ISE SCEP connection to Win2003 server unsuccessful

tgrundbacher
Level 1

I'm trying to get SCEP enrollment for BYOD on-boarding to work with a Win2k3 server; so far it keeps failing. On the ISE (1.1.1), when I enter the path to the SCEP server ('https://<W2k3_srv_name>/certsrv/mscep/mscep.dll'), the connectivity test fails when hitting the "Test Connectivity" button; the error message is "Connection to SCEP server failed. Remotely Closed [id: 0x00313434]". Strangely, the settings can be saved and ISE won't complain, although the ISE user guide says that the ISE will check the connectivity anyway when saving the settings.

In the end, the on-boarding process doesn't work and stops at the stage where the cert enrollment should take place (on various platforms).

See the Win2k3 event log error attached.

Any ideas or experiences?

Thanks

Toni

4 Replies

Tarik Admani
VIP Alumni

Hi,

Try using http (you are using https) and see if this works for you.

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik

Thanks for your support - we've also tried with HTTP, yet without success. Meanwhile we've set up a 2008 server with SCEP running on it; with this one it seems to work fine now. I deliberately say *seems to work*, since I still can't get the on-boarding process to finish successfully (see attached picture).

It works if you use an internal client on the LAN and request a cert directly from the SCEP server via IE. But for the BYOD devices, no certificates are being rolled out, and no errors or logs on the ISE, on the SCEP server or on the client indicate what's going wrong. I can't open a TAC case since this is a PoC with an Eval license and the customer will only buy the Advanced license if they like what they see...

chris_day
Level 1

Did you tell the SCEP server what template to use for network devices? Also could you post up your policies?

Chris, please find some screenshots of the cert template and the ISE policies in the attachment. Meanwhile we could prove that the ISE doesn't send a single packet towards the SCEP server during the on-boarding process. We can see a packet arriving when we test the SCEP connection from the ISE to the server.