Author Topic: ISSUES WITH SCEP SERVER  (Read 36832 times)

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
ISSUES WITH SCEP SERVER
« on: September 03, 2013, 01:28:50 AM »
I am trying to set up device onboarding with Cisco ISE. Everything was working fine until I got to a stage where the iPad returns an error that the SCEP server could not be contacted, but this is not the same when using the connectivity test from ISE.

I have set up these two on my SCEP container at different times:

You are not allowed to view links. Register or Login

You are not allowed to view links. Register or Login

I receive a connectivity response from both, but the Apple iPad returns that SCEP could not be contacted. Any help? I definitely know I am missing something here.

Here is exact error message:

"Profile Installation failed: The SCEP server returned an invalid response"

This is the log I have from my CA server:

"The Network Device Enrollment Service cannot convert encoded portions of the client's http message, or the converted message is larger than 64K (0x80004003).  Invalid pointer"

Thanks for your prompt reply.

Cheers.
« Last Edit: September 03, 2013, 03:22:12 AM by adecisco »
Technology makes life easy but I hope the same technology will not send man back to stone age!
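
The CA log entry quoted in the post above names two failure conditions for the encoded part of the client's request: it cannot be converted, or the converted message is larger than 64K. As an added illustration (not from the thread, and not a diagnosis of this poster's setup), the Python below applies those two checks to the `message` parameter of a SCEP GET URL in the standard `operation=PKIOperation&message=` layout; the host name, sample bytes and status labels are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs, quote

MAX_DECODED = 64 * 1024  # the "64K" limit quoted in the NDES log message

# Constructed placeholders: example host on the default NDES path, and six
# bytes that start with the DER SEQUENCE tag (not a real PKCS#7 message).
BASE = "http://ca.example.test/certsrv/mscep/mscep.dll"
SAMPLE = b"\x30\x04\x00\xfb\xef\xbe"  # base64 of this contains '+'


def build_get_url(base, der, percent_encode=True):
    """Build a SCEP GET URL; percent_encode=False mimics a client that
    sends the base64 text without escaping '+', '/' and '='."""
    b64 = base64.b64encode(der).decode("ascii")
    msg = quote(b64, safe="") if percent_encode else b64
    return f"{base}?operation=PKIOperation&message={msg}"


def check_scep_get(url):
    """Classify a SCEP GET URL by the conditions the log message names."""
    # parse_qs applies form decoding: %XX is decoded, a raw '+' becomes a space.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("operation", [""])[0] != "PKIOperation":
        return "not-pkioperation"
    message = query.get("message", [""])[0]
    try:
        der = base64.b64decode(message, validate=True)
    except (binascii.Error, ValueError):
        return "cannot-convert"    # encoded portion does not decode
    if len(der) > MAX_DECODED:
        return "too-large"         # converted message exceeds 64K
    if not der.startswith(b"\x30"):
        return "not-der-sequence"  # a PKCS#7 message is a DER SEQUENCE
    return "ok"


if __name__ == "__main__":
    for label, url in [
        ("escaped", build_get_url(BASE, SAMPLE)),
        ("unescaped", build_get_url(BASE, SAMPLE, percent_encode=False)),
        ("oversized", build_get_url(BASE, b"\x30" + b"\x00" * MAX_DECODED)),
    ]:
        print(label, check_scep_get(url))
```
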

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISSUES WITH SCEP SERVER
« Reply #1 on: September 03, 2013, 08:22:18 AM »
Would you be able to test SCEP from a switch or a router and make sure they can get a certificate to confirm the server is set up correctly? Is the CA Windows 2003 or 2008?

Offline adecisco

Re: ISSUES WITH SCEP SERVER
« Reply #2 on: September 03, 2013, 09:01:17 PM »
The CA is Windows 2008.

Offline MC

Re: ISSUES WITH SCEP SERVER
« Reply #3 on: September 03, 2013, 11:09:57 PM »
Definitely try to run SCEP on a router or switch to see if that works first. You might also want to review the videos below and see if you missed anything.

You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login

Offline adecisco

Re: ISSUES WITH SCEP SERVER
« Reply #4 on: September 04, 2013, 01:00:10 AM »
Thanks for your reply. I will definitely go through the videos to cross-check where things are missing.
In the meanwhile, what can you make of this message from the Windows 2008 server:

"The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005).  Bad Data"

Thanks.

Offline MC

Re: ISSUES WITH SCEP SERVER
« Reply #5 on: September 04, 2013, 09:55:23 PM »
Errors in the Microsoft cert server log are usually helpful, but unfortunately this one is rather cryptic and vague. Most SCEP issues I ran into in the past were either permission issues or cert template related, as ISE likes the template to be a certain way for things to work. I would assume this is something along the same lines.

Offline adecisco

Re: ISSUES WITH SCEP SERVER
« Reply #6 on: September 07, 2013, 06:05:49 AM »
Thanks for your help. I found where the problem is: the Windows 2008 server is not R2, so other features that could have made BYOD work were not present.

Regards,

Offline Unibog

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 1
  • Certification: N/A
Re: ISSUES WITH SCEP SERVER
« Reply #7 on: September 11, 2013, 06:08:10 AM »
I found the hardest part of getting it working was choosing the right certificate template. Once I got the right certificate template, everything started working for me.

Which template did you use?

Also, using the Apple iPhone Configuration Utility let me test SCEP pretty quickly, setting up policies and being able to change them on the fly before we configured our MDM to enroll devices.

Let me know if you need any screenshots and I can post my settings.

Thanks

Offline MC

Re: ISSUES WITH SCEP SERVER
« Reply #8 on: September 11, 2013, 06:51:54 PM »
The User template has been working just fine for me, although you would need to modify it to use the attributes as specified in the cert request. Using the iPhone Configuration Utility is certainly another good way to test SCEP. Share a screenshot if you could, for the others' benefit.
Just curious, which MDM vendor do you integrate with, and how well does it work?

Offline adecisco

Re: ISSUES WITH SCEP SERVER
« Reply #9 on: September 12, 2013, 09:08:47 PM »
MC

Is there a video on iPEP setup and configuration?

Thanks.

Offline MC

Re: ISSUES WITH SCEP SERVER
« Reply #10 on: September 13, 2013, 08:19:03 PM »
adecisco, unfortunately, no. iPEP requires an appliance and we do not have it in our lab.

Offline Unibog

Re: ISSUES WITH SCEP SERVER
« Reply #11 on: September 19, 2013, 11:42:28 AM »
MC, we are using Citrix XenMobile, which was formerly known as Zenprise. We have over 100 Apple devices on it and it works well. Currently our mobile devices sit on a segregated network where they only get internet access, but we are going to enroll them all in our corp network using SCEP. XenMobile works pretty slick for this. Too bad Android devices don't support SCEP, as we are allowing users to pick those devices too.

Offline MC

Re: ISSUES WITH SCEP SERVER
« Reply #12 on: September 19, 2013, 09:24:23 PM »
Quote from: Unibog on September 19, 2013, 11:42:28 AM
"MC, we are using Citrix XenMobile, which was formerly known as Zenprise. We have over 100 Apple devices on it and it works well. Currently our mobile devices sit on a segregated network where they only get internet access, but we are going to enroll them all in our corp network using SCEP. XenMobile works pretty slick for this. Too bad Android devices don't support SCEP, as we are allowing users to pick those devices too."

Unibog, if you have MDM integration set up on ISE, shouldn't ISE be able to push out certs to Android, although Android will require Cisco Network Setup Assistant installed?

Offline adecisco

Re: ISSUES WITH SCEP SERVER
« Reply #13 on: September 20, 2013, 03:24:43 AM »
My take as well, because Android works well with ISE and certificates can be pushed just as is done with the iPad. You only need to ensure your Android can talk to Google Play.
« Last Edit: September 20, 2013, 03:34:50 AM by adecisco »

Offline Unibog

Re: ISSUES WITH SCEP SERVER
« Reply #14 on: September 20, 2013, 06:57:23 AM »
MC, I haven't done much with ISE for Android yet. I found a good book called Cisco ISE for BYOD and Secure Unified Access from Cisco Press that has lots of examples on mobile device enrollment. I just need to set it up in our lab before we put it into production.

Here is the URL for the book.
You are not allowed to view links. Register or Login

 
