Author Topic: ISE SCEP Issue MS AD - BYOD (Read 34905 times)

xovercable · « **on:** April 07, 2016, 01:42:16 PM »

Hi all,

I am running into an issue with ISE and Microsoft CA. I have a two tier PKI set up, an offline Root CA and an Issuing CA. All ISE Certificates (Admin, EAP & Portal) are provided by Issuing CA. Root certificates are installed in the trusted store.

When I try to register my BYOD device, the device successfully downloads the package and accepts the root certificates from ISE. However, ISE is not able to get the certificate issued from the Issuing CA. ISE is configured as the RA. I looked through the logs on both client and ISE side and I see an error on the ISE debugs. However I am not sure how to decode that error message.

Any help will be highly appreciated.

ISE version 2.0 with patch 2
MS AD/PKI version 2008
Client Device windows7, windows 10 and Apple IMAC. Tried all three.

Debugs below:
Error on ISE debugs from ise-psc.log file

You are not allowed to view links. Register or Login[live,7675,0,0,5]
2016-04-05 23:19:32,433 DEBUG [DefaultQuartzScheduler_Worker-2][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- SCEP job scheduler statistics [pool size=0, active=0]
2016-04-05 23:19:32,663 DEBUG [portal-http-service49][] com.cisco.cpm.scep.CertRequestInfo -:::::- Found challenge password with cert template ID.
2016-04-05 23:19:32,663 DEBUG [portal-http-service49][] cisco.cpm.provisioning.cert.CertProvisioningFactory -:::::- Found incoming certifcate request for external CA. Not touching Cert Request counter.
2016-04-05 23:19:32,671 INFO [portal-http-service49][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- About to forward certificate request C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 with transaction id >|�Qz6�8�� ^��Ax� to server You are not allowed to view links. Register or Login
2016-04-05 23:19:32,675 DEBUG [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Encoding message: org.jscep.message.PkcsReq@5902ef2f[transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=PKCS_REQ,senderNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],messageData=org.bouncycastle.pkcs.PKCS10CertificationRequest@43bdbe49]
2016-04-05 23:19:32,675 DEBUG [portal-http-service49][] org.jscep.message.PkcsPkiEnvelopeEncoder -:::::- Encrypting session key using key belonging to [issuer=CN=CTEK Issuing CA, DC=CTEK, DC=COM; serial=122709060007106850062357]
2016-04-05 23:19:32,676 DEBUG [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Signing message using key belonging to [issuer=CN=CTEK Issuing CA, DC=CTEK, DC=COM; serial=106579447778026949967889]
2016-04-05 23:19:32,678 DEBUG [portal-http-service49][] org.jscep.message.PkiMessageEncoder -:::::- Signing org.bouncycastle.cms.CMSProcessableByteArray@6071fb21 content
2016-04-05 23:19:32,704 WARN [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Unable to verify message because the signedData contained no certificates.
2016-04-05 23:19:32,705 DEBUG [New I/O client worker #2-1][] org.jscep.message.PkiMessageDecoder -:::::- Decoded to: org.jscep.message.CertRep@246de576[recipientNonce=Nonce [403814a5b93c21140f96a757bb33e0a2],pkiStatus=FAILURE,failInfo=badMessageCheck,transId=61977c80534d2b5b5130d341d20322a7f907708a,messageType=CERT_REP,senderNonce=Nonce [fbc110cb906ef0419e1b227c6e5ff671],messageData=<null>]
2016-04-05 23:19:34,697 DEBUG [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Polling C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 for certificate request >|�Qz6�8�� ^��Ax� with id {}
2016-04-05 23:19:34,699 WARN [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Certificate request failed for C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 due to: badMessageCheck
2016-04-05 23:19:34,699 WARN [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Certificate request failed for C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=cuser4 due to: badMessageCheck
2016-04-05 23:19:34,700 DEBUG [portal-http-service46][] com.cisco.cpm.scep.ScepCertRequestProcessor -:::::- Found incoming certifcate request for external CA. Not touching Cert Request counter.
2016-04-05 23:19:34,710 DEBUG [portal-http-service46][] com.cisco.cpm.scep.CertRequestInfo -:::::- Found challenge password with cert template ID.

