Cisco Cisco Identity Services Engine 3315 Appliance Troubleshooting Guide

Components Used
The information in this document is based on these software and hardware versions:
ISE Release 1.1.1 or later
Windows Server 2008 R2 SP1 with KB2483564 and KB2633200 hotfixes installed
Windows Server 2012 Standard
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
The information related to Microsoft certificate services is provided as a guide specifically for Cisco
BYOD. Refer to Microsoft TechNet as the definitive source of truth for Microsoft Certification
Authority, Network Device Enrollment Service (NDES), and SCEP-related server configurations.
Background Information
One of the benefits of the Cisco ISE-enabled BYOD implementation is the ability of the end users
to perform self-service device registration. This eliminates the administrative burden on IT in order
to distribute authentication credentials and enable devices on the network. At the heart of the
BYOD solution is the network supplicant provisioning process, which seeks to distribute the
requisite certificates to employee-owned devices. In order to satisfy this requirement, a Microsoft
Certificate Authority (CA) can be configured in order to automate the certificate enrollment process
with the Simple Certificate Enrollment Protocol (SCEP).
SCEP has been used for years in Virtual Private Network (VPN) environments in order to facilitate
certificate enrollment and distribution to remote access clients and routers. The enablement of
SCEP functionality on a Windows 2008 R2 server requires the installation of the NDES. During the
NDES role installation, the Microsoft Internet Information Services (IIS) web server is also
installed. IIS is used in order to terminate HTTP or HTTPS SCEP registration requests and
responses between the CA and ISE policy node.
The NDES role can be installed on a current CA, or it can be installed on a member server. In a
standalone deployment, the NDES service is installed on an existing CA that includes the
Certification Authority service and, optionally, the Certification Authority Web Enrollment service.
In a distributed deployment, the NDES service is installed on a member server. The distributed
NDES server is then configured in order to communicate with an upstream root or sub-root CA. In
this scenario, the registry modifications outlined in this document are made on the NDES server,
which references the custom template that resides on the upstream CA.
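Because IIS terminates the SCEP requests that ISE sends to NDES, a useful first check before wiring up the ISE SCEP RA profile is to query the NDES endpoint's advertised capabilities (the SCEP GetCACaps operation from RFC 8894) and confirm it offers a SHA-2 digest and POST-based PKI operations. The following Python script is an added example written for this page, not code from the Cisco document; it assumes the default NDES path /certsrv/mscep/mscep.dll, uses a constructed sample reply, and the pass/fail thresholds in assess_cacaps are the editor's assumptions rather than documented ISE requirements.

```python
"""Build the SCEP URL ISE would use against NDES and assess a GetCACaps reply."""
from urllib.parse import urlencode, urlunsplit
from urllib.request import urlopen

# Default NDES SCEP endpoint on IIS (assumption: standard NDES role installation).
NDES_SCEP_PATH = "/certsrv/mscep/mscep.dll"

# Keywords defined for GetCACaps in RFC 8894; anything else is ignored per the RFC.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}


def scep_url(host: str, operation: str, message: str = "", https: bool = True) -> str:
    """SCEP GET URL, e.g. https://host/certsrv/mscep/mscep.dll?operation=GetCACaps."""
    query = {"operation": operation}
    if message:
        query["message"] = message
    scheme = "https" if https else "http"  # IIS may terminate either, per the text above
    return urlunsplit((scheme, host, NDES_SCEP_PATH, urlencode(query), ""))


def parse_cacaps(body: str) -> set[str]:
    """GetCACaps returns one capability keyword per line; an NDES/IIS server that
    does not support the operation answers with an HTML page, which yields no caps."""
    lines = (line.strip() for line in body.splitlines())
    return {line for line in lines if line in KNOWN_CAPS}


def assess_cacaps(caps: set[str]) -> dict:
    """Readiness findings for an NDES endpoint (thresholds are assumptions)."""
    strong_hash = sorted({"SHA-256", "SHA-512"} & caps)
    findings = []
    if not strong_hash:
        findings.append("no SHA-2 digest advertised; client falls back to SHA-1 or MD5")
    if "POSTPKIOperation" not in caps:
        findings.append("POSTPKIOperation absent; PKCS#7 requests must travel in GET query strings")
    if "Renewal" not in caps:
        findings.append("Renewal absent; expiring device certificates need a fresh enrollment")
    return {"strong_hash": strong_hash, "findings": findings, "ok": not findings}


def fetch_cacaps(host: str, https: bool = True, timeout: float = 5.0) -> set[str]:
    """Live query of an NDES host (not exercised offline)."""
    with urlopen(scep_url(host, "GetCACaps", https=https), timeout=timeout) as resp:
        return parse_cacaps(resp.read().decode("ascii", errors="replace"))


# Constructed sample reply in the keyword-per-line format; not captured from a real NDES server.
SAMPLE_CACAPS = "AES\nPOSTPKIOperation\nSHA-256\nSHA-1\nGetNextCACert\n"

if __name__ == "__main__":
    print(scep_url("ndes.example.local", "GetCACaps"))
    print(assess_cacaps(parse_cacaps(SAMPLE_CACAPS)))
```

Run it against a real NDES host with fetch_cacaps once the role is installed; an empty set back from parse_cacaps usually means IIS returned an error page instead of the SCEP handler.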
Tested CA/NDES Deployment Scenarios
This section provides a brief overview of the CA/NDES deployment scenarios that have been
tested in the Cisco lab. Refer to the Microsoft TechNet as the definitive source of truth for
Microsoft CA, NDES, and SCEP-related server configurations.
Standalone Deployments
When ISE is used in a Proof of Concept (PoC) scenario, it is common to deploy a self-contained
Windows 2008 or 2012 machine that acts as an Active Directory (AD) domain controller, root CA,