Document ID: 116068
Updated: Apr 11, 2013
Contributed by Todd Pula, Cisco TAC Engineer.
This document describes the steps and caveats required in order to successfully deploy Microsoft's Network Device Enrollment Service (NDES) and Simple Certificate Enrollment Protocol (SCEP) for Bring Your Own Device (BYOD).
Cisco recommends that you have knowledge of these topics:
- Identity Services Engine (ISE) Release 1.1.1 or later.
- Microsoft Windows Server 2008 R2.
- Public Key Infrastructure (PKI) and certificates.
The information in this document is based on these software and hardware versions:
- ISE Release 1.1.1 or later
- Windows Server 2008 R2 SP1 with the KB2483564 and KB2633200 hotfixes installed
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The information related to Microsoft certificate services is provided as a guide specifically for Cisco BYOD. Please refer to Microsoft's TechNet as the definitive source of truth for MS certification authority, Network Device Enrollment Service (NDES), and SCEP related server configurations.
One of the benefits of Cisco's ISE-enabled BYOD implementation is the end users' ability to perform self-service device registration. This eliminates the administrative burden on IT to distribute authentication credentials and enable devices on the network. At the heart of the BYOD solution is the network supplicant provisioning process, which distributes the requisite certificates to employee-owned devices. In order to satisfy this requirement, a Microsoft Certificate Authority (CA) can be configured to automate the certificate enrollment process with SCEP. SCEP has been used for years in Virtual Private Network (VPN) environments to facilitate certificate enrollment and distribution to remote access clients and routers.
The enablement of SCEP functionality on a Windows 2008 R2 server requires the installation of the NDES role. During the NDES role installation, Microsoft's Internet Information Services (IIS) web server is also installed. IIS is used to terminate HTTP or HTTPS SCEP registration requests and responses between the CA and the ISE policy node. The NDES role can be installed on an existing CA, or it can be installed on a member server. In a standalone deployment, the NDES service is installed on an existing CA that includes the Certification Authority service and, optionally, the Certification Authority Web Enrollment service. In a distributed deployment, the NDES service is installed on a member server. The distributed NDES server is then configured to communicate with an upstream root or sub-root CA. In this scenario, the registry modifications outlined in this document are made on the NDES server, with the custom template and certificates residing on the upstream CA.
Before you configure SCEP support for BYOD, ensure that the Windows 2008 R2 NDES server has these Microsoft hotfixes installed:
- Renewal request for a SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES — This issue occurs because NDES does not support the GetCACaps operation.
- NDES does not submit certificate requests after the enterprise CA is restarted in Windows Server 2008 R2 — This message appears in the Event Viewer: "The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable."
Disable SCEP Enrollment Challenge Password Requirement
By default, Microsoft's SCEP (MSCEP) implementation uses a dynamic challenge password to authenticate clients and endpoints throughout the certificate enrollment process. With this configuration requirement in place, users must browse to the MSCEP admin web GUI on the NDES server to generate a password on-demand. As part of the registration request, the user must include this password.
In a BYOD deployment, the requirement of a challenge password defeats the purpose of a user self-service solution. In order to remove this requirement, this registry key must be modified on the NDES server:
- Click Start and enter regedit in the search bar.
- Navigate to: Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword.
- Ensure that the EnforcePassword value is set to "0" (default is "1").
How to Extend URL Length in IIS
It is possible for ISE to generate URLs that are too long for the IIS web server. To avoid this problem, the default IIS configuration can be modified to allow longer URLs.
Note: The query string size might vary depending on the ISE and endpoint configuration. This command should be entered from the NDES server command line with administrative privileges:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/
Certificate Template Overview
Administrators of a Microsoft CA can configure one or more templates which are used to apply application policies to a common set of certificates. These policies identify the functions for which the certificate and its associated keys may be used. The application policy values are contained in the Extended Key Usage (EKU) field of the certificate. The authenticator parses the values in the EKU field to ensure that the certificate presented by the client can be used for the intended function. Some of the more common uses include server authentication, client authentication, IPSec VPN, and e-mail. In terms of ISE, the more commonly used EKU values are server and/or client authentication.
When you browse to a secure bank website, for example, the web server that processes the request is configured with a certificate with an application policy of server authentication. When the server receives an HTTPS request, it sends its server authentication certificate to the connecting web browser for authentication. The important point here is that this is a unidirectional exchange from the server to the client. As it relates to ISE, a common use for a server authentication certificate is admin GUI access. ISE sends its configured certificate to the connected browser and does not expect to receive a certificate back from the client.
When it comes to services such as BYOD that use EAP-TLS, mutual authentication is preferred. In order to enable this bi-directional certificate exchange, the template used to generate the ISE identity certificate must possess a minimum application policy of server authentication. The Web Server certificate template satisfies this requirement. The certificate template that generates the endpoint certificates must contain a minimum application policy of client authentication. The User certificate template satisfies this requirement. If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used to generate the ISE server identity certificate should contain both client and server authentication attributes. This allows the admin and inline nodes to mutually authenticate each other. A best practice to future-proof the ISE deployment is to ensure that the ISE server identity certificates include both client and server authentication attributes. The default Microsoft CA Web Server and User templates can be reused, or a new template can be cloned and created with the process outlined in this document. Based upon these certificate requirements, the CA configuration and the resultant ISE and endpoint certificates should be carefully planned in order to minimize unwanted configuration changes when installed in a production environment.
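To make the EKU requirements above concrete, here is an added PowerShell check (not from the Cisco document) that reads an exported ISE or endpoint certificate, reports which required application policies are missing, and optionally confirms the certificate does not outlive the CA certificate that issued it. The file paths and the role names 'ise' and 'endpoint' are this example's own assumptions.

```powershell
# Added example, not from the Cisco document. Checks an exported certificate
# (.cer, DER or Base64) for the application policies the document requires.
# Assumptions: file paths are placeholders; 'ise'/'endpoint' roles are this script's.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-CertEkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # The EKU extension (OID 2.5.29.37) carries the template's application policies.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-ByodCertificate([string]$Path, [string]$Role, [string]$CaPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $ekus = Get-CertEkuOids $cert
    $problems = @()
    switch ($Role) {
        # Endpoint certificates (User template clone) need Client Authentication.
        'endpoint' {
            if ($ekus -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
        }
        # ISE identity certificates need Server Authentication; the document's
        # best practice (and the iPEP requirement) is Client Authentication as well.
        'ise' {
            if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
            if ($ekus -notcontains $ClientAuthOid) { $problems += 'no Client Authentication EKU (recommended)' }
        }
        default { throw "Role must be 'ise' or 'endpoint'" }
    }
    # The template validity period must not exceed that of the issuing CA certificate.
    if ($CaPath) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)
        if ($cert.NotAfter -gt $ca.NotAfter) { $problems += "expires after issuing CA ($($ca.NotAfter))" }
    }
    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        EKUs     = ($ekus -join ', ')
        Problems = $(if ($problems) { $problems -join '; ' } else { 'none' })
    }
}

# Usage with placeholder paths:
# Test-ByodCertificate -Path C:\certs\ise-psn.cer -Role ise -CaPath C:\certs\rootca.cer
# Test-ByodCertificate -Path C:\certs\employee-device.cer -Role endpoint
```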
Certificate Template Configuration
As noted in the introduction, SCEP is widely used in IPSec VPN environments. As a result, installation of the NDES role automatically configures the server to utilize the IPSec (Offline Request) template for SCEP. Because of this, one of the first steps in the preparation of a Microsoft CA for BYOD is to build a new template with the correct application policy. In a standalone deployment, the Certification Authority and NDES services are collocated on the same server. As a result, the templates and the required registry modifications are contained to the same server. In a distributed NDES deployment, the registry modifications are made on the NDES server; however, the actual templates are defined on the root or sub-root CA server specified in the NDES service installation.
Here are the steps used in order to configure the Certificate Template:
- Log on to the CA server with an admin user.
- Click Start > Administrative Tools > Certification Authority.
- Expand the CA server details and select the Certificate Templates folder. This folder contains a list of the templates currently enabled.
- In order to manage the certificate templates, right-click on the Certificate Templates folder and choose Manage.
- In the Certificate Templates Console, a number of inactive templates are displayed.
- In order to configure a new template for use with SCEP, right-click on a template that already exists, such as User, and choose Duplicate Template.
- Then choose Windows 2003 or Windows 2008, depending on the minimum CA operating system (OS) in the environment.
- On the General tab, add a display name, such as ISE-BYOD, and a validity period; leave all other options unchecked.
Note: The template validity period must be less than or equal to the validity period of the CA's root and intermediate certificates.
- Click on the Extensions tab; click on Application Policies; then click Edit.
- Click Add and ensure that Client Authentication is added as an application policy. Click OK.
- Click on the Security tab, click Add.... Ensure that the SCEP service account defined in the NDES service installation has full control of the template. Click OK.
- Return to the Certification Authority GUI.
- Right-click on the Certificate Templates directory. Navigate to New > Certificate Template to Issue.
- Select the ISE-BYOD template configured previously and click OK.
- Alternatively, enable the template with the CLI:
certutil -SetCAtemplates +ISE-BYOD
- The ISE-BYOD template should now be listed in the enabled certificate template list.
Certificate Template Registry Configuration
Here are the steps used in order to configure the Certificate Template Registry keys:
- Connect to the NDES server.
- Click Start and enter regedit in the search bar.
- Navigate to: Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP.
- Change the EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate keys from IPSec (Offline Request) to the ISE-BYOD template previously created.
- Reboot the NDES server in order to apply the registry setting.
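As an added example (not part of the Cisco document), this PowerShell script applies the NDES-side settings from the hotfix, challenge-password, IIS URL-length and template-registry sections above in one pass and reads them back for verification. It assumes it runs elevated on the NDES server, that the duplicated template is named ISE-BYOD as in the steps above, and that the IIS setting the document's appcmd command adjusts is request filtering's requestLimits.maxQueryString, with 8192 as an assumed size.

```powershell
# Added example, not from the Cisco document. Run elevated on the NDES server.
# Assumptions: template name ISE-BYOD; the IIS request-filtering maxQueryString
# limit is the setting the document's appcmd command adjusts; 8192 is a sample size.
$MscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$TemplateName   = 'ISE-BYOD'
$MaxQueryString = 8192   # assumed; the required size depends on ISE and endpoint config

# 1. Both NDES hotfixes named in the document must be present before SCEP will behave.
$missing = @('KB2483564', 'KB2633200') |
    Where-Object { -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue) }
if ($missing) { throw "Install missing NDES hotfix(es): $($missing -join ', ')" }

# 2. Remove the SCEP challenge-password requirement (EnforcePassword 1 -> 0).
#    With no password, anything that can reach the SCEP URL can request a
#    certificate, so restrict access to the IIS site to the ISE policy nodes.
Set-ItemProperty -Path "$MscepKey\EnforcePassword" -Name EnforcePassword `
    -Value 0 -Type DWord

# 3. Repoint the three MSCEP template keys, which NDES setup leaves at
#    'IPSec (Offline Request)', at the client-authentication template.
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $TemplateName -Type String
}

# 4. Let IIS accept the long query strings ISE sends in SCEP requests.
& "$env:SystemRoot\System32\inetsrv\appcmd.exe" set config `
    /section:system.webServer/security/requestFiltering `
    "/requestLimits.maxQueryString:$MaxQueryString" /commit:apphost

# 5. Read the registry back; a reboot is still needed for NDES to pick it up.
$tpl = Get-ItemProperty -Path $MscepKey
New-Object PSObject -Property @{
    EnforcePassword        = (Get-ItemProperty "$MscepKey\EnforcePassword").EnforcePassword
    EncryptionTemplate     = $tpl.EncryptionTemplate
    GeneralPurposeTemplate = $tpl.GeneralPurposeTemplate
    SignatureTemplate      = $tpl.SignatureTemplate
    MaxQueryString         = $MaxQueryString
} | Format-List
Write-Host 'Reboot the NDES server so the MSCEP registry changes take effect.'
```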
Configure ISE as a SCEP Proxy
In a BYOD deployment, the endpoint does not communicate directly with the backend NDES server. Instead, the ISE policy node is configured as a SCEP proxy and communicates with the NDES server on behalf of the endpoints. The endpoints communicate directly with ISE. The IIS instance on the NDES server can be configured to support HTTP and/or HTTPS bindings for the SCEP virtual directories.
Here are the steps in order to configure ISE as a SCEP Proxy:
- Log into ISE GUI with admin credentials.
- Click on Administration > Certificates > SCEP CA Profiles.
- Click Add.
- Enter the server name and description.
- Enter the URL for the SCEP server with the IP or fully qualified domain name (FQDN), for example, http://10.10.10.10/certsrv/mscep/
- Click Test Connectivity.
- A successful connection produces a server response pop-up message.
- Click Save to apply the configuration.
- In order to verify, click on Administration > Certificates > Certificate Store and confirm that the SCEP NDES server RA certificate has been automatically downloaded to the ISE node.
This section provides information you can use to troubleshoot your configuration.
- Break down the BYOD network topology into logical waypoints in order to help identify debug and capture points along the path among ISE, NDES, and the CA.
- Ensure that TCP 80 and/or TCP 443 are permitted bi-directionally between ISE and the NDES server.
- Test with a Windows machine because of the improved client-side logging.
- Monitor the CA and NDES server application logs for registration errors and use Google or TechNet to research those errors.
- Throughout the test phase, use HTTP for SCEP in order to facilitate packet captures between ISE, NDES, and CA.
- Use the TCP Dump utility on the ISE PSN and monitor traffic to and from the NDES server. This is located under Operations > Diagnostic Tools > General Tools.
- Install Wireshark on the CA and NDES server or use SPAN on intermediary switches in order to capture SCEP traffic to and from the ISE PSN.
- Ensure that the appropriate CA certificate chain is installed on the ISE policy node for the authentication of the client certificates.
- Ensure that the appropriate CA certificate chain is automatically installed onto the clients during onboarding.
- Preview the ISE and endpoint identity certificates and confirm that the correct EKU attributes are present.
- Monitor the live authentication logs in the ISE GUI for authentication and authorization failures.
Note: Some supplicants do not initialize a client certificate exchange if the wrong EKU is present, for example, a client certificate with EKU of server authentication. Therefore, authentication failures might not always be present in the ISE logs.
- When NDES is installed in a distributed deployment, a remote root or sub-root CA is designated by CA Name or Computer Name in the service installation. The NDES server sends certificate registration requests to this target CA server. If the endpoint certificate registration process fails, packet captures (PCAP) might show the NDES server returning a 404 Not Found error to the ISE node. To resolve this, reinstall the NDES service and select the Computer Name option instead of the CA Name.
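As an added troubleshooting aid (not from the Cisco document), this PowerShell function queries the NDES SCEP URL from any Windows host that can reach the server over TCP 80/443, similar to what the SCEP CA profile's Test Connectivity does, and decodes the certificate bundle that ISE downloads as the RA certificate. It assumes the standard NDES endpoint path certsrv/mscep/mscep.dll and uses a placeholder server address.

```powershell
# Added example, not from the Cisco document. Queries the NDES SCEP endpoint
# the way ISE's Test Connectivity and RA-certificate download do.
# Assumptions: standard NDES path certsrv/mscep/mscep.dll; placeholder address.
Add-Type -AssemblyName System.Security   # for System.Security.Cryptography.Pkcs

function Test-NdesScep([string]$BaseUrl) {
    $web = New-Object System.Net.WebClient
    # GetCACaps is the SCEP operation NDES lacks without the document's first
    # hotfix; a capability list means IIS and NDES are answering on this URL.
    try {
        $caps = $web.DownloadString("$BaseUrl/mscep.dll?operation=GetCACaps&message=ca")
        $capsText = ($caps -split "`r?`n" | Where-Object { $_ }) -join ', '
    } catch { $capsText = "FAILED: $($_.Exception.Message)" }
    # GetCACert returns a PKCS#7 bundle with the CA certificate and the RA
    # certificates; ISE stores these after Test Connectivity succeeds.
    try {
        $bytes = $web.DownloadData("$BaseUrl/mscep.dll?operation=GetCACert&message=ca")
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($bytes)
        $certText = @($cms.Certificates | ForEach-Object {
            '{0} (issued by {1}, expires {2:yyyy-MM-dd})' -f $_.Subject, $_.Issuer, $_.NotAfter
        })
    } catch { $certText = "FAILED: $($_.Exception.Message)" }
    New-Object PSObject -Property @{
        Url          = $BaseUrl
        CACaps       = $capsText
        Certificates = $certText
    }
}

# Use the same URL entered in the ISE SCEP CA profile (address is a placeholder):
Test-NdesScep 'http://10.10.10.10/certsrv/mscep' | Format-List
```

A FAILED value on GetCACaps with a working GetCACert points at the missing hotfix or IIS request filtering rather than at basic reachability.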
Client Side Logging
- Windows: %temp%\spwProfileLog.txt.
- Android: /sdcards/downloads/spw.log.
- Mac OS X: Use the Console app and look for the SPW process.
- iOS: Must use the iPhone Configuration Utility (iPCU) to see messages.
Use these steps in order to view the ISE log:
- Navigate to Administration > Logging > Debug Log Configuration and select the appropriate ISE policy node.
- Set these logs to debug or trace as required: client, provisioning.
- Reproduce the problem and document relevant seed info in order to facilitate searching, such as MAC, IP, user, and so on.
- Navigate to Operations > Download Logs and select the appropriate ISE node.
- On the Debug Logs tab, download the logs named ise-psc.log to the desktop.
- Use an intelligent editor, such as Notepad++, in order to parse the log files.
- When the issue has been isolated, return the log levels to their default level.
NDES Logging and Troubleshooting
For more information, refer to the NDES logging and troubleshooting documentation on TechNet.