Output of client side log: spwProfileLog
[Tue Apr 05 19:03:20 2016] Logging started
[Tue Apr 05 19:03:20 2016] SPW Version: 1.0.0.46
[Tue Apr 05 19:03:20 2016] System locale is [en]
[Tue Apr 05 19:03:20 2016] Loading messages for english...
[Tue Apr 05 19:03:20 2016] Initializing profile
[Tue Apr 05 19:03:20 2016] SPW is running as High integrity Process - 12288
[Tue Apr 05 19:03:20 2016] GetProfilePath: searched path = C:\Users\Owner\AppData\Local\Temp\ for file name = spwProfile.xml result: 0
[Tue Apr 05 19:03:20 2016] GetProfilePath: searched path = C:\Users\Owner\AppData\Local\Temp\Low for file name = spwProfile.xml result: 0
[Tue Apr 05 19:03:23 2016] Profile xml not found Downloading profile configuration...
[Tue Apr 05 19:03:23 2016] Downloading profile configuration...
[Tue Apr 05 19:03:23 2016] Discovering ISE using default gateway
[Tue Apr 05 19:03:23 2016] Identifying wired and wireless network interfaces, total active interfaces: 1
[Tue Apr 05 19:03:23 2016] Network interface - mac:58-94-6B-FB-FD-44, name: Wireless Network Connection 3, type: wireless
[Tue Apr 05 19:03:23 2016] Identified default gateway: 10.1.61.254
[Tue Apr 05 19:03:23 2016] Identified default gateway: 10.1.61.254, mac address: 58-94-6B-FB-FD-44
[Tue Apr 05 19:03:23 2016] DiscoverISE - start
[Tue Apr 05 19:03:35 2016] Discovered ISE - : [ISE-PUB.ctek.com, sessionId: 0a01c907000000105704522d]

[Tue Apr 05 19:03:35 2016] DiscoverISE - end
[Tue Apr 05 19:03:35 2016] Successfully Discovered ISE: ISE-PUB.ctek.com, session id: 0a01c907000000105704522d, macAddress: 58-94-6B-FB-FD-44
[Tue Apr 05 19:03:35 2016] GetProfile - start
[Tue Apr 05 19:03:35 2016] Warning - [HTTPConnection:RetrySendRequest] InternetOpen() failed with code: [12045]
[Tue Apr 05 19:03:39 2016] GetProfile - end
[Tue Apr 05 19:03:39 2016] Successfully retrieved profile xml
[Tue Apr 05 19:03:39 2016] using V2 xml version
[Tue Apr 05 19:03:39 2016] parsing wireless connection setting
[Tue Apr 05 19:03:39 2016] Certificate template: [keysize:2048, subject:OU=Example unit,O=Company name,L=City,ST=State,C=US, SAN:MAC]
[Tue Apr 05 19:03:39 2016] set ChallengePwd
[Tue Apr 05 19:03:39 2016] Starting parsing proxy configuration
[Tue Apr 05 19:03:39 2016] ProxySettings key was not found in the configuration xml
[Tue Apr 05 19:03:40 2016] found redirect URL:
[Tue Apr 05 19:03:40 2016] Identifying wired and wireless network interfaces, total active interfaces: 1
[Tue Apr 05 19:03:40 2016] Network interface - mac:58-94-6B-FB-FD-44, name: Wireless Network Connection 3, type: wireless
[Tue Apr 05 19:03:40 2016] Wireless interface [Wireless Network Connection 3] will be configured...
[Tue Apr 05 19:03:40 2016] Host - [ name:RAJPC, mac addresses:58-94-6B-FB-FD-44;5C-26-0A-42-69-1F]
[Tue Apr 05 19:03:41 2016] ApplyProfile - Start...
[Tue Apr 05 19:03:41 2016] User Id: cuser4, sessionid: 0a01c907000000105704522d, Mac: 58-94-6B-FB-FD-44, profile: CTEK_NSP
[Tue Apr 05 19:03:41 2016] number of wireless connections to configure: 1
[Tue Apr 05 19:03:41 2016] applying certificate for ssid [CORPORATE]
[Tue Apr 05 19:03:41 2016] ApplyCert - Start...
[Tue Apr 05 19:03:41 2016] using ChallengePwd
[Tue Apr 05 19:03:41 2016] creating certificate with subject = cuser4 and subjectSuffix = OU=Example unit,O=Company name,L=City,ST=State,C=US
[Tue Apr 05 19:03:42 2016] Installed [CTEK Issuing CA, hash: ec 9b 4f bd cb d8 fe ad 4a d9 2d 97 29 c8 75 fe

