Re: Deploy LSC via 9800 using NDES with UseSinglePassword=1 enabled

Tobias Heisele · ‎03-26-2024

Hi,

I checked several guides how to deploy LSC on C9800 WLCs (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9100-access-points/221127-configure-locally-significant-certificat.html / https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-management/215557-configure-scep-for-locally-significant-c.html), but the option to use a permanent password (not OTP) to authenticate towards the NDES server is never mentioned.
Within the trustpoint context, a password can be set, but according to the documentation this password if used to revocate the certificate.
Is there a chance to use a NDES server that has UseSinglePassword option enabled?

marce1000 · ‎03-26-2024

- On the NDES server edit the registry target (name) :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword
which is set to 0 by default ; change the value to 1 instead ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Tobias Heisele · ‎03-26-2024

But how need the WLC to be configured to send this password?

marce1000 · ‎03-26-2024

- In a first reaction I would presume that to be explained in the documentation (links) that you provided , if not clear ask further , = contact TAC for explanations and guidelines,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '