Greetings fellow Networkers!
In today’s installment, we’re going to configure Network Device Enrollment Service (NDES), Microsoft’s implementation of SCEP. Then we’ll enroll a router in-band.
A couple of things to note:
- By default, NDES requires a one-time password for enrollment. This can be disabled via a registry key.
- SCEP does not work with elliptic-curve certificate authorities. Enrollment over Secure Transport (EST) supports in-band EC enrollment and is considered the successor to SCEP.
- I attached a pcap of all SCEP activity between the router and the CA. If you look at the Cisco doc, it’ll explain what’s happening so you can interpret the activity in the PCAP.
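The first thing a SCEP client does, and the first exchange you will see in the PCAP, is an HTTP GET with `operation=GetCACaps`: the CA answers with one capability per line (names defined in the SCEP draft linked below) and the client picks its digest and cipher from that list. The script below is an added example, not code from the post or from NDES: it builds that GET, parses a constructed capability response, and reports what the client will fall back to when the CA advertises nothing stronger than SHA-1 or 3DES. The CA URL and the response bodies are constructed placeholders, not values captured from the video's lab.

```python
"""Parse a SCEP GetCACaps response and pick the strongest advertised
digest and cipher.  Added example; the CA URL and response bodies are
constructed, not taken from the post's PCAP."""
from urllib.parse import urlencode

# Capability names from draft-gutmann-scep; anything else is ignored.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]   # strongest first
CIPHER_PREFERENCE = ["AES", "DES3"]                # strongest first


def getcacaps_url(base_url, ca_ident=None):
    """Build the GetCACaps query the client sends before enrolling.
    base_url is the CA's SCEP endpoint (placeholder here)."""
    params = {"operation": "GetCACaps"}
    if ca_ident:
        params["message"] = ca_ident
    return f"{base_url}?{urlencode(params)}"


def parse_cacaps(body):
    """One capability token per line; unknown or blank lines are skipped."""
    caps = set()
    for line in body.splitlines():
        token = line.strip()
        if token in KNOWN_CAPS:
            caps.add(token)
    return caps


def negotiate(caps):
    """Return (digest, cipher, warnings) for a given capability set.
    A CA that advertises no digest or cipher is treated as a legacy SCEP
    responder, i.e. MD5 and single DES, which is what older clients assume."""
    warnings = []
    digest = next((h for h in HASH_PREFERENCE if h in caps), "MD5")
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), "DES")
    if digest in ("MD5", "SHA-1"):
        warnings.append(f"no SHA-2 digest advertised; client falls back to {digest}")
    if cipher == "DES":
        warnings.append("neither AES nor DES3 advertised; client falls back to single DES")
    if "POSTPKIOperation" not in caps:
        warnings.append("no POSTPKIOperation; PKIOperation messages go base64-encoded in GET URLs")
    return digest, cipher, warnings


def assess(body):
    """Convenience wrapper: capability body -> dict of the negotiation result."""
    digest, cipher, warnings = negotiate(parse_cacaps(body))
    return {"digest": digest, "cipher": cipher, "warnings": warnings}


if __name__ == "__main__":
    # Constructed responses: a modern CA and a legacy one.
    modern = "POSTPKIOperation\nRenewal\nSHA-256\nSHA-1\nDES3\nAES\nGetNextCACert\n"
    legacy = "SHA-1\nDES3\n"
    print(getcacaps_url("https://ca.example.test/scep", "LAB-CA"))
    for name, body in (("modern", modern), ("legacy", legacy)):
        print(name, assess(body))
```

When you open the PCAP, the plaintext GetCACaps reply is the one exchange you can read without decoding PKCS#7; comparing it against what the router then uses in its PKIOperation request tells you whether the enrollment actually ran with SHA-256 and AES or quietly fell back to the legacy algorithms.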
Resources:
PCAP of SCEP activity in video: https://www.cloudshark.org/captures/62d72e489181
SCEP RFC: https://www.ietf.org/id/draft-gutmann-scep-06.txt
Cisco TechNote on SCEP (very well written): https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html
Microsoft Guidance on installing and configuring NDES: https://technet.microsoft.com/en-us/library/hh831498(v=ws.11).aspx