03 3e ce 55

] as intermediateCA
[Tue Apr 05 19:03:45 2016] Installed [CTEK Corporate Root CA, hash: 44 56 cd de 8a f6 b9 95 c8 42 ee 09 99 29 00 d9

69 ec b5 1a

] as rootCA
[Tue Apr 05 19:03:45 2016] Installed CA cert for authMode machineOrUser - Success
[Tue Apr 05 19:03:45 2016] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [2] secs , Error:

, msg: [ Pending]

[Tue Apr 05 19:03:47 2016] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [2] secs , Error:

, msg: [ Error]

[Tue Apr 05 19:03:49 2016] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [2] secs , Error:

, msg: [ Pending]

[Tue Apr 05 19:03:51 2016] Failed to get certificate from server - Error:

HTTP Response: [HTTP/1.1 200 OK

Trans-Status: Error

Content-Length: 0

Date: Wed, 06 Apr 2016 00:03:49 GMT

Server:

]

[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert start
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert: Reading scep response file [C:\Users\Owner\AppData\Local\Temp\response.cer].
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert CreateFile failed
[Tue Apr 05 19:03:51 2016] ScepWrapper::InstallCert end
[Tue Apr 05 19:03:51 2016] Failed to install identity certificate. Error code: [183]. Check the certificate template on the CA server and the certificate issued for the client on the CA server. Certificate should be for the purpose of Client Authentication.
[Tue Apr 05 19:03:51 2016] ApplyCert - End...
[Tue Apr 05 19:03:51 2016] ApplyCert failed .... 0ca8f1b6-500d-560b-e053-75189a0ab0d1
[Tue Apr 05 19:03:51 2016] Configuring SSID proxies ...
[Tue Apr 05 19:03:51 2016] Failed to configure the device.
[Tue Apr 05 19:03:51 2016] ApplyProfile - End..

Thanks
RH

MC · « **Reply #1 on:** April 07, 2016, 11:38:33 PM »

Have you installed CA cert from both issuing and root to ISE? Can you confirm which method you are doing?
1. Using ISE internal CA as intermediate CA to issue client cert
2. Having ISE use SCEP to request certificate from your issuing CA

xovercable · « **Reply #2 on:** April 08, 2016, 11:42:31 AM »

Thank you MC for your response. I have issued both Root CA Cert and Issuing CA Cert on ISE. I am using Method 2. ISE using SCEP to request certificate from Issuing CA. Attaching screenshot of certificates from "Trusted Certificate Store". Had to snip down the screenshot to fit the attachment size.

By the way, A Big Thank You for all your videos.

MC · « **Reply #3 on:** April 10, 2016, 09:18:03 PM »

Under SCEP section on ISE, are you able to test successfully. If so, did you see ISE downloaded RA cert? Have you validated that SCEP is working correctly on the issuing CA? Would you be able to test SCEP using a router or ASA?

xovercable · « **Reply #4 on:** April 10, 2016, 09:31:57 PM »

I am able to test SCEP section on ISE. The test passed successfully. I can see RA certificates downloaded from ISE. I am going to test if I can get a certificate issued to a router.

By the way I had an older set up of CA where all CA, DNS AD were all on the same box. I could simply put in the URL of that CA and ISE could get a certificate issued from that CA. The certificate itself will not work for authentication because I have not added that as a trusted root yet. However it gave me some level of assurance that my ISE set up correct.

