause for your problem may be different.  Did you verify the NDES itself is working by going to the CA server URL?

http://<FQDN of NDES Server>/certsrv/mscep/mscep.dll

Hi,

Check the certificate template on the CA server and the certificate issued for the client on the CA server. Certificate should be for the purpose of Client Authentication.