I think the issue is with my CA set up. However, I am not seeing an error on the CA side where it failed to issue a certificate. The error in the debugs does not give sufficient useful information on the ISE side either. I am going to test it with the router and see if I can get a certificate issued and will update the thread.

Thanks a ton for your help.

xovercable · « **Reply #5 on:** April 11, 2016, 11:40:34 AM »

Tried it with a switch and certificates cannot be issued. The authentication part is not passing. Below are the logs I am seeing along with the configuration. The HTTP message is 200K. So I guess the folders have the right permission. The content-type also shows that it is a certificate. I am thinking that means it is able to download the certificate or at least read it.

crypto pki trustpoint CTEK-ROOT-CA
enrollment mode ra
enrollment url You are not allowed to view links. Register or Login
fqdn PoE-Switch.ctek.com
subject-name cn=PoE-Switch.ctek.com,OU=IT,O=CTEK,ST=CA,C=US

$$$$$$$$$$$$$$$$
PoE-SWITCH(config)#crypto pki authenticate CTEK-ROOT-CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

PoE-SWITCH(config)#
Apr 11 18:38:12.821: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=CTEK-ROOT-CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.103.102

Apr 11 18:38:12.821: CRYPTO_PKI: locked trustpoint CTEK-ROOT-CA, refcount is 1
Apr 11 18:38:12.821: CRYPTO_PKI: can not resolve server name/IP address
Apr 11 18:38:12.821: CRYPTO_PKI: Using unresolved IP Address 10.1.103.102
Apr 11 18:38:12.821: CRYPTO_PKI: http connection opened
Apr 11 18:38:12.830: CRYPTO_PKI: Sending HTTP message

Apr 11 18:38:12.830: CRYPTO_PKI: HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.103.102

Apr 11 18:38:12.830: CRYPTO_PKI: unlocked trustpoint CTEK-ROOT-CA, refcount is 0
Apr 11 18:38:12.830: CRYPTO_PKI: locked trustpoint CTEK-ROOT-CA, refcount is 1
Apr 11 18:38:12.838: CRYPTO_PKI: unlocked trustpoint CTEK-ROOT-CA, refcount is 0
Apr 11 18:38:12.838: CRYPTO_PKI: HTTP header:
HTTP/1.1 200 OK
Content-Length: 5571
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
Date: Mon, 11 Apr 2016 18:38:12 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

Apr 11 18:38:12.838: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CTEK-ROOT-CA)

Apr 11 18:38:12.838: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
Apr 11 18:38:12.838: crypto_certc_pkcs7_extract_certs_and_crls failed
Apr 11 18:38:12.838: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

Apr 11 18:38:12.838: CRYPTO_PKI: Unable to read CA/RA certificates.
Apr 11 18:38:12.838: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Apr 11 18:38:12.838: CRYPTO_PKI: transaction GetCACert completed

MC · « **Reply #6 on:** April 12, 2016, 11:28:45 PM »

Do you see any error log on the CA? It usually gives useful info there. Please make sure CA is not setup with Challenge password and have cert approval set to auto.

xovercable · « **Reply #7 on:** May 08, 2016, 06:29:14 PM »

Hi MC,

I figured out the issue. It was due to having a wrong Certificate Template on the CA. I followed the instructions for the Certificate Template as given in the ISE Design Guide and it worked for me. Thank You for your help.

Regards

MC · « **Reply #8 on:** May 11, 2016, 04:30:18 AM »

Good to hear it is working and thanks for the update.

Search

User Info

Author Topic: ISE SCEP Issue MS AD - BYOD (Read 34905 times)

xovercable

ISE SCEP Issue MS AD - BYOD

MC

Re: ISE SCEP Issue MS AD - BYOD

xovercable

Re: ISE SCEP Issue MS AD - BYOD

MC

Re: ISE SCEP Issue MS AD - BYOD

xovercable

Re: ISE SCEP Issue MS AD - BYOD

xovercable

Re: ISE SCEP Issue MS AD - BYOD

MC

Re: ISE SCEP Issue MS AD - BYOD

xovercable

Re: ISE SCEP Issue MS AD - BYOD

MC

Re: ISE SCEP Issue MS AD - BYOD

Related Topics